Crazy Unknown Virus


  • This topic is locked
5 replies to this topic

#1 TheSun369

TheSun369

  • Members
  • 2 posts
  • OFFLINE

Posted 12 July 2022 - 06:15 PM

Hey folks, a couple of weeks ago, my laptop started playing random adverts every 10 minutes or so. The adverts are not videos, but play through the speakers, and it's so damn annoying. I have searched the internet on many occasions to try to find out how to remove this random advert player. There is not a single piece of information on the internet regarding this virus. When the advert plays, I open task manager and the advert player is called "FormsApp" and when I open the file location the program is called "Mcduff". The Mcduff program is located in program files x86 in the hidden folder Calc. I have tried to open the exe file Mcduff but nothing happens. I have even installed Revo Pro Uninstaller in an attempt to remove the program, but the program does not exist in Revo, even when I search the hidden programs. The Mcduff program also does not exist in the control panel and it does not exist in CMD when I search all installed programs. This is the most dodgy virus or whatever it may be that I have come across... there is literally no information on the internet regarding Mcduff.


I have attached two photos. One of the FormsApp in task manager and one of the Mcduff in its file location.


I would appreciate it if someone could please help me and offer some advice.


Thanks for your time!

Attached Files





#2 Oh My!

Oh My!

    Adware and Spyware and Malware


  • Malware Response Instructor
  • 62,343 posts
  • ONLINE
  • Gender:Male
  • Location:California

Posted 12 July 2022 - 07:59 PM

Greetings TheSun369 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, please keep in mind most of us at BleepingComputer volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us.
  • It is important to not run any tools or take any steps other than those I will provide for you.
  • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
  • Please copy and paste all logs into your post unless otherwise requested.
  • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
  • If you do not reply to your topic after 5 days I will assume it has been abandoned and I will close it.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and let me know.

Thank you for your patience thus far.

Please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for 64 bit systems and save it to your Desktop. <<< Important
  • If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
  • Right click on the icon and select Run as administrator
  • Note: If you receive any warning about the download it is a false positive and you can ignore it
  • Click Yes to the disclaimer
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of each report in separate reply windows
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • FRST.txt
  • Addition.txt

Lord, to whom shall we go? You have the words of eternal life and we have believed and have come to know that you are the Holy One of God.
John 6:68-69

The Man on the Middle Cross Said I Could Come
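The FRST.txt report requested above lists each autorun (Run key, scheduled task, startup shortcut) with its target, the signer FRST resolved, and whether the file still exists. As an added example written for this page (not part of the post and not a Farbar tool), the Python script below applies the checks a malware-response helper makes by eye to constructed sample lines patterned after such a report; the markers it keys on ("(No File)", "[File not signed]", "<==== ATTENTION") are FRST's own, while the thresholds for "randomised task path" and "same binary under many names" are assumptions chosen here.

```python
"""Triage helper for FRST.txt autorun sections (example code, not a Farbar tool)."""
import re
from collections import defaultdict

# Constructed sample input patterned after FRST.txt lines; the long obfuscated
# command-line argument that FRST prints is replaced by a short placeholder.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [14040296 2015-08-29] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM\...\Run: [Peso] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyh<shortened>" (No File)
HKLM\...\Run: [Altarpiece] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKLM-x32\...\Run: [Breakaways] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Carborundum] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
ShortcutTarget: wombats.lnk -> C:\Program Files (x86)\Sacrificed\Mcduff.exe (No File)
==================== Scheduled Tasks (Whitelisted) ============
Task: {77EEB87A-B96C-41D6-93FB-C8CA54F02851} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [14040296 2015-08-29] (Realtek Semiconductor Corp -> Realtek Semiconductor)
Task: {64CE9108-E016-46D9-A582-B8538AE9B84A} - System32\Tasks\acyewc\l32b80\61vvch\9obpgv\6xcbyc\3dexl2 => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
Task: {43D5DF3B-D150-4C6C-83AE-DF5CC9042F2A} - System32\Tasks\MicrosoftEdgeUpdateTaskUserS-1-5-21-466771246-433639398-4200461963-1001Core => C:\Users\joshu\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe [205744 2022-06-19] (Microsoft Corporation -> Microsoft Corporation)
"""

# One pattern per autorun line shape FRST emits; each yields a name and a target .exe.
ENTRY_PATTERNS = {
    "run": re.compile(r"^HK\S+\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.+?\.exe)", re.I),
    "task": re.compile(r"^Task: \{[0-9A-F-]+\} - System32\\Tasks\\(?P<name>\S+) => (?P<target>.+?\.exe)", re.I),
    "shortcut": re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<target>.+?\.exe)", re.I),
}
# Heuristic (assumption): a task folder segment of exactly six lowercase [a-z0-9] characters
RANDOM_SEGMENT = re.compile(r"^[a-z0-9]{6}$")
RANDOM_SEGMENTS_NEEDED = 3   # assumption: this many such segments => randomised task path
MANY_NAMES_THRESHOLD = 3     # assumption: one .exe under this many autorun names is suspicious


def parse_entries(text):
    """Return Run-key, scheduled-task and startup-shortcut entries as dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in ENTRY_PATTERNS.items():
            m = pattern.match(line)
            if m:
                entries.append({
                    "kind": kind,
                    "name": m.group("name"),
                    "target": m.group("target"),
                    "missing": "(No File)" in line,          # FRST: target no longer on disk
                    "unsigned": "[File not signed]" in line,  # FRST: no Authenticode signature
                })
                break
    return entries


def triage(text):
    """Apply the eyeball checks to a report; returns (rule, name, target) tuples."""
    findings = []
    entries = parse_entries(text)
    names_per_target = defaultdict(set)
    for e in entries:
        names_per_target[e["target"].lower()].add(e["name"])
    for e in entries:
        if e["missing"]:
            findings.append(("dangling autorun (target file missing)", e["name"], e["target"]))
        if e["unsigned"]:
            findings.append(("unsigned autorun binary", e["name"], e["target"]))
        if e["kind"] == "task":
            segments = e["name"].split("\\")
            if sum(1 for s in segments if RANDOM_SEGMENT.match(s)) >= RANDOM_SEGMENTS_NEEDED:
                findings.append(("randomised task path", e["name"], e["target"]))
    for target, names in names_per_target.items():
        if len(names) >= MANY_NAMES_THRESHOLD:
            findings.append(("same binary under many autorun names", ", ".join(sorted(names)), target))
    # FRST's own marker for policy keys that restrict Defender, Edge or Internet Explorer
    for raw in text.splitlines():
        if "<==== ATTENTION" in raw:
            findings.append(("policy restriction flagged by FRST", raw.split(":")[0].strip(), ""))
    return findings


if __name__ == "__main__":
    for rule, name, target in triage(SAMPLE_FRST):
        print(f"{rule:45} {name} -> {target}")
```

Legitimate software that registers one Run key plus one update task (Realtek, Edge in the sample) stays below the thresholds, so the output is the short list an analyst would actually read.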

#3 TheSun369

TheSun369
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE

Posted 12 July 2022 - 08:52 PM

Thank you very much for the help. Here are the results from the scan.


First -


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-07-2022
Ran by joshu (administrator) on DESKTOP-Q6ILMGH (SAMSUNG ELECTRONICS CO., LTD. 550P5C/550P7C) (13-07-2022 02:45:06)
Running from C:\Users\joshu\Desktop
Loaded Profiles: joshu
Platform: Microsoft Windows 10 Home Version 21H2 19044.1766 (X64) Language: English (United Kingdom)
Default browser: Edge
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Brave Software, Inc. -> BraveSoftware Inc.) C:\Program Files (x86)\BraveSoftware\Update\1.3.361.111\BraveCrashHandler.exe
(Brave Software, Inc. -> BraveSoftware Inc.) C:\Program Files (x86)\BraveSoftware\Update\1.3.361.111\BraveCrashHandler64.exe
(C:\Program Files\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe ->) (Node.js Foundation -> Node.js) C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
(C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe ->) (Adobe Inc. -> Adobe Inc) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\IPCBox\AdobeIPCBroker.exe
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(explorer.exe ->) () [File not signed] C:\Users\joshu\Downloads\KeyboardLocker.exe
(explorer.exe ->) (Adobe Inc. -> Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe
(explorer.exe ->) (Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe <19>
(explorer.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Users\joshu\AppData\Local\Microsoft\EdgeWebView\Application\103.0.1264.49\msedgewebview2.exe <7>
(explorer.exe ->) (nordvpn s.a. -> TEFINCOM S.A.) C:\Program Files\NordVPN\NordVPN.exe
(Intel Corporation - pGFX -> Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation - pGFX -> Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation - pGFX -> Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(services.exe ->) () [File not signed] C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\Recovery\ElevationService.exe
(services.exe ->) (inMusic Brands Inc -> Numark) C:\Program Files (x86)\Numark\Party Mix Live\AudioDevMon.exe
(services.exe ->) (Intel Corporation - pGFX -> Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(services.exe ->) (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MsMpEng.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\NisSrv.exe
(services.exe ->) (nordvpn s.a. -> TEFINCOM S.A.) C:\Program Files\NordUpdater\NordUpdateService.exe
(services.exe ->) (nordvpn s.a. -> TEFINCOM S.A.) C:\Program Files\NordVPN\nordvpn-service.exe
(services.exe ->) (Wondershare Technology Co.,Ltd -> Wondershare) C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Library\DriverInstaller\DriverInstall.exe
(services.exe ->) (Wondershare Technology Co.,Ltd -> Wondershare) C:\ProgramData\Wondershare\Service\InstallAssistService.exe
(svchost.exe ->) (Dell) [File not signed] C:\Program Files (x86)\Calc\Mcduff.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_11.2205.23.0_x64__8wekyb3d8bbwe\Time.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20970.0_x64__8wekyb3d8bbwe\HxOutlook.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20970.0_x64__8wekyb3d8bbwe\HxTsr.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\MoUsoCoreWorker.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(svchost.exe ->) (Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
 
==================== Registry (Whitelisted) ===================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [14040296 2015-08-29] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM\...\Run: [Peso] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy. (the data entry has 116 more characters). (No File)
HKLM\...\Run: [Calligraphic] => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgb (the data entry has 113 more characters). (No File)
HKLM\...\Run: [Altarpiece] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKLM-x32\...\Run: [Kobler] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy. (the data entry has 116 more characters). (No File)
HKLM-x32\...\Run: [Whited] => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgb (the data entry has 113 more characters). (No File)
HKLM-x32\...\Run: [Breakaways] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc. -> Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.) [File not signed]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [ut] => C:\Users\joshu\AppData\Roaming\uTorrent\uTorrent.exe [2005664 2022-06-16] (BitTorrent Inc -> BitTorrent Inc.)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [NordVPN] => C:\Program Files\NordVPN\NordVPN.exe [280952 2022-02-18] (nordvpn s.a. -> TEFINCOM S.A.)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [CCXProcess] => C:\Program Files\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe [597640 2020-02-07] (Adobe Inc. -> Adobe Systems Incorporated)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Ephesus] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy. (the data entry has 116 more characters). (No File)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Eros] => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgb (the data entry has 113 more characters). (No File)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Carborundum] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Typical] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy. (the data entry has 116 more characters). (No File)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Fraternally] => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgb (the data entry has 113 more characters). (No File)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Outsold] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Microsoft Edge Update] => C:\Users\joshu\AppData\Local\Microsoft\EdgeUpdate\1.3.163.19\MicrosoftEdgeUpdateCore.exe [252848 2022-06-19] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\MountPoints2: {a99b2bfb-c05d-11ec-910a-e8039af622b8} - "D:\startme.exe" 
HKLM\Software\Microsoft\Active Setup\Installed Components: [{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}] -> C:\Program Files\BraveSoftware\Brave-Browser\Application\103.1.40.113\Installer\chrmstp.exe [2022-07-06] (Brave Software, Inc. -> Brave Software, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WSAndroidAppHelper.lnk [2022-04-20]
ShortcutTarget: WSAndroidAppHelper.lnk -> C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\WSAndroidAppHelper.exe (Wondershare Technology Co.,Ltd -> Microsoft)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WSAppHelper.lnk [2022-04-20]
ShortcutTarget: WSAppHelper.lnk -> C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\WSAppHelper.exe (Wondershare Technology Co.,Ltd -> Microsoft)
Startup: C:\Users\joshu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KeyboardLocker.lnk [2022-03-02]
ShortcutTarget: KeyboardLocker.lnk -> C:\Users\joshu\Downloads\KeyboardLocker.exe () [File not signed]
Startup: C:\Users\joshu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wombats.lnk [2022-05-27]
ShortcutTarget: wombats.lnk -> C:\Program Files (x86)\Sacrificed\Mcduff.exe (No File)
Startup: C:\Users\joshu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wombatswombats.lnk [2022-05-27]
ShortcutTarget: wombatswombats.lnk -> C:\Program Files (x86)\pushkin\Baroda.exe (No File)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
 
==================== Scheduled Tasks (Whitelisted) ============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {06A484BD-7E5A-44A6-AD7B-EFDB932CE9A2} - System32\Tasks\0k6huw\8kstn4\44vljz\3y3yj8\9tj2xw\ym1w9e\yd7iut\gwzw10\lr01r4\9ngzox\u6uet2\lqmptk\rmthwh\90oyp7\vzmki2\6yj4f5\6tx0rk => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
Task: {2F9DEE8E-FE12-405C-AF6A-81E94B65FAE3} - System32\Tasks\ddf30l\sq4cml\a9f6eg\1jh7ae\jydlov\nzoqzo\24qijf\5nmpax\no7il6\5gcqkm\y9tkh3\6e33fi\btci11\h6zxyp\a0wx3q\5dppmp\3l0yak => C:\Users\joshu\AppData\Local\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
Task: {3A960624-4962-47AE-B506-A450CD248BB2} - System32\Tasks\pk4i5r\5rshj5\c0q553\u2cqn3\yqhd76\m3qmqo\ulejgh\kdc9na\khso82\nopsgz\7uy0fn\fitb6y\9h6o7x\d1az1x\4vtlq7\981gem\ift3w4 => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
Task: {43D5DF3B-D150-4C6C-83AE-DF5CC9042F2A} - System32\Tasks\MicrosoftEdgeUpdateTaskUserS-1-5-21-466771246-433639398-4200461963-1001Core => C:\Users\joshu\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe [205744 2022-06-19] (Microsoft Corporation -> Microsoft Corporation)
Task: {4EF2661C-6B28-457E-8DA6-B59CA21D7701} - System32\Tasks\wfwm1m\xo3dpi\9gzuol\4mldqh\lrg1sa\dcaood\urhkcl\6znouq\0wygvb\bkrm8s\91foap\xj4qgd\ulworh\5dz6fa\vkfbcp\b5f6ea\rtcs2r => C:\Program Files (x86)\Sacrificed\perlite.exe (No File)
Task: {5930089C-B4A7-4010-B907-6580BAFBE2EA} - System32\Tasks\4cpzxp\58jjjo\i7zs9j\zbwys0\h4hwql\qxsfxq\trdd3i\jgy211\g3io60\5do6r5\75datd\o4a5sb\rybeoc\wzo8rn\m4lwma\xoykv1\vlho0k => C:\Users\joshu\AppData\Local\Baroda.exe [315392 2022-05-27] (Dell) [File not signed]
Task: {64CE9108-E016-46D9-A582-B8538AE9B84A} - System32\Tasks\acyewc\l32b80\61vvch\9obpgv\6xcbyc\3dexl2\xjrq9q\8q30t6\wfjajv\cfmhua\dojghf\6cchb2\g06ot2\hnfrcg\aqfe5v\xbl612\orqw9i => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
Task: {77EEB87A-B96C-41D6-93FB-C8CA54F02851} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [14040296 2015-08-29] (Realtek Semiconductor Corp -> Realtek Semiconductor)
Task: {80EA4776-7ADF-409E-90BC-FCEB167BCACF} - System32\Tasks\m4gneg\oa4vfg\mfbfps\c7t27l\nvqsag\d869kx\etdci6\eh2rtu\1qpmmi\8zdfpe\7idkub\2mjfy6\jajoai\egwqaj\3s8xca\kwh3rv\ezwzob => C:\Users\joshu\AppData\Local\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
Task: {906878AE-2654-46BE-824B-0D0A1C35C94B} - System32\Tasks\93w2z1\ptsz81\yb9ade\t1j7gd\rdb5dq\992l6x\gihl6v\d19y6t\3pvnid\jfhioq\822ebn\x98bod\1m1nmp\gsvah5\207yg3\i3jbzz\ytgqb7 => C:\Program Files (x86)\Blemished\penniless.exe [63717 2022-05-27] () [File not signed]
Task: {95BF14C0-DC2B-4A81-B87F-7C01FD92CDAD} - System32\Tasks\66kzfz\nvm5df\ixxe6p\62t4nt\aoqs3g\zjraqo\qley8c\i4l6ir\522d9n\8txqaf\ffbt9z\194scc\zhi7pj\iadhul\6e69n6\t0xdfo\sjrem0 => C:\Users\joshu\AppData\Local\guido.exe [46184 2022-05-27] () [File not signed]
Task: {972FF52A-A542-4EFB-A387-E17AD527C303} - System32\Tasks\BraveSoftwareUpdateTaskMachineCore => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162968 2022-03-02] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {9BAEB46C-4282-4477-926E-A525346B23A6} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe [993008 2022-06-23] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {B2D15DB5-F531-4841-8080-CF04C46B8005} - System32\Tasks\MicrosoftEdgeUpdateTaskUserS-1-5-21-466771246-433639398-4200461963-1001UA => C:\Users\joshu\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe [205744 2022-06-19] (Microsoft Corporation -> Microsoft Corporation)
Task: {CB2029DD-2B90-4DA9-8930-90D77453EC20} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [561984 2011-06-01] (Apple Inc. -> Apple Inc.)
Task: {CC93B223-99DA-4540-8EA0-C7F63357BA31} - System32\Tasks\86arl1\9mf0zo\orcyoy\o42bbz\5x30h4\7jpd15\9xsr8y\47w1ov\q45fyt\7ibktu\uwyimz\axgwi5\ohu70n\sygf70\5spkif\0cug3q\b1draq => C:\Program Files (x86)\Calc\Baroda.exe [315392 2022-05-27] (Dell) [File not signed]
Task: {E0229D3B-2270-4D32-A844-880CAE53BE2E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe [993008 2022-06-23] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {E67C488B-28FD-49E2-983D-E74C24C41350} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe [993008 2022-06-23] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {EE3EC87B-9A16-426D-BE3D-296EB03BD249} - System32\Tasks\BraveSoftwareUpdateTaskMachineUA => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162968 2022-03-02] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {F9E20B1B-6812-4B5B-BF47-FAFA4240CC9C} - System32\Tasks\ej2pnm\beycey\9w9z57\rtt1hu\5nm0sv\ji82zs\0px8mm\1gsb8h\g5j5qy\h98fef\ujthj3\kct4ut\eqzzzf\8al05d\3ukawl\k8y9ch\ly0wc1 => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.22.22 192.168.22.23
Tcpip\..\Interfaces\{cedf304e-eda2-4d33-a15b-ed0911dfe2e5}: [DhcpNameServer] 192.168.22.22 192.168.22.23
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
 
FireFox:
========
FF Plugin: @videolan.org/vlc,version=3.0.16 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2021-06-18] (VideoLAN -> VideoLAN)
 
Brave: 
=======
BRA Profile: C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default [2022-07-13]
BRA Extension: (Google Translate) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2022-04-17]
BRA Extension: (Grammar & Spell Checker — LanguageTool) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\oldceeleldhonbafppcapldpdifcinji [2022-07-12]
BRA Extension: (Brave Local Data Files Updater) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal [2022-07-12]
BRA Extension: (Brave NTP background images) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\aoojcmojmmcbpfgoecoadbdpnagfchel [2022-07-08]
BRA Extension: (Wallet Data Files Updater) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\BraveWallet [2022-07-12]
BRA Extension: (Brave Ad Block Updater (Default)) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\cffkpbalmllkdoenhmdmpbkajipdjfam [2022-07-12]
BRA Extension: (Brave Ads Resources) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\cmdlemldhabgmejfognbhdejendfeikd [2022-07-08]
BRA Extension: (Brave Tor Client Updater (Windows)) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\cpoalefficncklhjfpglfiplenlpccdb [2022-04-22]
BRA Extension: (Brave SpeedReader Updater) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\jicbkmdloagakknpihibphagfckhjdih [2022-03-13]
BRA Extension: (Brave NTP sponsored images) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\mjpbonbjgpinifgnneajcbigekbpfige [2022-07-12]
BRA Extension: (Brave Ads Resources) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\ocilmpijebaopmdifcomolmpigakocmo [2022-03-29]
BRA Extension: (Brave HTTPS Everywhere Updater) - C:\Users\joshu\AppData\Local\BraveSoftware\Brave-Browser\User Data\oofiananboodjbbmdelgdommihjbkfag [2022-07-12]
 
==================== Services (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 brave; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162968 2022-03-02] (Brave Software, Inc. -> BraveSoftware Inc.)
S3 bravem; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162968 2022-03-02] (Brave Software, Inc. -> BraveSoftware Inc.)
R2 ElevationService; C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\Recovery\ElevationService.exe [913408 2022-04-19] () [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [8348856 2022-04-04] (Malwarebytes Inc -> Malwarebytes)
R2 NordUpdaterService; C:\Program Files\NordUpdater\NordUpdateService.exe [297848 2021-06-07] (nordvpn s.a. -> TEFINCOM S.A.)
R2 nordvpn-service; C:\Program Files\NordVPN\nordvpn-service.exe [281464 2022-02-18] (nordvpn s.a. -> TEFINCOM S.A.)
R2 PartyMixLiveAudioDevMon; C:\Program Files (x86)\Numark\Party Mix Live\AudioDevMon.exe [635960 2020-11-24] (inMusic Brands Inc -> Numark)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\NisSrv.exe [3120992 2022-06-23] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MsMpEng.exe [133544 2022-06-23] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 Wondershare InstallAssist; C:\ProgramData\Wondershare\Service\InstallAssistService.exe [262880 2022-03-17] (Wondershare Technology Co.,Ltd -> Wondershare)
R2 WsDrvInst; C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Library\DriverInstaller\DriverInstall.exe [120096 2018-01-16] (Wondershare Technology Co.,Ltd -> Wondershare)
S2 DFWSIDService; C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe [X]
 
===================== Drivers (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 ampa; C:\Windows\system32\ampa.sys [38320 2017-02-28] (CHENGDU AOMEI Tech Co., Ltd. -> )
S3 AppleLowerFilter; C:\Windows\System32\drivers\AppleLowerFilter.sys [35976 2020-10-09] (WDKTestCert build,132303256403278908 -> Apple Inc.)
S3 ddmdrv; C:\Windows\SysWOW64\ddmdrv.sys [34216 2016-12-27] (CHENGDU AOMEI Tech Co., Ltd. -> )
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [223688 2022-04-04] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [19912 2022-03-13] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248992 2022-06-06] (Malwarebytes Inc -> Malwarebytes)
R2 NDivert; C:\Program Files\NordVPN\6.47.22.0\Drivers\NDivert.sys [131456 2022-04-20] (nordvpn s.a. -> Nordvpn S.A.)
R1 nordlwf; C:\Windows\system32\DRIVERS\nordlwf.sys [44928 2022-02-22] (nordvpn s.a. -> TEFINCOM S.A.)
S3 NumarkPartyMixLive; C:\Windows\System32\drivers\NumarkPartyMixLive.sys [593928 2020-11-24] (Microsoft Windows Hardware Compatibility Publisher -> Numark)
S3 Revoflt; C:\Windows\System32\DRIVERS\revoflt.sys [38400 2020-10-14] (Microsoft Windows Hardware Compatibility Publisher -> VS Revo Group)
R3 tapnordvpn; C:\Windows\System32\drivers\tapnordvpn.sys [49744 2021-06-13] (nordvpn s.a. -> The OpenVPN Project)
S0 WdBoot; C:\Windows\System32\drivers\wd\WdBoot.sys [49576 2022-06-23] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [452856 2022-06-23] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [91384 2022-06-23] (Microsoft Windows -> Microsoft Corporation)
R2 WinisoCDBus; C:\Windows\System32\drivers\WinisoCDBus.sys [204032 2016-05-12] (ZJMedia Digital Technology Ltd. -> WinISO.com)
S3 wintun; C:\Windows\system32\DRIVERS\wintun.sys [29592 2022-03-18] (Microsoft Windows Hardware Compatibility Publisher -> WireGuard LLC)
U4 Sense; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One month (created) (Whitelisted) =========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2022-07-13 02:45 - 2022-07-13 02:45 - 000024701 _____ C:\Users\joshu\Desktop\FRST.txt
2022-07-13 02:32 - 2022-07-13 02:45 - 000000000 ____D C:\FRST
2022-07-13 02:32 - 2022-07-13 02:32 - 002369536 _____ (Farbar) C:\Users\joshu\Desktop\FRST64.exe
2022-07-13 00:12 - 2022-07-13 00:12 - 000001206 _____ C:\Users\joshu\Documents\virus.txt
2022-07-12 23:10 - 2022-07-12 23:10 - 000000000 ___HD C:\$WinREAgent
2022-07-10 03:02 - 2022-07-10 03:02 - 000000048 _____ C:\Users\joshu\Documents\Netflix.txt
2022-06-28 13:36 - 2022-06-28 13:36 - 000000254 _____ C:\Users\joshu\Documents\DAZN.txt
2022-06-22 08:54 - 2022-06-22 08:54 - 000000039 _____ C:\Users\joshu\Documents\Gorof Rd, Cwm-twrch Isaf,.txt
2022-06-21 04:21 - 2022-06-21 04:22 - 000000000 ____D C:\AdwCleaner
2022-06-21 04:21 - 2022-06-21 04:21 - 008551608 _____ (Malwarebytes) C:\Users\joshu\Documents\adwcleaner.exe
2022-06-19 00:06 - 2022-06-19 00:06 - 000003792 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskUserS-1-5-21-466771246-433639398-4200461963-1001UA
2022-06-19 00:06 - 2022-06-19 00:06 - 000003728 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskUserS-1-5-21-466771246-433639398-4200461963-1001Core
2022-06-18 01:43 - 2022-07-12 23:08 - 000004164 _____ C:\Windows\system32\Tasks\User_Feed_Synchronization-{78AF499D-0B70-4AB2-BAFB-0D24E9BD706D}
2022-06-18 01:39 - 2022-06-18 01:39 - 000000000 ____D C:\Users\joshu\AppData\Local\VS Revo Group
2022-06-18 01:39 - 2022-06-18 01:39 - 000000000 ____D C:\ProgramData\VS Revo Group
2022-06-18 01:39 - 2022-06-18 01:39 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2022-06-18 01:39 - 2022-06-18 01:39 - 000000000 ____D C:\Program Files\VS Revo Group
2022-06-18 01:39 - 2020-10-14 04:07 - 000038400 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2022-06-17 04:34 - 2022-06-17 04:34 - 000000000 ____D C:\Users\joshu\AppData\LocalLow\uTorrent.WebView2
2022-06-16 21:38 - 2022-06-16 21:38 - 000104448 _____ C:\Windows\system32\nettraceex.dll
2022-06-16 21:38 - 2022-06-16 21:38 - 000011787 _____ C:\Windows\system32\DrtmAuthTxt.wim
2022-06-16 21:37 - 2022-06-16 21:37 - 001333760 _____ C:\Windows\SysWOW64\TextInputMethodFormatter.dll
2022-06-16 21:36 - 2022-06-16 21:36 - 002260480 _____ C:\Windows\system32\TextInputMethodFormatter.dll
2022-06-16 21:36 - 2022-06-16 21:36 - 000232288 _____ C:\Windows\system32\containerdevicemanagement.dll
2022-06-14 23:23 - 2022-06-15 00:06 - 000000024 _____ C:\Users\joshu\Documents\order.txt
 
==================== One month (modified) ==================
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2022-07-13 02:02 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\AppReadiness
2022-07-13 01:55 - 2022-05-25 05:28 - 000000000 ____D C:\Wondershare UniConverter 13
2022-07-13 01:44 - 2019-12-07 10:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2022-07-13 00:19 - 2022-03-13 23:20 - 000000000 ____D C:\Users\joshu\AppData\Local\CrashDumps
2022-07-12 23:31 - 2019-12-07 10:14 - 000000000 ___HD C:\Program Files\WindowsApps
2022-07-12 23:05 - 2022-03-02 21:59 - 000000000 __SHD C:\Users\joshu\IntelGraphicsProfiles
2022-07-12 23:04 - 2022-03-02 20:46 - 000000000 ____D C:\Users\joshu
2022-07-12 23:03 - 2022-03-02 20:34 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2022-07-12 23:03 - 2022-03-02 20:33 - 000008192 ___SH C:\DumpStack.log.tmp
2022-07-12 23:03 - 2022-03-02 20:33 - 000000000 ____D C:\Windows\system32\SleepStudy
2022-07-12 04:47 - 2022-05-27 23:43 - 000000000 ____D C:\Users\joshu\AppData\LocalLow\IGDump
2022-07-12 03:48 - 2022-03-02 21:27 - 000000000 ____D C:\Users\joshu\AppData\Local\BitTorrentHelper
2022-07-12 03:48 - 2022-03-02 21:24 - 000000000 ____D C:\Users\joshu\AppData\Roaming\uTorrent
2022-07-10 03:09 - 2022-03-02 20:49 - 000000000 ____D C:\Users\joshu\AppData\Local\Packages
2022-07-10 03:08 - 2022-03-02 20:53 - 000000000 ____D C:\Users\joshu\AppData\Local\PlaceholderTileLogoFolder
2022-07-08 19:55 - 2022-03-02 20:45 - 000795738 _____ C:\Windows\system32\PerfStringBackup.INI
2022-07-08 19:55 - 2019-12-07 10:13 - 000000000 ____D C:\Windows\INF
2022-07-08 19:10 - 2022-04-04 03:39 - 000000000 ____D C:\Users\joshu\AppData\Local\NordVPN
2022-07-06 00:03 - 2022-03-02 21:01 - 000002364 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brave.lnk
2022-06-30 00:21 - 2022-03-02 20:58 - 000003584 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-466771246-433639398-4200461963-1001
2022-06-30 00:21 - 2022-03-02 20:53 - 000003376 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-466771246-433639398-4200461963-1001
2022-06-30 00:21 - 2022-03-02 20:46 - 000002379 _____ C:\Users\joshu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2022-06-29 17:16 - 2022-04-04 03:39 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NordSec
2022-06-29 17:16 - 2022-04-04 03:39 - 000000000 ____D C:\Program Files\NordVPN
2022-06-28 10:14 - 2022-04-22 23:56 - 000000065 _____ C:\Users\joshu\Documents\incognito.txt
2022-06-23 04:32 - 2022-03-02 20:34 - 000000000 ____D C:\Windows\system32\Drivers\wd
2022-06-21 05:30 - 2022-03-02 21:07 - 000000000 ____D C:\Users\joshu\AppData\Local\Comms
2022-06-18 01:33 - 2022-05-27 22:16 - 000000000 ____D C:\Program Files (x86)\pushkin
2022-06-17 03:52 - 2022-04-26 06:50 - 000000000 ____D C:\Users\joshu\AppData\LocalLow\Mozilla
2022-06-16 22:11 - 2022-03-02 20:33 - 000294344 _____ C:\Windows\system32\FNTCACHE.DAT
2022-06-16 22:10 - 2019-12-07 10:03 - 000524288 _____ C:\Windows\system32\config\BBI
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\SysWOW64\lv-LV
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\SysWOW64\lt-LT
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\SysWOW64\et-EE
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\SysWOW64\es-MX
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\SysWOW64\Dism
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\SystemResources
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\system32\ShellExperiences
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\system32\oobe
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\system32\lv-LV
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\system32\lt-LT
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\system32\et-EE
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\system32\es-MX
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\system32\Dism
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\system32\DDFs
2022-06-16 22:08 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\bcastdvr
2022-06-16 22:08 - 2019-12-07 10:03 - 000000000 ____D C:\Windows\servicing
2022-06-16 21:49 - 2019-12-07 10:03 - 000000000 ____D C:\Windows\CbsTemp
2022-06-16 21:36 - 2022-03-02 20:36 - 002877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2022-06-16 21:06 - 2022-03-03 15:24 - 000000000 ____D C:\Windows\system32\MRT
2022-06-16 21:00 - 2022-03-03 15:23 - 145918784 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
==================== Files in the root of some directories ========
 
2022-05-27 11:25 - 2022-05-27 11:25 - 000315392 _____ (Dell) C:\Users\joshu\AppData\Local\Baroda.exe
2022-05-27 11:25 - 2022-05-27 11:25 - 000046184 _____ () C:\Users\joshu\AppData\Local\guido.exe
2021-11-20 17:06 - 2021-11-20 17:06 - 000138680 _____ (Microsoft Corporation) C:\Users\joshu\AppData\Local\WebView2Loader.dll
 
==================== SigCheck ============================
 
(There is no automatic fix for files that do not pass verification.)
 
==================== End of FRST.txt ========================
 
 
 
Addition -
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-07-2022
Ran by joshu (13-07-2022 02:46:30)
Running from C:\Users\joshu\Desktop
Microsoft Windows 10 Home Version 21H2 19044.1766 (X64) (2022-03-02 19:41:18)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
 
(If an entry is included in the fixlist, it will be removed.)
 
Administrator (S-1-5-21-466771246-433639398-4200461963-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-466771246-433639398-4200461963-503 - Limited - Disabled)
Guest (S-1-5-21-466771246-433639398-4200461963-501 - Limited - Disabled)
joshu (S-1-5-21-466771246-433639398-4200461963-1001 - Administrator - Enabled) => C:\Users\joshu
WDAGUtilityAccount (S-1-5-21-466771246-433639398-4200461963-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\uTorrent) (Version: 3.5.5.46304 - BitTorrent Inc.)
7-Zip 21.07 (x64) (HKLM\...\7-Zip) (Version: 21.07 - Igor Pavlov)
Active@ KillDisk Professional 10 (HKLM\...\{C932B116-1A14-400B-B0E3-81A86905FF25}_is1) (Version: 10 - LSoft Technologies Inc)
Adobe Photoshop 2020 (HKLM-x32\...\PHSP_21_2_2) (Version: 21.2.2.289 - Adobe Inc.)
Adobe Premiere Pro 2020 (HKLM-x32\...\PPRO_14_0_3) (Version: 14.0.3 - Adobe Inc.)
AOMEI Partition Assistant 9.6.1 (HKLM-x32\...\AOMEI Partition Assistant_is1) (Version: 9.6.1 - RePack 9649)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Athens Markets MT5 Terminal (HKLM\...\Athens Markets MT5 Terminal) (Version: 5.00 - MetaQuotes Ltd.)
Atomic Wallet 2.42.1 (HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\0ba5fe9b-2a0d-54e2-a47a-d2764be56a7d) (Version: 2.42.1 - atomicwallet.io)
AutoHotkey 1.1.33.10 (HKLM\...\AutoHotkey) (Version: 1.1.33.10 - Lexikos)
Balabolka (HKLM-x32\...\Balabolka) (Version: 2.15.0.818 - Ilya Morozov)
Brave (HKLM-x32\...\BraveSoftware Brave-Browser) (Version: 103.1.40.113 - Brave Software Inc)
Disk Drill 4.4.613.0 (HKLM-x32\...\{cdc6076f-6952-467b-8fb0-5de94d753487}) (Version: 4.4.613.0 - CleverFiles)
dr.fone (Version 9.1.0) (HKLM-x32\...\{E8F86DA8-B8E4-42C7-AFD4-EBB692AC43FD}_is1) (Version: 9.1.0.7 - Wondershare Technology Co.,Ltd.)
DroidKit (HKLM-x32\...\DroidKit) (Version: 1.0.0.3 - iMobie Inc.)
EaseUS MobiSaver for Android version 5.0 (HKLM-x32\...\{82D2239C-0F46-4446-B3CA-810A07BF7A6E}_is1) (Version: 5.0 - CHENGDU YIWO Tech Development Co., Ltd.)
FoneDog Toolkit for Android 2.0.52 (HKLM-x32\...\{7A8C4E7C-62D5-47E6-B93B-80C5DD48CBA4}_is1) (Version: 2.0.52 - FoneDog)
FoneLab Android Data Recovery 3.0.62 (HKLM-x32\...\{9D4E5CFB-1923-4ff6-9305-0E5AF9430AF0}_is1) (Version: 3.0.62 - FoneLab)
iBeesoft Data Recovery version 4.0.0.0 (HKLM\...\iBeesoft Data Recovery_is1) (Version: 4.0.0.0 - iBeesoft Tech Co., Ltd)
Icecream Ebook Reader version 5.31 (HKLM-x32\...\{B8C30F0F-1F23-49E1-A3ED-44DE17660EE2}_is1) (Version: 5.31 - Icecream Apps)
Intel® Wireless Bluetooth® (HKLM-x32\...\{00000120-0220-1033-84C8-B8D95FA3C8C3}) (Version: 22.120.0.3 - Intel Corporation)
IVONA 2 (HKLM-x32\...\IVONA 2) (Version: 1.6.63 - IVONA Software Sp. z o.o.)
Kingo ROOT version 1.3.6.2289 (HKLM-x32\...\{AE7675D6-0B31-494F-ABFA-822E1A0FDF17}_is1) (Version: 1.3.6.2289 - Kingosoft Technology Ltd.)
KingRoot °æ±¾ 3.5.0.1157 (HKLM-x32\...\{FA3B7324-9EB4-4ADC-84D0-5461BE113832}_is1) (Version: 3.5.0.1157 - KingRoot)
Malwarebytes version 4.5.7.186 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.5.7.186 - Malwarebytes)
MetaTrader (HKLM\...\MetaTrader) (Version: 5.00 - MetaQuotes Ltd.)
Microsoft Edge WebView2 Runtime (HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Microsoft EdgeWebView) (Version: 103.0.1264.49 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\OneDriveSetup.exe) (Version: 22.121.0605.0002 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{7B1FCD52-8F6B-4F12-A143-361EA39F5E7C}) (Version: 3.67.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (HKLM\...\{37B8F9C7-03FB-3253-8781-2517C99D7C00}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (HKLM\...\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (HKLM-x32\...\{B175520C-86A2-35A7-8619-86DC379688B9}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (HKLM-x32\...\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40660 (HKLM\...\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}) (Version: 12.0.40660 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40660 (HKLM\...\{CB0836EC-B072-368D-82B2-D3470BF95707}) (Version: 12.0.40660 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 (HKLM-x32\...\{7DAD0258-515C-3DD4-8964-BD714199E0F7}) (Version: 12.0.40660 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 (HKLM-x32\...\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}) (Version: 12.0.40660 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.29.30139 (HKLM-x32\...\{2c673fb6-3e65-4751-965d-33d30b68a8a6}) (Version: 14.29.30139.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.28.29325 (HKLM-x32\...\{d7a6435f-ac9a-4af6-8fdc-ca130d13fac9}) (Version: 14.28.29325.2 - Microsoft Corporation)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.29.30139 (HKLM\...\{7F4A9F52-173F-4B0D-B1EA-269C32EDA827}) (Version: 14.29.30139 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.29.30139 (HKLM\...\{A6D3F752-BF11-4D7C-B19C-F6F96A35CF50}) (Version: 14.29.30139 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.28.29325 (HKLM-x32\...\{B40FC85D-2B12-46E0-B950-E5B27E348793}) (Version: 14.28.29325 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.28.29325 (HKLM-x32\...\{EE2E15BB-54C8-4DB0-B1F3-026E3C166991}) (Version: 14.28.29325 - Microsoft Corporation) Hidden
NordUpdater (HKLM\...\{6E35DB82-3D19-4DD6-B8CB-F082815FDE18}_is1) (Version: 1.2.2.116 - Nord Security)
NordVPN (HKLM\...\{19465C24-3D5D-4327-B99F-3CC0A1D38151}_is1) (Version: 6.47.22.0 - Nord Security)
NordVPN network TAP (HKLM-x32\...\{97DEC5D6-2BE9-45BB-BFC5-274B851B486B}) (Version: 1.0.1 - NordVPN)
Numark Party Mix Live 1.0.0 (HKLM\...\{E1A39300-6573-48A6-84F5-CF9CD106EB58}) (Version: 1.0.0 - Numark)
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7543 - Realtek Semiconductor Corp.)
Revo Uninstaller Pro 4.3.8 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 4.3.8 - VS Revo Group, Ltd.)
Serato DJ Pro  (HKLM\...\{EF9700E3-59E9-4C20-AB55-4D4CD2DE4BE7}) (Version: 2.5.11.1418 - Serato Limited) Hidden
Serato DJ Pro  (HKLM-x32\...\{12623249-9b42-400f-9c83-7e586144e880}) (Version: 2.5.11.1418 - Serato Limited)
Sony刷机驱动安装程序 version 1.2 (HKLM-x32\...\{DCF4A01A-4ED7-4E60-8D4B-4B3F59CF3DE0}_is1) (Version: 1.2 - 北京众晶锐驰科技有限公司)
Sp5 (HKLM-x32\...\{560F47F7-EB23-44B1-AAFC-667F1CD8FE5C}) (Version: 5.1.4324.0 - Microsoft) Hidden
Sp5Intl (HKLM-x32\...\{FD4B33E1-24AE-4535-AA7B-162B30FB57CD}) (Version: 5.1.4324.0 - Microsoft) Hidden
Sp5TTInt (HKLM-x32\...\{E415C943-37E5-473F-8BAE-043C56734124}) (Version: 5.1.4324.0 - Microsoft) Hidden
SpCommon (HKLM-x32\...\{6C3959C6-943E-44B3-BAAD-570B04B134E5}) (Version: 5.1.4324.0 - Microsoft) Hidden
SpPhones (HKLM-x32\...\{4DFF1415-4C29-44A8-BFD4-2BCE249C4991}) (Version: 6.0.3122.0 - Microsoft) Hidden
UltData for Android 6.7.3.0 (HKLM-x32\...\{UltData for Android}_is1) (Version: 6.7.3.0 - Tenorshare, Inc.)
VLC media player (HKLM\...\VLC media player) (Version: 3.0.16 - VideoLAN)
Vuze (HKLM\...\8461-7759-5462-8226) (Version: 5.7.7.0 - Azureus Software, Inc.)
Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass  (08/27/2012 7.0.0000.00004) (HKLM\...\BE156A27AFEAEA39D6A7C9D25CFA8DAFAF91756B) (Version: 08/27/2012 7.0.0000.00004 - Google, Inc.)
Windows PC Health Check (HKLM\...\{6798C408-2636-448C-8AC6-F4E341102D27}) (Version: 3.6.2204.08001 - Microsoft Corporation)
WinISO (HKLM-x32\...\WinISO) (Version: 6.4.1.5976 - WinISO Computing Inc.)
Wondershare UniConverter 13(Build 13.6.0.139) (HKLM\...\UniConverter 13_is1) (Version: 13.6.0.139 - Wondershare Software)
 
Packages:
=========
Disney+ -> C:\Program Files\WindowsApps\Disney.37853FC22B2CE_1.33.1.0_x64__6rarf9sa4v8jt [2022-07-12] (Disney)
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.13.7040.0_x64__8wekyb3d8bbwe [2022-07-12] (Microsoft Studios) [MS Ad]
Netflix -> C:\Program Files\WindowsApps\4DF9E0F8.Netflix_6.98.1805.0_x64__mcm4njqhnhss8 [2022-07-10] (Netflix, Inc.)
Spotify Music -> C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.189.862.0_x64__zpdnekdrzrea0 [2022-07-12] (Spotify AB) [Startup Task]
 
==================== Custom CLSID (Whitelisted): ==============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-466771246-433639398-4200461963-1001_Classes\CLSID\{5EA43877-C6D8-4885-B77A-C0BB27E94372}\InprocServer32 -> C:\Users\joshu\AppData\Local\Microsoft\EdgeUpdate\1.3.163.19\psuser_64.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-466771246-433639398-4200461963-1001_Classes\CLSID\{81093D63-7825-417B-BFC8-ADC63FA4E53D}\InprocServer32 -> C:\Users\joshu\AppData\Local\Microsoft\EdgeUpdate\1.3.163.19\psuser_64.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-466771246-433639398-4200461963-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation - pGFX -> Intel Corporation)
CustomCLSID: HKU\S-1-5-21-466771246-433639398-4200461963-1001_Classes\CLSID\{BFBE0943-74C5-40E0-9E80-0B808109E95D}\InprocServer32 -> C:\Users\joshu\AppData\Local\Microsoft\EdgeUpdate\1.3.163.19\psuser_64.dll (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2021-12-26] (Igor Pavlov) [File not signed]
ContextMenuHandlers1: [Balabolka] -> {6CB83A5A-AA68-4895-9F54-175E789AE149} => C:\Program Files (x86)\Balabolka\BFileExt.dll [2020-04-04] (Ilya Morozov) [File not signed]
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-03-13] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2021-12-26] (Igor Pavlov) [File not signed]
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2015-07-30] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2021-12-26] (Igor Pavlov) [File not signed]
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-03-13] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [RUShellExt] -> {2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} => C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [2020-09-28] (VS Revo Group Ltd. -> VS Revo Group)
 
==================== Codecs (Whitelisted) ====================
 
==================== Shortcuts & WMI ========================
 
==================== Loaded Modules (Whitelisted) =============
 
2022-06-29 17:16 - 2022-06-29 20:45 - 009103360 _____ () [File not signed] C:\Program Files\NordVPN\6.47.22.0\telio.DLL
2022-04-21 01:15 - 2021-12-26 15:00 - 000093696 _____ (Igor Pavlov) [File not signed] C:\Program Files\7-Zip\7-zip.dll
2020-04-04 21:04 - 2020-04-04 21:04 - 000370176 _____ (Ilya Morozov) [File not signed] C:\Program Files (x86)\Balabolka\BFileExt.dll
 
==================== Alternate Data Streams (Whitelisted) ========
 
==================== Safe Mode (Whitelisted) ==================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) =================
 
==================== Internet Explorer (Whitelisted) ==========
 
SearchScopes: HKU\S-1-5-21-466771246-433639398-4200461963-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
 
==================== Hosts content: =========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2019-12-07 10:14 - 2019-12-07 10:12 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts
 
==================== Other Areas ===========================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-466771246-433639398-4200461963-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\joshu\Pictures\1251853.jpg
DNS Servers: 192.168.22.22 - 192.168.22.23
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.
 
Network Binding:
=============
WiFi: NordVPN LightWeight Firewall -> NordLwf (enabled) 
Ethernet: NordVPN LightWeight Firewall -> NordLwf (enabled) 
Ethernet 2: NordVPN LightWeight Firewall -> NordLwf (enabled) 
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(If an entry is included in the fixlist, it will be removed.)
 
HKLM\...\StartupApproved\Run: => "Altarpiece"
HKLM\...\StartupApproved\Run: => "Peso"
HKLM\...\StartupApproved\Run32: => "Breakaways"
HKLM\...\StartupApproved\Run32: => "Kobler"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\StartupFolder: => "wombats.lnk"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "MicrosoftEdgeAutoLaunch_8CFE0D2E897E6F5DD7117E6C430C171E"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "ut"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "Outsold"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "Typical"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "Carborundum"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "Ephesus"
 
==================== FirewallRules (Whitelisted) ================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{72CB32BB-EAA2-47D0-BE7F-0C37AD0AA571}] => (Allow) C:\Users\joshu\AppData\Roaming\uTorrent\uTorrent.exe (BitTorrent Inc -> BitTorrent Inc.)
FirewallRules: [{CD7C5CBF-7AE5-4485-84D1-664DB9ABFBA8}] => (Allow) C:\Users\joshu\AppData\Roaming\uTorrent\uTorrent.exe (BitTorrent Inc -> BitTorrent Inc.)
FirewallRules: [{AE940449-7582-41C7-9FB4-E7E796CE7828}] => (Allow) C:\Program Files (x86)\iMobie\DroidKit\xldownload\download\MiniThunderPlatform.exe (ShenZhen Thunder Networking Technologies Ltd. -> 深圳市迅雷网络技术有限公司)
FirewallRules: [{83CD32AA-D7FA-491C-B592-64F596187F8B}] => (Allow) C:\Program Files (x86)\iMobie\DroidKit\xldownload\download\MiniThunderPlatform.exe (ShenZhen Thunder Networking Technologies Ltd. -> 深圳市迅雷网络技术有限公司)
FirewallRules: [TCP Query User{FAF141EE-7E53-47D3-AE0B-A36F0E22E011}C:\program files (x86)\wondershare\wondershare dr.fone\addins\recovery\drfonerecovery.exe] => (Allow) C:\program files (x86)\wondershare\wondershare dr.fone\addins\recovery\drfonerecovery.exe (Wondershare Technology Co.,Ltd -> Wondershare)
FirewallRules: [UDP Query User{43C71507-EA52-4E2B-918E-156070B6C108}C:\program files (x86)\wondershare\wondershare dr.fone\addins\recovery\drfonerecovery.exe] => (Allow) C:\program files (x86)\wondershare\wondershare dr.fone\addins\recovery\drfonerecovery.exe (Wondershare Technology Co.,Ltd -> Wondershare)
FirewallRules: [{74395E2E-E48A-4407-952F-76194504E206}] => (Allow) C:\Users\joshu\Desktop\ultdata-android.exe => No File
FirewallRules: [{10CB23BA-803A-46FB-BBFB-054F59AA7A8E}] => (Allow) C:\Users\joshu\Desktop\ultdata-android.exe => No File
FirewallRules: [TCP Query User{300A1F24-6C16-4218-A709-8EF9AB8E9CC2}C:\program files (x86)\tenorshare\ultdata - android data recovery\ultdata for android.exe] => (Allow) C:\program files (x86)\tenorshare\ultdata - android data recovery\ultdata for android.exe (Tenorshare Co., Ltd. -> Tenorshare)
FirewallRules: [UDP Query User{3A03B3A7-CA81-4353-879C-CADE86E75A86}C:\program files (x86)\tenorshare\ultdata - android data recovery\ultdata for android.exe] => (Allow) C:\program files (x86)\tenorshare\ultdata - android data recovery\ultdata for android.exe (Tenorshare Co., Ltd. -> Tenorshare)
FirewallRules: [{888A05D9-03F7-4BA1-B609-86D3153DE90F}] => (Allow) C:\Program Files\MetaTrader\metatester64.exe (MetaQuotes Ltd. -> MetaQuotes Ltd.)
FirewallRules: [{6DB2D0AF-7FAC-4EA7-97F7-1C6C50CDA19A}] => (Allow) C:\Program Files\Vuze\Azureus.exe (Azureus Software, Inc. -> Azureus Software, Inc)
FirewallRules: [{C1BCBD4D-23CB-4B56-BB8C-4E9DFF5FC2C7}] => (Allow) C:\Program Files\Vuze\Azureus.exe (Azureus Software, Inc. -> Azureus Software, Inc)
FirewallRules: [{40751048-CCA1-4343-BAB1-E91734A31B2F}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe => No File
FirewallRules: [{1DAD4C06-FC80-45EB-8624-4648386EB7A2}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe => No File
FirewallRules: [{2C0BE79D-B3C0-4DA0-A951-90C1F6BFC050}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{4C5ED7C5-5085-47F3-9A4F-E92153088BA1}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{F62834FE-5B08-4C32-8E72-81492A6DFA90}C:\program files (x86)\age of empires iv\reliccardinal.exe] => (Allow) C:\program files (x86)\age of empires iv\reliccardinal.exe => No File
FirewallRules: [UDP Query User{2E17378D-10F3-40A9-86C4-E99609833CAB}C:\program files (x86)\age of empires iv\reliccardinal.exe] => (Allow) C:\program files (x86)\age of empires iv\reliccardinal.exe => No File
FirewallRules: [{96820912-F3C2-466B-9652-3D6BF2643FC9}] => (Allow) C:\Program Files (x86)\Sacrificed\Mcduff.exe => No File
FirewallRules: [{14082E15-3405-4A5B-8A88-447640EEAFBA}] => (Allow) C:\Program Files (x86)\Calc\Mcduff.exe (Dell) [File not signed]
FirewallRules: [{5ECA1825-6863-46E5-BE17-1EF0FDEA43C9}] => (Allow) C:\Program Files (x86)\pushkin\Baroda.exe => No File
FirewallRules: [{FFC242D5-3236-463E-BDC2-1C92D67A7C6B}] => (Allow) C:\Program Files (x86)\Calc\Baroda.exe (Dell) [File not signed]
FirewallRules: [{7CE2D2BF-B8C6-49AF-B29E-F9B5BCC44D57}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{0A407FD5-551B-4DD7-81F7-97E56F8D3A96}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.85.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{3D2514B7-55D6-4E5A-9D31-CB120F32ADEF}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.85.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{F21AC9EE-EC3D-43BC-8468-38E3C1C1D8F0}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.85.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{0D0C7CBD-F9BB-437A-8E91-EF5F605839B5}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.85.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{FD896CAA-75F3-4587-9930-B5D15E495C8B}] => (Allow) C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe (Brave Software, Inc. -> Brave Software, Inc.)
FirewallRules: [{46A58E40-F286-46A2-8353-2A4B5D73B6EC}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.189.862.0_x64__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{4D33BC29-411F-447C-8B94-410D66693CA9}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.189.862.0_x64__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{3828AC51-192F-4231-9FD4-E55E61F62914}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.189.862.0_x64__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{A28694DA-2861-46BA-9335-D4DA14A7B0E3}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.189.862.0_x64__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{742AA920-9436-46F7-A74F-67ADE3E20E4A}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.189.862.0_x64__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{B3AB588E-DAC0-44C3-8335-9E63F55E229E}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.189.862.0_x64__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{C07E3659-FC13-4D08-BBA8-4D90B6DA3867}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.189.862.0_x64__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{D5777BAB-BB6A-45A6-97A1-BB8AC837BC2D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.189.862.0_x64__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
 
==================== Restore Points =========================
 
04-07-2022 01:16:16 Scheduled Checkpoint
12-07-2022 03:52:46 Scheduled Checkpoint
 
==================== Faulty Device Manager Devices ============
 
Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Sony sa0200 ADB Interface Driver
Description: Sony sa0200 ADB Interface Driver
Class Guid: {7072d66b-8abd-445c-9490-c0d7638d38dd}
Manufacturer: Sony
Service: WinUSB
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: ========================
 
Application errors:
==================
Error: (07/13/2022 02:44:43 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST64.exe version 11.7.2022.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 2be8
 
Start Time: 01d896586935f90b
 
Termination Time: 4294967295
 
Application Path: C:\Users\joshu\Desktop\FRST64.exe
 
Report Id: 67cd6588-22c2-44e5-82dd-b1d3338c76f7
 
Faulting package full name: 
 
Faulting package-relative application ID: 
 
Hang type: Top level window is idle
 
Error: (07/13/2022 12:18:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Sacrificed.exe, version: 1.0.0.0, time stamp: 0x628f0031
Faulting module name: KERNELBASE.dll, version: 10.0.19041.1741, time stamp: 0xe9b4a91b
Exception code: 0xe0434352
Fault offset: 0x0000000000034fd9
Faulting process ID: 0x32a0
Faulting application start time: 0x01d89645c0cff80c
Faulting application path: C:\Program Files (x86)\Sacrificed\Sacrificed.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report ID: 1383351e-6bb8-40c1-8ca1-96c55e06a0e6
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (07/13/2022 12:18:54 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Sacrificed.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IndexOutOfRangeException
   at FormsApp.Form2.InitializeComponent()
   at FormsApp.Form2..ctor()
   at FormsApp.Program.Main()
 
Error: (07/12/2022 11:09:17 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program SoftwareUpdate.exe version 2.1.3.127 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 9e4
 
Start Time: 01d8963bcbaccf6d
 
Termination Time: 19
 
Application Path: C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe
 
Report Id: 9ae780f4-a3ee-4179-879d-cc2e0c56bfba
 
Faulting package full name: 
 
Faulting package-relative application ID: 
 
Hang type: Unknown
 
Error: (07/11/2022 10:09:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: guido.exe, version: 0.0.0.0, time stamp: 0x4b1ae3cc
Faulting module name: ntdll.dll, version: 10.0.19041.1741, time stamp: 0x221456c9
Exception code: 0xc0000005
Fault offset: 0x00078a14
Faulting process ID: 0x21f0
Faulting application start time: 0x01d8956a6ec74289
Faulting application path: C:\Users\joshu\AppData\Local\guido.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report ID: 0be95907-1593-4d6a-8db7-2f315fd0d1f8
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (07/10/2022 04:35:31 AM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimiser couldn't complete re-trim on (C:) because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)
 
Error: (07/10/2022 04:06:58 AM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimiser couldn't complete re-trim on System Reserved because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)
 
Error: (07/10/2022 03:56:58 AM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimiser couldn't complete re-trim on System Reserved because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)
 
 
System errors:
=============
Error: (07/13/2022 01:50:28 AM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-Q6ILMGH)
Description: Unable to start a DCOM Server: Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe!MicrosoftEdge as Unavailable/Unavailable. The error:
"2147942402"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
 
Error: (07/13/2022 01:50:02 AM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-Q6ILMGH)
Description: Unable to start a DCOM Server: Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe!MicrosoftEdge as Unavailable/Unavailable. The error:
"2147942402"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
 
Error: (07/13/2022 01:45:43 AM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-Q6ILMGH)
Description: Unable to start a DCOM Server: Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe!MicrosoftEdge.AppXxat4m5y1bf9ghax409y1vwyatpqea4s8.mca as Unavailable/Unavailable. The error:
"2147942402"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
 
Error: (07/12/2022 11:12:17 PM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-Q6ILMGH)
Description: Unable to start a DCOM Server: Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe!MicrosoftEdge as Unavailable/Unavailable. The error:
"2147942402"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
 
Error: (07/12/2022 11:12:06 PM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-Q6ILMGH)
Description: Unable to start a DCOM Server: Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe!MicrosoftEdge as Unavailable/Unavailable. The error:
"2147942402"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
 
Error: (07/12/2022 11:06:20 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Brave Update Service (brave) service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (07/12/2022 11:06:20 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Brave Update Service (brave) service to connect.
 
Error: (07/12/2022 11:05:45 PM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-Q6ILMGH)
Description: Unable to start a DCOM Server: Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe!MicrosoftEdge as Unavailable/Unavailable. The error:
"2147942402"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
 
 
Windows Defender:
================
Date: 2022-05-27 22:11:21
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: VirTool:Win32/DefenderTamperingRestore
Severity: Severe
Category: Tool
Path: regkeyvalue:_hklm\software\policies\microsoft\windows defender\\DisableAntiSpyware
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.367.557.0, AS: 1.367.557.0, NIS: 1.367.557.0
Engine Version: AM: 1.1.19200.6, NIS: 1.1.19200.6
 
Date: 2022-05-27 22:11:08
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Wacatac.B!ml
Severity: Severe
Category: Trojan
Path: file:_C:\Users\joshu\AppData\Local\Temp\nsd2BA2.tmp\26055.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
Process Name: C:\Windows\System32\conhost.exe
Security intelligence Version: AV: 1.367.557.0, AS: 1.367.557.0, NIS: 1.367.557.0
Engine Version: AM: 1.1.19200.6, NIS: 1.1.19200.6
 
Date: 2022-05-27 22:10:48
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Wacatac.B!ml
Severity: Severe
Category: Trojan
Path: file:_C:\Users\joshu\AppData\Local\Temp\nsd2BA2.tmp\26055.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
Process Name: C:\Windows\System32\conhost.exe
Security intelligence Version: AV: 1.367.557.0, AS: 1.367.557.0, NIS: 1.367.557.0
Engine Version: AM: 1.1.19200.6, NIS: 1.1.19200.6
 
Date: 2022-05-27 22:10:43
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Wacatac.B!ml
Severity: Severe
Category: Trojan
Path: file:_C:\Users\joshu\AppData\Local\Temp\nsd2BA2.tmp\26055.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.367.557.0, AS: 1.367.557.0, NIS: 1.367.557.0
Engine Version: AM: 1.1.19200.6, NIS: 1.1.19200.6
 
Date: 2022-05-27 22:10:40
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Mamson.A!ac
Severity: Severe
Category: Trojan
Path: file:_C:\Users\joshu\AppData\Local\Temp\nsuEFE1.tmp\installer.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\joshu\Desktop\Serato Studio v1.6.8 Final x64\Serato Studio v1.6.8 CE.exe
Security intelligence Version: AV: 1.367.557.0, AS: 1.367.557.0, NIS: 1.367.557.0
Engine Version: AM: 1.1.19200.6, NIS: 1.1.19200.6
Event[0]:
 
Date: 2022-07-08 19:49:10
Description: 
Microsoft Defender Antivirus has encountered an error trying to load security intelligence and will attempt reverting back to a known-good version.
Security intelligence Attempted: Current
Error Code: 0x80070003
Error description: The system cannot find the path specified. 
Security intelligence version: 0.0.0.0;0.0.0.0
Engine version: 0.0.0.0
 
CodeIntegrity:
===============
Date: 2022-03-18 22:24:23
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\joshu\Desktop\BT-22.120.0-32-64UWD-Win10-Win11.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2022-03-18 21:40:29
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\joshu\Desktop\BT-22.80.1-64-Win10-Win11.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
BIOS: American Megatrends Inc. P03ABI.005.120927.dg 09/27/2012
Motherboard: SAMSUNG ELECTRONICS CO., LTD. NP550P5C-A08UK
Processor: Intel® Core™ i5-3210M CPU @ 2.50GHz
Percentage of memory in use: 52%
Total physical RAM: 8079.62 MB
Available physical RAM: 3869.21 MB
Total Virtual: 9359.62 MB
Available Virtual: 4070.59 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:465.2 GB) (Free:393.68 GB) (Model: ST500LT012-1DG142) NTFS
 
\\?\Volume{f00e5fc5-0000-0000-0000-100000000000}\ (System Reserved) (Fixed) (Total:0.05 GB) (Free:0.02 GB) NTFS
\\?\Volume{f00e5fc5-0000-0000-0000-505074000000}\ () (Fixed) (Total:0.5 GB) (Free:0.08 GB) NTFS
 
==================== MBR & Partition Table ====================
 
==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: F00E5FC5)
Partition 1: (Active) - (Size=50 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=517 MB) - (Type=27)
 
==================== End of Addition.txt =======================


#4 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 62,343 posts
  • Gender:Male
  • Location:California

Posted 13 July 2022 - 09:15 AM

Greetings.

It is my pleasure to help clean your computer.

Please consider and do this.

===================================================

Peer to Peer (P2P) Warning

--------------------

Going over your logs I noticed that you have Peer 2 Peer (torrent) program(s) installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall Peer 2 Peer programs; however, that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about CryptoLocker Ransomware, a type of Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition, it has recently been reported that P2P downloads may be tracked, resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Farbar Recovery Scan Tool Fix

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST will do it for you
Start::
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [Peso] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy. (the data entry has 116 more characters). (No File)
HKLM\...\Run: [Calligraphic] => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgb (the data entry has 113 more characters). (No File)
HKLM\...\Run: [Altarpiece] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKLM-x32\...\Run: [Kobler] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy. (the data entry has 116 more characters). (No File)
HKLM-x32\...\Run: [Whited] => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgb (the data entry has 113 more characters). (No File)
HKLM-x32\...\Run: [Breakaways] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Ephesus] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy. (the data entry has 116 more characters). (No File)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Eros] => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgb (the data entry has 113 more characters). (No File)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Carborundum] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Typical] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy. (the data entry has 116 more characters). (No File)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Fraternally] => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgb (the data entry has 113 more characters). (No File)
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\Run: [Outsold] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\MountPoints2: {a99b2bfb-c05d-11ec-910a-e8039af622b8} - "D:\startme.exe"
Startup: C:\Users\joshu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wombats.lnk [2022-05-27]
Startup: C:\Users\joshu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wombatswombats.lnk [2022-05-27]
Task: {06A484BD-7E5A-44A6-AD7B-EFDB932CE9A2} - System32\Tasks\0k6huw\8kstn4\44vljz\3y3yj8\9tj2xw\ym1w9e\yd7iut\gwzw10\lr01r4\9ngzox\u6uet2\lqmptk\rmthwh\90oyp7\vzmki2\6yj4f5\6tx0rk => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
Task: {2F9DEE8E-FE12-405C-AF6A-81E94B65FAE3} - System32\Tasks\ddf30l\sq4cml\a9f6eg\1jh7ae\jydlov\nzoqzo\24qijf\5nmpax\no7il6\5gcqkm\y9tkh3\6e33fi\btci11\h6zxyp\a0wx3q\5dppmp\3l0yak => C:\Users\joshu\AppData\Local\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
Task: {3A960624-4962-47AE-B506-A450CD248BB2} - System32\Tasks\pk4i5r\5rshj5\c0q553\u2cqn3\yqhd76\m3qmqo\ulejgh\kdc9na\khso82\nopsgz\7uy0fn\fitb6y\9h6o7x\d1az1x\4vtlq7\981gem\ift3w4 => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
Task: {4EF2661C-6B28-457E-8DA6-B59CA21D7701} - System32\Tasks\wfwm1m\xo3dpi\9gzuol\4mldqh\lrg1sa\dcaood\urhkcl\6znouq\0wygvb\bkrm8s\91foap\xj4qgd\ulworh\5dz6fa\vkfbcp\b5f6ea\rtcs2r => C:\Program Files (x86)\Sacrificed\perlite.exe (No File)
Task: {5930089C-B4A7-4010-B907-6580BAFBE2EA} - System32\Tasks\4cpzxp\58jjjo\i7zs9j\zbwys0\h4hwql\qxsfxq\trdd3i\jgy211\g3io60\5do6r5\75datd\o4a5sb\rybeoc\wzo8rn\m4lwma\xoykv1\vlho0k => C:\Users\joshu\AppData\Local\Baroda.exe [315392 2022-05-27] (Dell) [File not signed]
Task: {64CE9108-E016-46D9-A582-B8538AE9B84A} - System32\Tasks\acyewc\l32b80\61vvch\9obpgv\6xcbyc\3dexl2\xjrq9q\8q30t6\wfjajv\cfmhua\dojghf\6cchb2\g06ot2\hnfrcg\aqfe5v\xbl612\orqw9i => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]
Task: {80EA4776-7ADF-409E-90BC-FCEB167BCACF} - System32\Tasks\m4gneg\oa4vfg\mfbfps\c7t27l\nvqsag\d869kx\etdci6\eh2rtu\1qpmmi\8zdfpe\7idkub\2mjfy6\jajoai\egwqaj\3s8xca\kwh3rv\ezwzob => C:\Users\joshu\AppData\Local\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
Task: {906878AE-2654-46BE-824B-0D0A1C35C94B} - System32\Tasks\93w2z1\ptsz81\yb9ade\t1j7gd\rdb5dq\992l6x\gihl6v\d19y6t\3pvnid\jfhioq\822ebn\x98bod\1m1nmp\gsvah5\207yg3\i3jbzz\ytgqb7 => C:\Program Files (x86)\Blemished\penniless.exe [63717 2022-05-27] () [File not signed]
Task: {95BF14C0-DC2B-4A81-B87F-7C01FD92CDAD} - System32\Tasks\66kzfz\nvm5df\ixxe6p\62t4nt\aoqs3g\zjraqo\qley8c\i4l6ir\522d9n\8txqaf\ffbt9z\194scc\zhi7pj\iadhul\6e69n6\t0xdfo\sjrem0 => C:\Users\joshu\AppData\Local\guido.exe [46184 2022-05-27] () [File not signed]
Task: {CC93B223-99DA-4540-8EA0-C7F63357BA31} - System32\Tasks\86arl1\9mf0zo\orcyoy\o42bbz\5x30h4\7jpd15\9xsr8y\47w1ov\q45fyt\7ibktu\uwyimz\axgwi5\ohu70n\sygf70\5spkif\0cug3q\b1draq => C:\Program Files (x86)\Calc\Baroda.exe [315392 2022-05-27] (Dell) [File not signed]
Task: {F9E20B1B-6812-4B5B-BF47-FAFA4240CC9C} - System32\Tasks\ej2pnm\beycey\9w9z57\rtt1hu\5nm0sv\ji82zs\0px8mm\1gsb8h\g5j5qy\h98fef\ujthj3\kct4ut\eqzzzf\8al05d\3ukawl\k8y9ch\ly0wc1 => C:\Program Files (x86)\pushkin\Baroda.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhypn2be0be2btgbnhye2be0gn5gntgbnhy2pn7pnbeastgbnhypngjZmJpLltgbnhyc3ocXhRvU0tgbnhy0" (No File)
HKLM\...\StartupApproved\Run: => "Altarpiece"
HKLM\...\StartupApproved\Run: => "Peso"
HKLM\...\StartupApproved\Run32: => "Breakaways"
HKLM\...\StartupApproved\Run32: => "Kobler"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\StartupFolder: => "wombats.lnk"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "MicrosoftEdgeAutoLaunch_8CFE0D2E897E6F5DD7117E6C430C171E"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "Outsold"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "Typical"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "Carborundum"
HKU\S-1-5-21-466771246-433639398-4200461963-1001\...\StartupApproved\Run: => "Ephesus"
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
C:\Program Files (x86)\Sacrificed
C:\Program Files (x86)\pushkin
C:\Program Files (x86)\Calc
C:\Users\joshu\AppData\Local\Mcduff.exe
C:\Program Files (x86)\Blemished
C:\Users\joshu\AppData\Local\guido.exe
U4 Sense; no ImagePath
C:\Users\joshu\AppData\Local\Baroda.exe
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: bitsadmin /reset /allusers
cmd: ipconfig /flushdns
Removeproxy:
hosts:
Emptytemp:
End::
  • Click Fix
  • When completed the tool will create a Fixlog.txt file located in the same directory as FRST64.exe. Please copy and paste the contents of the file in your reply.
  • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request.
  • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Update on computer performance

Lord, to whom shall we go? You have the words of eternal life and we have believed and have come to know that you are the Holy One of God.
John 6:68-69

The Man on the Middle Cross Said I Could Come
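The fix script above is built from the FRST entries that stand out in the logs: Run keys and scheduled tasks pointing at unsigned binaries that claim a "Dell" publisher, entries whose target no longer exists on disk ("No File"), tasks buried under chains of random six-character folders, and command-line arguments stuffed with a repeated filler token. The following Python script is an added example, not part of this thread and not FRST's own code; it shows how a responder can triage lines of that shape automatically. The sample lines are constructed after the entries in the logs (the quoted argument is truncated and the task path shortened), and the "SecurityHealth" line is a made-up benign entry for contrast. The filler-token check reports the token only; it deliberately does not rebuild the padded value.

```python
"""Triage of FRST-style persistence entries (Run keys, scheduled tasks).

Added example: not part of the forum thread and not FRST's own code.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# HKLM\...\Run: [Name] => target ...   (also HKLM-x32\...\Run and HKU\<SID>\...\Run)
RUN_RE = re.compile(r'^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<rest>.*)$')
# Task: {GUID} - System32\Tasks\a\b\c => target ...
TASK_RE = re.compile(r'^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<taskpath>System32\\Tasks\\\S+) => (?P<rest>.*)$')
# First quoted argument; FRST truncates long values, so the closing quote may be missing.
QUOTED_ARG_RE = re.compile(r'"([^"\s]*)')
# Six lowercase alphanumerics: the shape of the generated task-folder names in the logs.
RANDOM_COMPONENT_RE = re.compile(r'^[a-z0-9]{6}$')
USER_WRITABLE = ('\\appdata\\local\\', '\\appdata\\roaming\\', '\\temp\\', '\\users\\public\\')


@dataclass
class Finding:
    kind: str            # "run" or "task"
    name: str            # Run value name or task GUID
    target: str          # executable path the entry launches
    reasons: list[str] = field(default_factory=list)


def target_of(rest: str) -> str:
    """Executable path: everything up to the first '.exe' followed by a space or end of line."""
    m = re.match(r'^(.*?\.exe)(?:\s|$)', rest, re.IGNORECASE)
    return m.group(1) if m else rest


def padded_argument(arg: str, width: int = 6, min_repeats: int = 5) -> str | None:
    """Return the filler token when one width-char substring dominates the argument."""
    if len(arg) < width * min_repeats:
        return None
    grams = Counter(arg[i:i + width] for i in range(len(arg) - width + 1))
    token, count = grams.most_common(1)[0]
    return token if count >= min_repeats else None


def randomized_task_path(taskpath: str, min_random: int = 5) -> bool:
    """True when the task sits under a deep chain of random six-character folders."""
    parts = taskpath.split('\\')[2:]  # drop 'System32' and 'Tasks'
    return sum(1 for p in parts if RANDOM_COMPONENT_RE.match(p)) >= min_random


def common_checks(f: Finding, rest: str) -> None:
    """Checks shared by Run-key and task entries; each hit appends a reason."""
    if '(No File)' in rest:
        f.reasons.append('target missing on disk (dangling entry)')
    pub = re.search(r'\(([^()]*)\) \[File not signed\]', rest)
    if pub:
        claim = pub.group(1)
        f.reasons.append(f'claims publisher "{claim}" but file is not signed' if claim
                         else 'unsigned, no publisher')
    arg = QUOTED_ARG_RE.search(rest)
    if arg and (token := padded_argument(arg.group(1))):
        f.reasons.append(f'argument padded with filler token "{token}"')
    if any(loc in f.target.lower() for loc in USER_WRITABLE):
        f.reasons.append('executable lives in a user-writable location')


def triage_line(line: str) -> Finding | None:
    """Parse one FRST line; returns None for lines that are not Run or Task entries."""
    line = line.strip()
    if m := RUN_RE.match(line):
        f = Finding('run', m['name'], target_of(m['rest']))
    elif m := TASK_RE.match(line):
        f = Finding('task', m['guid'], target_of(m['rest']))
        if randomized_task_path(m['taskpath']):
            f.reasons.append('randomized task path')
    else:
        return None
    common_checks(f, m['rest'])
    return f


def triage(lines) -> list[Finding]:
    """Findings that carry at least one reason; clean entries are dropped."""
    return [f for f in map(triage_line, lines) if f and f.reasons]


# Constructed sample modelled on the logs in this thread (argument truncated, task path shortened);
# the SecurityHealth line is a made-up benign entry for contrast.
SAMPLE_LINES = [
    r'HKLM\...\Run: [Altarpiece] => C:\Program Files (x86)\Calc\Mcduff.exe [315392 2022-05-27] (Dell) [File not signed]',
    r'HKLM\...\Run: [Peso] => C:\Program Files (x86)\Sacrificed\Mcduff.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy. (the data entry has 116 more characters). (No File)',
    r'Task: {95BF14C0-DC2B-4A81-B87F-7C01FD92CDAD} - System32\Tasks\66kzfz\nvm5df\ixxe6p\62t4nt\aoqs3g\zjraqo => C:\Users\joshu\AppData\Local\guido.exe [46184 2022-05-27] () [File not signed]',
    r'HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe [84688 2022-03-10] (Microsoft Windows -> Microsoft Corporation)',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'{f.kind:4} {f.name:40} {f.target}')
        for r in f.reasons:
            print(f'     - {r}')
```

Run against a full FRST.txt, the script lists every Run key and task that trips one of the heuristics, which is roughly the set the fix above removes; the benign SecurityHealth entry produces no finding because it is signed, present on disk, and lives under C:\Windows. The reasons are heuristics for a human to review, not a verdict.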

#5 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 62,343 posts
  • Gender:Male
  • Location:California

Posted 16 July 2022 - 12:11 PM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.


#6 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 62,343 posts
  • Gender:Male
  • Location:California

Posted 18 July 2022 - 09:09 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
