
Windows Process Manager 32-bit eating CPU- App data folders un-accessible


nadnal

Hey there, I think I have the SmartService malware.

Is there any way I can skip the steps and get to the fixlist by replacing the folders to be fixed with the names of the specific folders in my App data?

I'm speaking of the folder names 'dsntgb' and the like that I do not have permission to access [despite being admin] and that are the file location for the Windows Process Managers that are eating up my CPU.

I only ask because my spare PC is at work, and my home PC is infected. 

Waiting a day to post logs would be an inconvenience when I think I'm tech literate enough to compensate.

Thanks!

Edited by nadnal

Hi nadnal :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

It isn't possible, no. The randomly named folders are of little concern, the "biggest" issue is the SmartService driver, that is randomly named, and so is the service that launches it. Without that information, we cannot put together a fixlist for you.


Great. 

Well, I have FRST on my flash drive, as well as a new windows boot from windows media creation tool. 

I'm aware of getting into WinRE as well as opening my flash drive [:I] and running the FRST.exe. 

Would the next concurrent step be to post the log file here in order to get my fixlist? and can I do that, and the following steps, from my infected pc?

Edited by nadnal

Hey, 

I have a laptop I can use when I get home as a clean spare pc, so everything should work out. 

I seem hasty because the spring semester started yesterday and having a home pc is critical. 

Take your time and get back to me when you can, I follow directions well. And I'm sorry if I seem impatient. 


To be honest, if you can get in the Windows RE, launch FRST and run a Scan, it'll be enough. FRST will remove the main SmartService entries, and from there, the clean-up is pretty straightforward.

SmartService disables access to the Advanced Boot Menu, which is used to access the Windows RE. Hence why for most users, I personally ask for FRST logs, and a fixlog (from a fixlist to restore access to the Advanced Boot Menu) before.

Edited by Aura

Gotcha, I'm totally in the dark as to how SmartService operates. 

I'll see what I can do when I get home [around 5pm EST] and I will promptly report back here. 

Thank you!

ps. Out of curiosity: FRST is run on the infected pc, the logs are reviewed, and then FRST is run again on the infected pc in order to grant access to WinRE - where FRST is run a third and final time?


Quote

ps. Out of curiosity: FRST is run on the infected pc, the logs are reviewed, and then FRST is run again on the infected pc in order to grant access to WinRE - where FRST is run a third and final time?

There are 2 possibilities:

1. FRST is run under a normal Windows boot, and two logs are gathered: FRST.txt and Addition.txt
2. A standard FRST fix (to restore access to the Windows RE, and gather some more information) is run under a normal Windows boot, and the fixlog.txt is gathered
3. A FRST fix is run from the Windows RE, using a fixlist created from the information of the FRST.txt, Addition.txt and fixlog.txt logs

OR

1. A FRST scan is run from the Windows RE, and the fixlog.txt is gathered afterwards to make sure that FRST removed SmartService properly.

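Both workflows above come down to a helper reading FRST.txt and Addition.txt for the entries that end up in a fixlist. As an added illustration, not code from FRST, Farbar or anyone in this thread, here is a small Python triage helper that scans FRST-style lines for the markers a helper typically looks at first: FRST's own "<==== ATTENTION" flags, services and drivers whose file is missing ("[X]") or unsigned, 32-hex-character random names, and processes without a publisher name running from AppData\Local. The sample lines are constructed in the format FRST writes, with values copied from the log posted later in this thread; the heuristics and the reason labels are my own assumptions, not FRST's logic, and the output is a reading aid, not a fixlist.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the format FRST writes, with values copied
# from the log in this thread. This is not a real FRST.txt file.
SAMPLE_FRST_LINES = r"""
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
() C:\Users\nadnal\AppData\Local\dsdtrgn\scehzap.exe
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Services\csrmxh <==== ATTENTION (Rootkit!)
S2 ab5d988e61f63d05b2ae52dff2836335; C:\Windows\ab5d988e61f63d05b2ae52dff2836335.dll [972288 2018-01-04] () [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S1 24c6e3dc6d6c7c7d1de0ff24f8051b3e; \??\C:\Windows\system32\drivers\24c6e3dc6d6c7c7d1de0ff24f8051b3e.sys [X]
R3 jmpswz; system32\drivers\pswzcf.sys [X]
S2 RunBooster; C:\Program Files\RunBooster\RunBoosterService64.exe [X] <==== ATTENTION
"""

ATTENTION_MARK = "<==== ATTENTION"
# Process lines look like "(Publisher) C:\path\file.exe"; FRST prints "()" when
# the binary carries no publisher name.
PROCESS_LINE = re.compile(r"^\((?P<publisher>.*?)\) (?P<path>[A-Za-z]:\\.+)$")
# Service and driver lines look like "R2 name; path [size date] (publisher) [flags]".
SERVICE_LINE = re.compile(r"^[RSU]\d (?P<name>[^;]+); (?P<rest>.+)$")
# Heuristic (my assumption): a bare 32-hex-digit name is worth a second look.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass(frozen=True)
class Finding:
    reason: str  # why the line was flagged (labels are this script's own)
    line: str    # the FRST line as written


def classify(line: str) -> list[str]:
    """Return the list of reasons a single FRST line deserves attention."""
    reasons = []
    if ATTENTION_MARK in line:
        reasons.append("flagged_by_frst")
    proc = PROCESS_LINE.match(line)
    if proc and proc.group("publisher") == "" and "\\AppData\\Local\\" in proc.group("path"):
        reasons.append("unsigned_process_in_appdata")
    svc = SERVICE_LINE.match(line)
    if svc:
        if "[File not signed]" in line:
            reasons.append("unsigned_service_binary")
        if " [X]" in line:
            reasons.append("service_file_missing")
        if HEX32.match(svc.group("name").strip()):
            reasons.append("hex_random_name")
    return reasons


def triage(text: str) -> list[Finding]:
    """Scan FRST-style text and collect one Finding per (reason, line) pair."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason in classify(line):
            findings.append(Finding(reason, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, so the noisiest category is visible first."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.reason] = counts.get(finding.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_FRST_LINES)
    for finding in results:
        print(f"{finding.reason:28} {finding.line}")
    print(summarize(results))
```

Run it against a saved FRST.txt by reading the file into `triage()` instead of the sample string. A line can carry several reasons (the RunBooster service above is both flagged by FRST and missing its file), which is usually the strongest signal that an entry belongs in the fixlist rather than a heuristic hit on its own.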

:[

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by nadnal (administrator) on DESKTOP-HC54M1G (09-01-2018 18:09:06)
Running from C:\Users\nadnal\Downloads
Loaded Profiles: nadnal (Available Profiles: nadnal & kd6-3.7)
Platform: Windows 10 Pro Version 1703 15063.786 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(TOSHIBA CORPORATION) C:\Windows\System32\tincouksvc.exe
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Windows\KMS-R@1n.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe
(Thalonet, Inc. (dba Haste)) C:\Program Files\Haste\Haste Esports Accelerator\UserEdgeService.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.257.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Intel) C:\Program Files (x86)\Intel Driver and Support Assistant\DSATray.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\ArxApplets\Discord\logitechg_discord.exe
() C:\Users\nadnal\AppData\Local\dsdtrgn\dsdtrgn.exe
() C:\Users\nadnal\AppData\Local\dsdtrgn\scehzap.exe
() C:\Users\nadnal\AppData\Local\dtkpmrl\iakhzgo.exe
() C:\Users\nadnal\AppData\Local\dsdtrgn\scehzap.exe
() C:\Users\nadnal\AppData\Local\dsdtrgn\scehzap.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIC.exe
() C:\Users\nadnal\AppData\Local\dsdtrgn\scehzap.exe
() C:\Users\nadnal\AppData\Local\dsdtrgn\scehzap.exe
() C:\Users\nadnal\AppData\Local\dsdtrgn\scehzap.exe
(Microsoft Corporation) C:\Windows\System32\SppExtComObj.Exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [17652344 2017-06-26] (Logitech Inc.)
HKLM\...\Run: [iTunesHelper] => "B:\iTunesHelper.exe"
HKLM\...\Run: [finks] => "C:\Program Files (x86)\Patentable\lemke.exe"
HKLM\...\Run: [finkspoor] => "C:\Program Files (x86)\anschutz\golly.exe"
HKLM\...\Run: [finksfinks] => "C:\Program Files (x86)\Stine\lemke.exe"
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [246120 2018-01-04] (AVAST Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKLM-x32\...\Run: [finances] => "C:\Program Files (x86)\Patentable\lemke.exe"
HKLM-x32\...\Run: [financesdendron] => "C:\Program Files (x86)\anschutz\golly.exe"
HKLM-x32\...\Run: [financesfinances] => "C:\Program Files (x86)\Stine\lemke.exe"
HKLM-x32\...\Run: [DSATray] => C:\Program Files (x86)\Intel Driver and Support Assistant\DsaTray.exe [131360 2017-12-19] (Intel)
HKLM-x32\...\Run: [WRSVC] => C:\Program Files (x86)\Webroot\WRSA.exe [1061680 2018-01-07] (Webroot)
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [Spotify] => C:\Users\nadnal\AppData\Roaming\Spotify\Spotify.exe [21070224 2017-12-30] (Spotify Ltd)
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [Steam] => "B:\steam\steam.exe" -silent
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [Speech Recognition] => C:\Windows\Speech\Common\sapisvr.exe [44032 2017-03-18] (Microsoft Corporation)
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [uTorrent] => C:\Users\nadnal\AppData\Roaming\uTorrent\uTorrent.exe [1981624 2017-12-28] (BitTorrent Inc.)
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [Haste] => C:\Program Files\Haste\Haste Esports Accelerator\Haste.exe [3228968 2017-12-06] (Thalonet, Inc. dba Haste)
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [Spotify Web Helper] => C:\Users\nadnal\AppData\Roaming\Spotify\SpotifyWebHelper.exe [780688 2017-12-30] (Spotify Ltd)
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [dendron] => "C:\Program Files (x86)\Patentable\lemke.exe"
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [dendronfinances] => "C:\Program Files (x86)\anschutz\golly.exe"
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [dendrondendron] => "C:\Program Files (x86)\Stine\lemke.exe"
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [poor] => "C:\Program Files (x86)\Patentable\lemke.exe"
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [poorfinks] => "C:\Program Files (x86)\anschutz\golly.exe"
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [poorpoor] => "C:\Program Files (x86)\Stine\lemke.exe"
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [lebrun] => "C:\Program Files (x86)\davydov\lebrun.exe"
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [perjure] => "C:\Program Files (x86)\Patentable\lemke.exe"
HKU\S-1-5-21-2196192277-3204217356-2237211829-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10249048 2017-12-13] (Piriform Ltd)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Universal Media Server.lnk [2017-07-17]
ShortcutTarget: Universal Media Server.lnk -> C:\Program Files (x86)\Universal Media Server\UMS.exe (No File)
Startup: C:\Users\nadnal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anatomic.lnk [2018-01-04]
ShortcutTarget: anatomic.lnk -> C:\Program Files (x86)\Patentable\lemke.exe (No File)
Startup: C:\Users\nadnal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anatomicanatomic.lnk [2018-01-04]
ShortcutTarget: anatomicanatomic.lnk -> C:\Program Files (x86)\anschutz\golly.exe (No File)
Startup: C:\Users\nadnal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Twitch.lnk [2017-09-22]
ShortcutTarget: Twitch.lnk -> C:\Users\nadnal\AppData\Roaming\Twitch\Bin\Twitch.exe (Twitch Interactive, Inc.)
GroupPolicy: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.200.1
Tcpip\..\Interfaces\{5af61b51-75dc-4543-864b-c4339a3afe95}: [NameServer] 82.163.143.174,82.163.142.176
Tcpip\..\Interfaces\{5af61b51-75dc-4543-864b-c4339a3afe95}: [DhcpNameServer] 192.168.200.1
Tcpip\..\Interfaces\{fed54187-62e6-11e7-bb79-806e6f6e6963}: [NameServer] 8.8.8.8

Internet Explorer:
==================
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files\Common Files\Webroot\WebFiltering\wrflt.dll [2018-01-07] (Webroot)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll [2017-12-09] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO-x32: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files (x86)\Common Files\Webroot\WebFiltering\wrflt.dll [2018-01-07] (Webroot)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-12-09] (Oracle Corporation)

FireFox:
========
FF DefaultProfile: zsbvht08.default
FF ProfilePath: C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default [2018-01-09]
FF Homepage: Mozilla\Firefox\Profiles\zsbvht08.default -> hxxps://www.google.com/
FF NewTabOverride: Mozilla\Firefox\Profiles\zsbvht08.default -> Enabled: "id":"{3c53fae8-7f6e-4c86-b595-43f97766b977
FF NewTabOverride: Mozilla\Firefox\Profiles\zsbvht08.default -> Disabled: newtaboverride@agenedia.com
FF Extension: (Dark Background and Light Text) - C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default\Extensions\jid1-QoFqdK4qzUfGWQ@jetpack.xpi [2017-11-15]
FF Extension: (Reddit Enhancement Suite) - C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default\Extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi [2017-11-14]
FF Extension: (New Tab Override) - C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default\Extensions\newtaboverride@agenedia.com.xpi [2017-12-12]
FF Extension: (Pioneer Enrollment) - C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default\Extensions\pioneer-enrollment-study@mozilla.org.xpi [2017-12-09] [Legacy]
FF Extension: (uBlock Origin) - C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default\Extensions\uBlock0@raymondhill.net.xpi [2017-12-15]
FF Extension: (Dark Mode) - C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default\Extensions\{174b2d58-b983-4501-ab4b-07e71203cb43}.xpi [2017-12-14]
FF Extension: (Black New Tab) - C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default\Extensions\{3c53fae8-7f6e-4c86-b595-43f97766b977}.xpi [2017-12-12]
FF Extension: (Stylish - Custom themes for any website) - C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default\Extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi [2017-12-12]
FF Extension: (Disable JavaScript Shared Memory) - C:\Users\nadnal\AppData\Roaming\Mozilla\Firefox\Profiles\zsbvht08.default\features\{7bf64db7-be77-49c4-b6cb-573d6ee3730e}\disable-js-shared-memory@mozilla.org.xpi [2018-01-05] [Legacy]
FF HKLM\...\Firefox\Extensions: [webrootsecure@webroot.com] - C:\ProgramData\WRData\PKG\FF_WEBEX
FF Extension: (Webroot Filtering Extension) - C:\ProgramData\WRData\PKG\FF_WEBEX [2018-01-07]
FF HKLM-x32\...\Firefox\Extensions: [webrootsecurewebextensions@webroot.com] - C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer
FF Extension: (Webroot Filtering Extension - XUL/XPCOM) - C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer [2018-01-07] [Legacy]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-12-09] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-12-09] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-10-27] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-10-27] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-01-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-01-07] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)

Chrome:
=======
CHR Profile: C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default [2018-01-08]
CHR Extension: (Slides) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-01-07]
CHR Extension: (Docs) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-01-07]
CHR Extension: (Google Drive) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-01-07]
CHR Extension: (YouTube) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-01-07]
CHR Extension: (Sheets) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-01-07]
CHR Extension: (Google Docs Offline) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-01-07]
CHR Extension: (Webroot Filtering Extension) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjeghcllfecehndceplomkocgfbklffd [2018-01-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-01-07]
CHR Extension: (Gmail) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-01-07]
CHR Extension: (Chrome Media Router) - C:\Users\nadnal\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-01-07]
CHR HKLM-x32\...\Chrome\Extension: [kjeghcllfecehndceplomkocgfbklffd] - hxxps://clients2.google.com/service/update2/crx

Opera:
=======
OPR StartupUrls:  "hxxp://reddit.com/"
OPR Extension: (Reddit Enhancement Suite) - C:\Users\nadnal\AppData\Roaming\Opera Software\Opera Stable\Extensions\gfdcmdcpehpkengmkhkbpifajmbhfgae [2017-09-22]
OPR Extension: (Dark Skin for Youtube™) - C:\Users\nadnal\AppData\Roaming\Opera Software\Opera Stable\Extensions\jmbefbhbhjgnjbegmnhmakmmldnfogcd [2017-08-29]
OPR Extension: (uBlock Origin) - C:\Users\nadnal\AppData\Roaming\Opera Software\Opera Stable\Extensions\kccohkcpppjjkkjppopfnflnebibpida [2018-01-04]
OPR Extension: (Adblock Plus) - C:\Users\nadnal\AppData\Roaming\Opera Software\Opera Stable\Extensions\oidhhegpmlfpoeialbgcdocjalghfpkp [2017-09-28]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

HKLM\SYSTEM\CurrentControlSet\Services\csrmxh <==== ATTENTION (Rootkit!)

S2 ab5d988e61f63d05b2ae52dff2836335; C:\Windows\ab5d988e61f63d05b2ae52dff2836335.dll [972288 2018-01-04] () [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
R2 HasteUEService; C:\Program Files\Haste\Haste Esports Accelerator\UserEdgeService.exe [1787688 2017-12-06] (Thalonet, Inc. (dba Haste))
R2 KMS-R@1n; C:\Windows\KMS-R@1n.exe [26112 2017-07-07] () [File not signed]
R2 LogiRegistryService; C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe [225400 2017-06-26] (Logitech Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2123104 2017-10-13] (Electronic Arts)
S2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [3002720 2017-10-13] (Electronic Arts)
R2 PlexUpdateService; C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe [1995240 2017-06-28] (Plex, Inc.)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [3913064 2017-03-18] (Microsoft Corporation)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\NisSrv.exe [356176 2017-12-07] (Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe [105792 2017-12-07] (Microsoft Corporation)
R2 WRSVC; C:\Program Files (x86)\Webroot\WRSA.exe [1061680 2018-01-07] (Webroot)
S2 gXuhN3YdrMJa Updater; C:\Program Files (x86)\gXuhN3YdrMJa Updater\gXuhN3YdrMJa Updater.exe [X]
R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000
S2 RunBooster; C:\Program Files\RunBooster\RunBoosterService64.exe [X] <==== ATTENTION
S3 wpscloudsvr; "B:\nadnal\Kingsoft Office\wpscloudsvr.exe" LocalService [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 amdgpio2; C:\Windows\System32\drivers\amdgpio2.sys [43400 2017-03-02] (Advanced Micro Devices, Inc)
R3 amdgpio3; C:\Windows\System32\drivers\amdgpio3.sys [33120 2017-05-12] (Advanced Micro Devices, Inc)
S3 amdkmcsp; C:\Windows\system32\DRIVERS\amdkmcsp.sys [95080 2017-06-12] (Advanced Micro Devices, Inc. )
R3 AMDPCIDev; C:\Windows\System32\drivers\AMDPCIDev.sys [31112 2017-10-10] (Advanced Micro Devices)
R1 amdpsp; C:\Windows\system32\DRIVERS\amdpsp.sys [239976 2017-06-12] (Advanced Micro Devices, Inc. )
U5 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [358672 2018-01-04] (AVAST Software)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
R2 LGCoreTemp; C:\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\lgcoretemp.sys [14184 2015-06-21] (Logitech)
R3 LGJoyXlCore; C:\Windows\system32\drivers\LGJoyXlCore.sys [67736 2017-06-26] (Logitech Inc.)
R0 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2018-01-07] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\DRIVERS\farflt.sys [110016 2018-01-09] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [46008 2018-01-09] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-09] (Malwarebytes)
S3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [94144 2018-01-08] (Malwarebytes)
R3 nvlddmkm; C:\Windows\System32\DriverStore\FileRepository\nv_ref_pubwu.inf_amd64_2e7fa54192fe16d0\nvlddmkm.sys [16936048 2017-11-09] (NVIDIA Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [604160 2017-03-18] (Realtek )
R3 ScpVBus; C:\Windows\System32\drivers\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
S3 SDFRd; C:\Windows\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
R3 VBAudioVACMME; C:\Windows\system32\DRIVERS\vbaudio_cable64_win7.sys [41192 2013-07-11] (Windows (R) Win 7 DDK provider)
S3 WdBoot; C:\Windows\system32\drivers\wd\WdBoot.sys [46072 2017-12-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\wd\WdFilter.sys [288848 2017-12-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [129616 2017-12-07] (Microsoft Corporation)
R2 WinDivert1.2; C:\Windows\system32\drivers\WinDivert64.sys [37552 2018-01-04] (Basil)
R0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [127760 2018-01-07] (Webroot)
R3 wrUrlFlt; C:\Windows\system32\DRIVERS\wrUrlFlt.sys [67024 2018-01-07] (Webroot)
S1 24c6e3dc6d6c7c7d1de0ff24f8051b3e; \??\C:\Windows\system32\drivers\24c6e3dc6d6c7c7d1de0ff24f8051b3e.sys [X]
R3 jmpswz; system32\drivers\pswzcf.sys [X]
S0 oWGJkjeP; System32\drivers\oWGJkjeP.sys [X]
S3 RivaTuner64; \??\C:\Users\nadnal\Desktop\zeldazelda\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [X]
U0 SR; no ImagePath
U2 srservice; no ImagePath
S0 UtvoBAwh; System32\drivers\UtvoBAwh.sys [X]
S3 wzcfjm; system32\drivers\cfimps.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-09 18:09 - 2018-01-09 18:09 - 000021530 _____ C:\Users\nadnal\Downloads\FRST.txt
2018-01-09 18:09 - 2018-01-09 18:09 - 000000000 ____D C:\FRST
2018-01-09 18:07 - 2018-01-09 18:07 - 002393088 _____ (Farbar) C:\Users\nadnal\Downloads\FRST64.exe
2018-01-09 17:03 - 2018-01-09 17:03 - 000142672 ____N C:\Windows\system32\Drivers\svrknqux.sys
2018-01-09 09:32 - 2018-01-09 09:33 - 000839996 _____ C:\Windows\Minidump\010918-455125-01.dmp
2018-01-09 09:32 - 2018-01-09 09:32 - 3639161408 _____ C:\Windows\MEMORY.DMP
2018-01-08 19:54 - 2018-01-08 20:30 - 000000000 ____D C:\Windows\system32\Drivers\wd
2018-01-07 18:47 - 2018-01-07 18:47 - 000127760 _____ (Webroot) C:\Windows\system32\Drivers\kFChCVAd.sys
2018-01-07 17:51 - 2018-01-07 17:51 - 000000202 _____ C:\Users\nadnal\Desktop\Deceit.url
2018-01-07 14:03 - 2018-01-07 14:03 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\Google
2018-01-07 12:48 - 2018-01-07 12:48 - 000003938 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-01-07 12:48 - 2018-01-07 12:48 - 000002872 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2018-01-07 12:48 - 2018-01-07 12:48 - 000002355 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-01-07 12:48 - 2018-01-07 12:48 - 000002343 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-01-07 12:48 - 2018-01-07 12:48 - 000000870 _____ C:\Users\Public\Desktop\CCleaner.lnk
2018-01-07 12:48 - 2018-01-07 12:48 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2018-01-07 12:48 - 2018-01-07 12:48 - 000000000 ____D C:\Program Files\CCleaner
2018-01-07 12:46 - 2018-01-07 13:22 - 000003416 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-01-07 12:46 - 2018-01-07 13:22 - 000003292 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-01-07 12:45 - 2018-01-07 12:56 - 000000000 ____D C:\Users\nadnal\AppData\Local\Google
2018-01-07 12:45 - 2018-01-07 12:48 - 000000000 ____D C:\Program Files (x86)\Google
2018-01-07 12:43 - 2018-01-07 12:43 - 011203696 _____ (Piriform Ltd) C:\Users\kd6-3.7\Desktop\ccsetup538pro.exe
2018-01-07 12:35 - 2018-01-07 13:20 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\CrashDumps
2018-01-07 12:35 - 2018-01-07 12:35 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\DBG
2018-01-07 11:48 - 2018-01-09 09:32 - 000000000 ____D C:\Windows\Minidump
2018-01-07 10:42 - 2018-01-07 10:42 - 000000000 ____D C:\Users\kd6-3.7\Documents\League of Legends
2018-01-07 10:42 - 2018-01-07 10:42 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\CEF
2018-01-07 10:35 - 2018-01-07 10:35 - 000127760 _____ (Webroot) C:\Windows\system32\Drivers\KKxlMcMc.sys
2018-01-07 10:24 - 2018-01-07 10:24 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\Comms
2018-01-07 10:21 - 2018-01-07 10:21 - 000003382 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2196192277-3204217356-2237211829-1002
2018-01-07 10:20 - 2018-01-07 10:21 - 000002380 _____ C:\Users\kd6-3.7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-01-07 10:20 - 2018-01-07 10:21 - 000000000 ___RD C:\Users\kd6-3.7\OneDrive
2018-01-07 10:16 - 2018-01-09 17:11 - 000182192 _____ (Webroot) C:\Windows\SysWOW64\WRusr.dll
2018-01-07 10:16 - 2018-01-09 17:11 - 000114672 _____ (Webroot) C:\Windows\system32\WRusr.dll
2018-01-07 10:16 - 2018-01-08 15:54 - 000000000 ____D C:\ProgramData\WRData
2018-01-07 10:16 - 2018-01-07 10:16 - 000127760 _____ (Webroot) C:\Windows\system32\Drivers\WRkrn.sys
2018-01-07 10:16 - 2018-01-07 10:16 - 000067024 ____T (Webroot) C:\Windows\system32\Drivers\wrUrlFlt.sys
2018-01-07 10:16 - 2018-01-07 10:16 - 000000000 ____D C:\Program Files\Common Files\Webroot
2018-01-07 10:16 - 2018-01-07 10:16 - 000000000 ____D C:\Program Files (x86)\Webroot
2018-01-07 10:15 - 2018-01-07 10:15 - 001061680 _____ (Webroot) C:\Users\kd6-3.7\Desktop\0cabcntme538f43b4315.exe
2018-01-07 10:13 - 2018-01-07 10:13 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\MicrosoftEdge
2018-01-07 10:08 - 2018-01-07 10:08 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\Logitech
2018-01-07 10:06 - 2018-01-07 12:35 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\Publishers
2018-01-07 10:05 - 2018-01-07 10:08 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\zargmvx
2018-01-07 10:05 - 2018-01-07 10:05 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\VirtualStore
2018-01-07 10:05 - 2018-01-07 10:05 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\cwhptdk
2018-01-07 10:04 - 2018-01-07 13:28 - 000000000 ____D C:\Users\kd6-3.7
2018-01-07 10:04 - 2018-01-07 12:35 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\Packages
2018-01-07 10:04 - 2018-01-07 10:04 - 000000020 ___SH C:\Users\kd6-3.7\ntuser.ini
2018-01-07 10:04 - 2018-01-07 10:04 - 000000000 ____D C:\Users\kd6-3.7\AppData\Roaming\Adobe
2018-01-07 10:04 - 2018-01-07 10:04 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\TileDataLayer
2018-01-07 10:04 - 2018-01-07 10:04 - 000000000 ____D C:\Users\kd6-3.7\AppData\Local\ConnectedDevicesPlatform
2018-01-07 08:06 - 2018-01-07 08:06 - 000039816 _____ C:\Windows\uninstaller.dat
2018-01-07 01:08 - 2018-01-09 17:12 - 000110016 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-01-07 01:08 - 2018-01-07 01:08 - 000001919 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-07 01:08 - 2018-01-07 01:08 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-07 01:08 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-01-07 01:07 - 2018-01-07 01:07 - 000000000 ____D C:\ProgramData\MB3CoreBackup
2018-01-07 00:54 - 2018-01-07 00:55 - 042151072 _____ (Microsoft Corporation) C:\Users\nadnal\Downloads\Windows-KB890830-x64-V5.55.exe
2018-01-06 23:37 - 2018-01-06 23:38 - 004468000 _____ (Microsoft Corporation) C:\Users\nadnal\Downloads\Setup.X86.en-us_O365ProPlusRetail_02711010-e0c1-49ad-882a-39a871f40fe2_TX_PR_b_64_.exe
2018-01-06 23:28 - 2018-01-06 23:40 - 000000000 ____D C:\AdwCleaner
2018-01-06 23:24 - 2018-01-06 23:24 - 008198432 _____ (Malwarebytes) C:\Users\nadnal\Downloads\adwcleaner_7.0.6.0.exe
2018-01-06 23:17 - 2018-01-09 17:12 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-01-06 23:17 - 2018-01-09 17:12 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-01-06 23:17 - 2018-01-08 19:56 - 000094144 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-01-06 23:17 - 2018-01-07 01:08 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-01-06 23:17 - 2018-01-07 01:08 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-06 23:17 - 2018-01-06 23:17 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-06 23:14 - 2018-01-06 23:16 - 083316440 _____ (Malwarebytes ) C:\Users\nadnal\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3374.exe
2018-01-06 23:07 - 2018-01-06 23:07 - 000000000 ____D C:\Windows\pss
2018-01-06 23:02 - 2018-01-06 23:02 - 000000000 ____D C:\Users\nadnal\AppData\Local\RadeonInstaller
2018-01-06 23:02 - 2018-01-06 23:02 - 000000000 ____D C:\Program Files\AMD
2018-01-06 23:02 - 2018-01-06 23:02 - 000000000 ____D C:\AMD
2018-01-06 22:59 - 2018-01-06 23:00 - 041035960 _____ (AMD Inc.) C:\Users\nadnal\Downloads\radeon-software-adrenalin-17.12.2-minimalsetup-171219_web.exe
2018-01-06 22:59 - 2018-01-06 23:00 - 000000000 ____D C:\Program Files (x86)\Intel Driver and Support Assistant
2018-01-06 22:59 - 2018-01-06 22:59 - 000003762 _____ C:\Windows\System32\Tasks\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132
2018-01-06 22:59 - 2018-01-06 22:59 - 000003528 _____ C:\Windows\System32\Tasks\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132-Logon
2018-01-06 22:59 - 2018-01-06 22:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel Driver and Support Assistant
2018-01-06 22:58 - 2018-01-06 22:59 - 000002690 _____ C:\Windows\System32\Tasks\USER_ESRV_SVC_QUEENCREEK
2018-01-06 22:58 - 2018-01-06 22:59 - 000000000 ____D C:\ProgramData\Intel
2018-01-06 22:58 - 2018-01-06 22:58 - 000000000 ____D C:\Program Files\Intel
2018-01-06 22:58 - 2017-12-07 23:29 - 000041512 _____ C:\Windows\system32\Drivers\semav6msr64.sys
2018-01-06 22:55 - 2018-01-06 22:57 - 013840800 _____ (Intel) C:\Users\nadnal\Downloads\Intel Driver and Support Assistant Installer.exe
2018-01-06 21:06 - 2018-01-09 17:03 - 085983232 _____ C:\Windows\system32\config\SOFTWARE
2018-01-06 13:01 - 2018-01-06 13:01 - 000625776 _____ C:\Users\nadnal\Downloads\JOI Alert Message.wav
2018-01-05 18:06 - 2018-01-06 23:57 - 000005554 _____ C:\Windows\system32\PerfStringBackup.TMP
2018-01-05 17:59 - 2018-01-05 17:59 - 000255904 _____ C:\Windows\system32\FNTCACHE.DAT
2018-01-05 04:10 - 2018-01-06 21:04 - 000000000 ____D C:\Windows\Microsoft Antimalware
2018-01-05 01:08 - 2018-01-05 01:08 - 000000000 ___SD C:\Windows\UpdateAssistantV2
2018-01-04 21:44 - 2018-01-08 08:35 - 000000000 ____D C:\Users\nadnal\AppData\LocalLow\uTorrent
2018-01-04 20:20 - 2018-01-04 20:20 - 000000000 ____D C:\Users\nadnal\AppData\Roaming\AVAST Software
2018-01-04 20:18 - 2018-01-04 20:18 - 000003994 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-01-04 20:18 - 2018-01-04 20:18 - 000001986 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Free Antivirus.lnk
2018-01-04 20:18 - 2018-01-04 20:18 - 000000000 ____D C:\Windows\System32\Tasks\Avast Software
2018-01-04 20:18 - 2018-01-04 20:18 - 000000000 ____D C:\ProgramData\SWCUTemp
2018-01-04 20:18 - 2018-01-04 20:18 - 000000000 ____D C:\Program Files\Common Files\Avast Software
2018-01-04 20:17 - 2018-01-04 20:17 - 001025176 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000457400 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000365680 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2018-01-04 20:17 - 2018-01-04 20:17 - 000358672 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000343768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000321512 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000204456 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000199448 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000185096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000149344 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHdsKe.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000146664 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000110336 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000084384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000057696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2018-01-04 20:17 - 2018-01-04 20:17 - 000046976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-01-04 20:12 - 2018-01-08 09:18 - 000000000 ____D C:\Users\nadnal\AppData\Local\vdowsue
2018-01-04 20:08 - 2018-01-04 20:08 - 000000000 ____D C:\Program Files\AVAST Software
2018-01-04 20:07 - 2018-01-04 20:07 - 001611944 _____ (Secure Download Ltd. ) C:\Users\nadnal\Downloads\KMSpico_patch
2018-01-04 20:06 - 2018-01-04 20:06 - 000037552 _____ (Basil) C:\Windows\system32\Drivers\WinDivert64.sys
2018-01-04 20:05 - 2018-01-09 18:07 - 000000000 ____D C:\Users\nadnal\AppData\Local\dsdtrgn
2018-01-04 20:05 - 2018-01-04 20:08 - 000000000 ____D C:\Users\nadnal\AppData\Local\dtkpmrl
2018-01-04 20:04 - 2018-01-09 17:11 - 002888192 _____ (TOSHIBA CORPORATION) C:\Windows\system32\tincouksvc.exe
2018-01-04 20:04 - 2018-01-04 20:04 - 000021604 _____ C:\Windows\System32\Tasks\gXuhN3YdrMJa
2018-01-04 20:04 - 2018-01-04 20:04 - 000000000 ____D C:\Windows\SysWOW64\msiwzex
2018-01-04 20:04 - 2018-01-04 20:04 - 000000000 ____D C:\Windows\system32\msiwzex
2018-01-04 20:04 - 2018-01-04 20:04 - 000000000 ____D C:\Users\nadnal\AppData\Roaming\et
2018-01-04 20:03 - 2018-01-04 20:03 - 000000020 _____ C:\Windows\b46026946
2018-01-04 20:02 - 2018-01-04 20:02 - 000972288 _____ C:\Windows\ab5d988e61f63d05b2ae52dff2836335.dll
2018-01-04 19:53 - 2018-01-04 19:53 - 000003396 _____ C:\Windows\System32\Tasks\AutoKMSCustom
2018-01-04 19:41 - 2018-01-04 21:58 - 000000000 ____D C:\Windows\KMSServerService
2018-01-04 19:30 - 2018-01-07 19:53 - 000000000 ____D C:\Windows\AutoKMS
2018-01-04 19:15 - 2018-01-04 19:15 - 000000000 ____D C:\ProgramData\Microsoft Toolkit
2018-01-01 20:22 - 2010-06-02 04:55 - 000518488 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2018-01-01 20:22 - 2010-06-02 04:55 - 000077656 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2018-01-01 20:22 - 2010-05-26 11:41 - 002526056 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2018-01-01 20:22 - 2010-05-26 11:41 - 002401112 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_43.dll
2018-01-01 20:22 - 2010-05-26 11:41 - 001907552 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_43.dll
2018-01-01 20:22 - 2010-05-26 11:41 - 000511328 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_43.dll
2018-01-01 20:22 - 2010-05-26 11:41 - 000276832 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2018-01-01 20:22 - 2010-02-04 10:01 - 000024920 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_7.dll
2018-01-01 20:22 - 2007-04-04 18:54 - 000107368 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_3.dll
2018-01-01 18:54 - 2018-01-01 18:54 - 000001443 _____ C:\Users\nadnal\Desktop\TheyAreBillions - Shortcut.lnk
2017-12-28 22:08 - 2017-12-28 22:08 - 000000000 ____D C:\Users\nadnal\AppData\LocalLow\League of Geeks
2017-12-28 16:31 - 2017-12-28 16:31 - 000000202 _____ C:\Users\nadnal\Desktop\Armello.url
2017-12-22 14:43 - 2017-12-22 15:18 - 1350501064 _____ C:\Users\nadnal\Downloads\【癒しBGM・作業用BGM】 ジブリオーケストラ メドレー Studio Ghibli Concert.mp4
2017-12-22 14:27 - 2017-12-22 14:34 - 277894037 _____ C:\Users\nadnal\Downloads\Studio Ghibli [Tributes Mix].mp4
2017-12-18 21:05 - 2017-12-18 21:09 - 073809754 _____ C:\Users\nadnal\Downloads\Vanilla - Origin (Full Album).mp4
2017-12-16 10:30 - 2017-12-16 10:40 - 270127857 _____ C:\Users\nadnal\Downloads\Lost in the future (Vaporwave - beats - electronic mix).mp4
2017-12-12 23:02 - 2017-12-12 23:02 - 000000000 ____D C:\Windows.old
2017-12-12 22:37 - 2017-11-29 22:33 - 001144728 _____ (Microsoft Corporation) C:\Windows\system32\hvix64.exe
2017-12-12 22:37 - 2017-11-29 22:33 - 001015704 _____ (Microsoft Corporation) C:\Windows\system32\hvax64.exe
2017-12-12 22:37 - 2017-11-29 22:33 - 000038808 _____ (Microsoft Corporation) C:\Windows\system32\OOBEUpdater.exe
2017-12-12 22:37 - 2017-11-29 22:29 - 008319384 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-12-12 22:37 - 2017-11-29 22:26 - 002647216 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-12-12 22:37 - 2017-11-29 22:24 - 000870896 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll
2017-12-12 22:37 - 2017-11-29 22:23 - 007910960 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Media.Protection.PlayReady.dll
2017-12-12 22:37 - 2017-11-29 22:23 - 001194248 _____ (Microsoft Corporation) C:\Windows\system32\mfnetcore.dll
2017-12-12 22:37 - 2017-11-29 22:00 - 002166808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-12-12 22:37 - 2017-11-29 21:59 - 023678464 _____ (Microsoft Corporation) C:\Windows\system32\edgehtml.dll
2017-12-12 22:37 - 2017-11-29 21:58 - 006763128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady.dll
2017-12-12 22:37 - 2017-11-29 21:58 - 000702032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winhttp.dll
2017-12-12 22:37 - 2017-11-29 21:57 - 001123968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfnetcore.dll
2017-12-12 22:37 - 2017-11-29 21:45 - 000119808 _____ (Microsoft Corporation) C:\Windows\system32\UserDataTimeUtil.dll
2017-12-12 22:37 - 2017-11-29 21:45 - 000002560 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-12-12 22:37 - 2017-11-29 21:44 - 023679488 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-12-12 22:37 - 2017-11-29 21:44 - 019334144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-12-12 22:37 - 2017-11-29 21:44 - 000171008 _____ (Microsoft Corporation) C:\Windows\system32\itss.dll
2017-12-12 22:37 - 2017-11-29 21:44 - 000110592 _____ (Microsoft Corporation) C:\Windows\system32\Chakradiag.dll
2017-12-12 22:37 - 2017-11-29 21:44 - 000042496 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vwifimp.sys
2017-12-12 22:37 - 2017-11-29 21:43 - 020511232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edgehtml.dll
2017-12-12 22:37 - 2017-11-29 21:43 - 000164352 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2017-12-12 22:37 - 2017-11-29 21:43 - 000095232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UserDataTimeUtil.dll
2017-12-12 22:37 - 2017-11-29 21:43 - 000002560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2017-12-12 22:37 - 2017-11-29 21:42 - 001878016 _____ (Microsoft Corporation) C:\Windows\system32\AzureSettingSyncProvider.dll
2017-12-12 22:37 - 2017-11-29 21:42 - 000560640 _____ (Microsoft Corporation) C:\Windows\system32\iprtrmgr.dll
2017-12-12 22:37 - 2017-11-29 21:42 - 000304640 _____ (Microsoft Corporation) C:\Windows\system32\dusmsvc.dll
2017-12-12 22:37 - 2017-11-29 21:42 - 000164352 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2017-12-12 22:37 - 2017-11-29 21:42 - 000148992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\itss.dll
2017-12-12 22:37 - 2017-11-29 21:42 - 000100864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msscript.ocx
2017-12-12 22:37 - 2017-11-29 21:42 - 000080896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakradiag.dll
2017-12-12 22:37 - 2017-11-29 21:41 - 000527360 _____ (Microsoft Corporation) C:\Windows\system32\aadcloudap.dll
2017-12-12 22:37 - 2017-11-29 21:41 - 000414720 _____ (Microsoft Corporation) C:\Windows\system32\provhandlers.dll
2017-12-12 22:37 - 2017-11-29 21:41 - 000225792 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-12-12 22:37 - 2017-11-29 21:41 - 000222208 _____ (Microsoft Corporation) C:\Windows\system32\scrobj.dll
2017-12-12 22:37 - 2017-11-29 21:41 - 000146944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
2017-12-12 22:37 - 2017-11-29 21:40 - 012803072 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-12-12 22:37 - 2017-11-29 21:40 - 000585216 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-12-12 22:37 - 2017-11-29 21:40 - 000528384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iprtrmgr.dll
2017-12-12 22:37 - 2017-11-29 21:40 - 000206336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrobj.dll
2017-12-12 22:37 - 2017-11-29 21:40 - 000143360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cscript.exe
2017-12-12 22:37 - 2017-11-29 21:39 - 011888640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-12-12 22:37 - 2017-11-29 21:39 - 003206656 _____ (Microsoft Corporation) C:\Windows\system32\Microsoft.Bluetooth.Profiles.Gatt.dll
2017-12-12 22:37 - 2017-11-29 21:39 - 002809344 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentServer.dll
2017-12-12 22:37 - 2017-11-29 21:39 - 000925696 _____ (Microsoft Corporation) C:\Windows\system32\WpcWebFilter.dll
2017-12-12 22:37 - 2017-11-29 21:38 - 008195584 _____ (Microsoft Corporation) C:\Windows\system32\Chakra.dll
2017-12-12 22:37 - 2017-11-29 21:38 - 001248768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AzureSettingSyncProvider.dll
2017-12-12 22:37 - 2017-11-29 21:38 - 000684544 _____ (Microsoft Corporation) C:\Windows\system32\usocore.dll
2017-12-12 22:37 - 2017-11-29 21:38 - 000636416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WpcWebFilter.dll
2017-12-12 22:37 - 2017-11-29 21:38 - 000497152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-12-12 22:37 - 2017-11-29 21:37 - 006252544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakra.dll
2017-12-12 22:37 - 2017-11-29 21:37 - 003306496 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-12-12 22:37 - 2017-11-29 21:37 - 002859520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-12-12 22:37 - 2017-11-29 21:37 - 001293824 _____ (Microsoft Corporation) C:\Windows\system32\aadtb.dll
2017-12-12 22:37 - 2017-11-29 21:36 - 005557760 _____ (Microsoft Corporation) C:\Windows\system32\dbgeng.dll
2017-12-12 22:37 - 2017-11-29 21:36 - 004726784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-12-12 22:37 - 2017-11-29 21:36 - 003652096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-12-12 22:37 - 2017-11-29 21:36 - 001802240 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-12-12 22:37 - 2017-11-29 21:36 - 001398784 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2017-12-12 22:37 - 2017-11-29 21:36 - 001019904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aadtb.dll
2017-12-12 22:37 - 2017-11-29 21:36 - 000755200 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-12-12 22:37 - 2017-11-29 21:36 - 000658432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-12-12 22:37 - 2017-11-29 21:35 - 001627136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-12-12 22:37 - 2017-11-29 21:34 - 004559360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dbgeng.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 002032536 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2017-12-12 22:37 - 2017-11-17 04:46 - 001578904 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 000821656 _____ (Microsoft Corporation) C:\Windows\system32\hvloader.exe
2017-12-12 22:37 - 2017-11-17 04:46 - 000678808 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 000613784 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 000612248 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 000484248 _____ (Microsoft Corporation) C:\Windows\system32\dcntel.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 000379288 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 000259992 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 000190360 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 000136088 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-12-12 22:37 - 2017-11-17 04:46 - 000067992 _____ (Microsoft Corporation) C:\Windows\system32\win32appinventorycsp.dll
2017-12-12 22:37 - 2017-11-17 04:46 - 000034712 _____ (Microsoft Corporation) C:\Windows\system32\DeviceCensus.exe
2017-12-12 22:37 - 2017-11-17 04:41 - 000503704 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2017-12-12 22:37 - 2017-11-17 04:39 - 005477088 _____ (Microsoft Corporation) C:\Windows\system32\OneCoreUAPCommonProxyStub.dll
2017-12-12 22:37 - 2017-11-17 04:39 - 000643200 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2017-12-12 22:37 - 2017-11-17 04:37 - 021353200 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2017-12-12 22:37 - 2017-11-17 04:31 - 000223640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aepic.dll
2017-12-12 22:37 - 2017-11-17 04:03 - 003668992 _____ (Microsoft Corporation) C:\Windows\system32\win32kfull.sys
2017-12-12 22:37 - 2017-11-17 04:00 - 002953216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32kfull.sys
2017-12-12 22:37 - 2017-11-17 03:59 - 000064512 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2017-12-12 22:37 - 2017-11-17 03:56 - 000757248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdiWiFi.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-09 18:06 - 2017-11-14 16:12 - 000000000 ____D C:\Users\nadnal\AppData\LocalLow\Mozilla
2018-01-09 18:05 - 2017-07-07 01:36 - 000000000 ____D C:\Windows\system32\SleepStudy
2018-01-09 17:37 - 2017-03-18 15:51 - 000000000 ____D C:\Windows\CbsTemp
2018-01-09 17:11 - 2017-07-07 11:30 - 000000000 ____D C:\ProgramData\NVIDIA
2018-01-09 17:11 - 2017-07-07 01:37 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-09 17:03 - 2017-03-18 06:40 - 067371008 _____ C:\Windows\system32\config\HARDWARE
2018-01-09 16:54 - 2017-03-18 06:40 - 001572864 _____ C:\Windows\system32\config\BBI
2018-01-09 09:20 - 2017-07-07 11:44 - 000000000 ____D C:\Users\nadnal\AppData\Local\Battle.net
2018-01-09 06:24 - 2017-03-18 16:03 - 000000000 ___HD C:\Program Files\WindowsApps
2018-01-09 06:24 - 2017-03-18 16:03 - 000000000 ____D C:\Windows\AppReadiness
2018-01-08 21:33 - 2017-07-07 11:59 - 000000000 ____D C:\Program Files (x86)\Blizzard App
2018-01-08 19:55 - 2017-03-18 06:40 - 000032768 _____ C:\Windows\system32\config\ELAM
2018-01-08 19:53 - 2017-07-07 02:01 - 000000000 ____D C:\Users\nadnal
2018-01-08 19:17 - 2017-07-07 20:36 - 000000000 ____D C:\Users\nadnal\AppData\Roaming\uTorrent
2018-01-07 22:50 - 2017-07-31 22:07 - 000000000 ____D C:\Users\nadnal\AppData\Roaming\vlc
2018-01-07 21:12 - 2017-08-31 17:53 - 000000000 ____D C:\Users\nadnal\Desktop\August=September
2018-01-07 13:21 - 2017-07-08 23:45 - 000000000 ____D C:\Users\nadnal\AppData\Local\CrashDumps
2018-01-07 13:21 - 2017-07-07 02:36 - 000000000 ____D C:\Windows\Panther
2018-01-07 13:21 - 2017-03-18 16:03 - 000000000 ____D C:\Windows\LiveKernelReports
2018-01-07 13:21 - 2017-03-18 16:01 - 000000000 ____D C:\Windows\INF
2018-01-07 10:05 - 2017-07-07 02:02 - 000000000 __RHD C:\Users\Public\AccountPictures
2018-01-07 00:56 - 2017-10-10 19:00 - 133326408 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2018-01-07 00:55 - 2017-07-07 13:11 - 133326408 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-01-06 22:58 - 2017-07-10 18:45 - 000000000 ____D C:\ProgramData\Package Cache
2018-01-05 18:29 - 2017-09-22 18:19 - 000000000 ____D C:\Users\nadnal\AppData\Roaming\Twitch
2018-01-05 01:08 - 2017-03-18 16:03 - 000000000 ____D C:\Windows\system32\oobe
2018-01-04 21:49 - 2017-07-28 23:27 - 000000410 __RSH C:\ProgramData\ntuser.pol
2018-01-04 21:00 - 2017-11-14 16:12 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-04 20:18 - 2017-07-08 11:11 - 000061304 _____ () C:\Windows\system32\Drivers\lpsport.sys
2018-01-04 20:17 - 2017-07-08 10:59 - 000000000 ____D C:\ProgramData\AVAST Software
2018-01-04 20:06 - 2017-11-14 16:12 - 000001012 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2018-01-04 20:06 - 2017-11-14 16:12 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-01-03 00:50 - 2017-07-10 19:41 - 000000000 ____D C:\Users\nadnal\AppData\Local\Spotify
2018-01-02 19:54 - 2017-07-10 19:39 - 000000000 ____D C:\Users\nadnal\AppData\Roaming\Spotify
2018-01-01 17:36 - 2017-07-10 19:20 - 000000000 ____D C:\Users\nadnal\Documents\My Games
2017-12-26 16:28 - 2017-07-07 11:22 - 000004214 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1499444529
2017-12-26 16:28 - 2017-07-07 11:22 - 000001384 _____ C:\Users\nadnal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk
2017-12-20 23:35 - 2017-09-14 01:20 - 000835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-12-20 23:35 - 2017-09-14 01:20 - 000177648 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-12-17 19:37 - 2017-08-17 17:26 - 000000000 ____D C:\Users\nadnal\AppData\Local\HearthstoneDeckTracker
2017-12-17 19:37 - 2017-08-17 17:18 - 000000000 ____D C:\Users\nadnal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HearthSim
2017-12-17 19:37 - 2017-08-05 14:48 - 000000000 ____D C:\Users\nadnal\AppData\Local\SquirrelTemp
2017-12-16 10:43 - 2017-08-05 14:48 - 000000000 ____D C:\Users\nadnal\AppData\Roaming\discord
2017-12-14 06:27 - 2017-07-07 02:01 - 000000000 ____D C:\Users\nadnal\AppData\Local\Packages
2017-12-13 10:03 - 2017-07-07 13:11 - 000000000 ____D C:\Windows\system32\MRT
2017-12-13 09:48 - 2017-11-15 21:32 - 000034293 _____ C:\Windows\diagwrn.xml
2017-12-13 09:48 - 2017-11-15 21:32 - 000034293 _____ C:\Windows\diagerr.xml
2017-12-13 08:51 - 2017-09-29 10:05 - 000000000 ___HD C:\$WINDOWS.~BT
2017-12-13 08:51 - 2017-03-18 16:03 - 000000000 ____D C:\Windows\registration
2017-12-11 18:23 - 2017-08-05 14:48 - 000000000 ____D C:\Users\nadnal\AppData\Local\Discord
2017-12-10 12:18 - 2017-08-17 17:18 - 000000000 ____D C:\Users\nadnal\AppData\Roaming\HearthstoneDeckTracker

==================== Files in the root of some directories =======

2017-09-28 15:11 - 2017-09-28 15:11 - 001065984 _____ () C:\Users\nadnal\AppData\Local\file__0.localstorage
2017-09-22 16:40 - 2017-09-22 16:40 - 000007595 _____ () C:\Users\nadnal\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\svrknqux.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION

LastRegBack: 2018-01-03 02:52

==================== End of FRST.txt ============================

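Added example for readers working through a log like the one above; it is not part of FRST, of the thread, or of Aura's fix. It is a small Python triage script that parses lines in the shape FRST prints (file entries, and the "Bamital & volsnap" verification lines) and pulls out the three things a helper usually looks at first: entries FRST itself marked with ATTENTION, everything created within a few minutes of a known-suspicious entry (a timeline pivot, here on the dsdtrgn folder from the log), and executables under C:\Windows whose version info carries no company name. The line format, the function names and the heuristics are the editor's assumptions; the sample log is constructed from a subset of lines quoted on this page. Flagged entries are a review queue for the helper, not a verdict.

```python
"""Triage helper for an FRST.txt log (added example; not part of FRST or of this thread).

Assumes (hypothetically) that the log uses the line shapes quoted above:
  file entry   : "<created> - <modified> - <size> <attrs> [(Vendor)] <path>"
  verification : "<path> => File is digitally signed"
                 "<path> -> MD5 = <hash> (0-byte MD5) <======= ATTENTION"
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str              # FRST attribute column, e.g. "____D" for a folder
    vendor: Optional[str]   # None when no "(Vendor)" field was printed, "" for "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_entries(text: str) -> List[Entry]:
    """Parse every file/folder line; headers, notes and verification lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(
                created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                size=int(m["size"]),
                attrs=m["attrs"],
                vendor=m["vendor"],
                path=m["path"],
            ))
    return entries


def verification_failures(text: str) -> List[str]:
    """Paths in the 'Bamital & volsnap' section that FRST flagged instead of marking signed."""
    return [line.split(" -> ", 1)[0].strip()
            for line in text.splitlines()
            if " -> " in line and ("ATTENTION" in line or "0-byte MD5" in line)]


def created_near(entries: List[Entry], pivot_path: str, minutes: int = 5) -> List[Entry]:
    """Timeline pivot: everything created within +/- `minutes` of a known-suspicious entry."""
    pivot = next(e for e in entries if e.path.lower() == pivot_path.lower())
    window = timedelta(minutes=minutes)
    hits = [e for e in entries
            if e.path != pivot.path and abs(e.created - pivot.created) <= window]
    return sorted(hits, key=lambda e: e.created)   # stable: same-minute order is kept


def unattributed_windows_binaries(entries: List[Entry]) -> List[Entry]:
    """Executables under C:\\Windows with no company name in their version info.
    Legitimate files can lack one too, so this is a review queue, not a verdict."""
    return [e for e in entries
            if not e.is_dir
            and e.path.lower().startswith("c:\\windows\\")
            and e.path.lower().endswith((".exe", ".dll", ".sys"))
            and not e.vendor]


# Constructed sample: a subset of the lines quoted in the thread above.
SAMPLE_LOG = r"""
==================== One Month Created files and folders ========
2018-01-07 10:16 - 2018-01-07 10:16 - 000127760 _____ (Webroot) C:\Windows\system32\Drivers\WRkrn.sys
2018-01-04 20:12 - 2018-01-08 09:18 - 000000000 ____D C:\Users\nadnal\AppData\Local\vdowsue
2018-01-04 20:08 - 2018-01-04 20:08 - 000000000 ____D C:\Program Files\AVAST Software
2018-01-04 20:06 - 2018-01-04 20:06 - 000037552 _____ (Basil) C:\Windows\system32\Drivers\WinDivert64.sys
2018-01-04 20:05 - 2018-01-09 18:07 - 000000000 ____D C:\Users\nadnal\AppData\Local\dsdtrgn
2018-01-04 20:05 - 2018-01-04 20:08 - 000000000 ____D C:\Users\nadnal\AppData\Local\dtkpmrl
2018-01-04 20:04 - 2018-01-09 17:11 - 002888192 _____ (TOSHIBA CORPORATION) C:\Windows\system32\tincouksvc.exe
2018-01-04 20:04 - 2018-01-04 20:04 - 000021604 _____ C:\Windows\System32\Tasks\gXuhN3YdrMJa
2018-01-04 20:04 - 2018-01-04 20:04 - 000000000 ____D C:\Windows\system32\msiwzex
2018-01-04 20:03 - 2018-01-04 20:03 - 000000020 _____ C:\Windows\b46026946
2018-01-04 20:02 - 2018-01-04 20:02 - 000972288 _____ C:\Windows\ab5d988e61f63d05b2ae52dff2836335.dll
2018-01-04 20:18 - 2017-07-08 11:11 - 000061304 _____ () C:\Windows\system32\Drivers\lpsport.sys

==================== Bamital & volsnap ======================
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\svrknqux.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
"""


def triage(text: str, pivot_path: str) -> dict:
    """Run all three checks and return plain path lists, one per check."""
    entries = parse_entries(text)
    return {
        "verification_failures": verification_failures(text),
        "created_near_pivot": [e.path for e in created_near(entries, pivot_path)],
        "unattributed_binaries": [e.path for e in unattributed_windows_binaries(entries)],
    }


if __name__ == "__main__":
    for check, paths in triage(SAMPLE_LOG, r"C:\Users\nadnal\AppData\Local\dsdtrgn").items():
        print(f"[{check}]")
        for p in paths:
            print("   ", p)
```

On the sample, the pivot window around dsdtrgn (20:05, plus or minus five minutes) returns the cluster from 20:02 to 20:08, the verification check returns the zero-byte svrknqux.sys line FRST already marked, and the unattributed-binary check returns two files, one of which (lpsport.sys) predates the window by months, which is exactly the kind of candidate a helper would read alongside the timeline before deciding anything.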

It doesn't seem like it, and I don't want to risk getting the flashdrive dirty.

Shift and restarts were a no, F12 is busted, F9 brought me into systems as normal so I can change my fan speed if that helps.

I've never had to deal with cutting edge malware like this and it's terrible to be up against an information wall and not be able to figure it out myself.




Alright. Launch FRST and copy/paste the following inside the text area. Once done, click on the Fix button. A log called fixlog.txt should appear on your desktop afterwards. Attach it here.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers
End::

 


For the next part, you'll need to download the FRST executable and fixlist.txt on a clean computer, and move them onto your USB Flash Drive. That USB can only be inserted in the infected computer if it is either shut down, or in the Windows RE. Otherwise, the infection will mess with the files on the USB and you'll have to restart.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:

  • USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
  • Another computer (optional: only needed if you cannot work from the infected computer directly)

Preparing the USB Flash Drive

  • Download the right version of FRST for your system:
  • Move the executable (FRST.exe or FRST64.exe) onto your USB Flash Drive
  • Download the attached fixlist.txt, and move it onto your USB Flash Drive as well

Boot in the Recovery Environment

  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.

Once in the command prompt

  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Fix button and wait for the scan to complete
  • A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply

fixlist.txt


Boot in the Recovery Environment

  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer

 


Should this be in a different order?

As well as I'm not able to get into WinRE.

But I'll email the fixlist to myself and put it on my clean flash when I get to my work computer.

Thank you


It is in a different order, hence why I specified it at the beginning.

Quote

That USB can only be inserted in the infected computer if it is either shutdown, or in the Windows RE. Otherwise, the infection will mess with the files on the USB and you'll have to restart.

 


You'll be able to access the Windows RE now because of the FRST fix we ran, yes. And just plug in the USB that has FRST and the fixlist on the infected computer only when it is either shut down, or in the Windows RE.


"yet" 

Don't be impatient and don't be self-concerned. Be grateful that someone cares to help.

This is what late stage capitalism gets you, by the way, all powerful corporations that don't do stuff until it may affect their bottom dollar, leaving consumers like you and me out to dry because we don't matter today or tomorrow or until the problem gets big enough that it can't be ignored.


1 hour ago, CO79 said:

Can somebody tell me why the "AntiVirus" People did not come up with a solution for this "advanced" malware yet, and why users have to do it manually?

Malwarebytes is the only company that is keeping tabs on SmartService as far as I know.

