
Help request removing bittorrent client infection



MWB is blocking incoming traffic from IP addresses around the world (see below).
Happens on a very regular basis of about every 10 minutes.
Not related to the bittorrent traffic.
Stops when client (Deluge) is closed.

The client was not on my Protected Applications list until just now. After removing this infection, is there anything more I can do to prevent future infections while using this client? I only share files via the fully legal, non-pirate site dimeadozen.org.

78.188.67.250    Turkey
189.100.19.38    Brazil
62.103.29.27    Greece
91.98.155.80    Iran
197.51.100.50    Egypt
73.138.179.173    Miami, FL

Here's a typical report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/15/18
Protection Event Time: 9:12 PM
Log File: 3ac68934-e95e-11e8-b6fc-d8cb8a31a6f6.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.7867
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: 
IP Address: 1.34.55.127
Port: [56592]
Type: Inbound
File: C:\Program Files (x86)\Deluge\deluge.exe

(end)

Thank you!

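The report format quoted above is regular enough to aggregate, and aggregation is what separates the two situations a block like this can mean. The following is an added example, not code from the thread or from Malwarebytes: it parses a batch of such reports (constructed here in the quoted layout, using the IPs the poster listed plus one constructed outbound event for contrast), groups the blocks by the process involved, and applies a triage heuristic: inbound-only blocks on a single local port from many distinct remote addresses mean a listening application is being contacted by peers that sit on the reputation list, while any outbound block attributed to the same binary means the process itself reached out to a listed address, which is the case that calls for the full log review the helper asks for below. Field names come from the quoted report; the classification labels and the helper names are this example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: four Malwarebytes "Blocked Website" reports in the
# layout quoted in the thread (headers trimmed to the fields the parser reads).
# Three are inbound blocks against the torrent client from IPs the poster
# listed; the fourth is a constructed outbound block from a different binary
# (documentation-range address, reserved domain) so the classifier has a
# contrasting case.
SAMPLE_REPORTS = r"""
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/15/18
Protection Event Time: 9:12 PM

-Website Data-
Category: Trojan
Domain:
IP Address: 1.34.55.127
Port: [56592]
Type: Inbound
File: C:\Program Files (x86)\Deluge\deluge.exe

(end)

-Log Details-
Protection Event Date: 11/15/18
Protection Event Time: 9:22 PM

-Website Data-
Category: Trojan
Domain:
IP Address: 78.188.67.250
Port: [56592]
Type: Inbound
File: C:\Program Files (x86)\Deluge\deluge.exe

(end)

-Log Details-
Protection Event Date: 11/15/18
Protection Event Time: 9:31 PM

-Website Data-
Category: Trojan
Domain:
IP Address: 189.100.19.38
Port: [56592]
Type: Inbound
File: C:\Program Files (x86)\Deluge\deluge.exe

(end)

-Log Details-
Protection Event Date: 11/15/18
Protection Event Time: 9:40 PM

-Website Data-
Category: Trojan
Domain: example.invalid
IP Address: 203.0.113.10
Port: [443]
Type: Outbound
File: C:\Users\Someone\AppData\Local\Temp\updater.exe

(end)
"""

# One "Key: value" line per field; the key names are the ones in the report.
FIELD_RE = re.compile(
    r"^(Protection Event Date|Protection Event Time|Category|Domain|"
    r"IP Address|Port|Type|File): ?(.*)$",
    re.MULTILINE,
)


def parse_reports(text):
    """Split concatenated reports on '(end)' and read each block's fields.

    Blocks without an 'IP Address' field (the banner, trailing blank text)
    are skipped. 'Port' is returned without its square brackets.
    """
    events = []
    for block in text.split("(end)"):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(block)}
        if "IP Address" not in fields:
            continue
        fields["Port"] = fields.get("Port", "").strip("[]")
        events.append(fields)
    return events


def summarize_by_file(events):
    """Per blocked process: direction counts, distinct remote IPs, local ports."""
    summary = defaultdict(lambda: {"directions": Counter(), "ips": set(), "ports": set()})
    for e in events:
        s = summary[e["File"]]
        s["directions"][e["Type"]] += 1
        s["ips"].add(e["IP Address"])
        s["ports"].add(e["Port"])
    return dict(summary)


def classify(entry):
    """Triage heuristic (a reading aid, not a verdict) for one process's blocks.

    Any outbound block means the process initiated contact with a listed
    address: review the machine. Inbound-only blocks from several distinct
    peers on one local port fit a listening application being contacted by
    peers that happen to be on the reputation list.
    """
    if entry["directions"].get("Outbound", 0) > 0:
        return "outbound-from-process"
    if len(entry["ips"]) > 1 and len(entry["ports"]) == 1:
        return "inbound-to-listener"
    return "inbound-single-source"


def interval_minutes(events, file):
    """Gaps in minutes between consecutive blocks for one process (the poster
    noticed a roughly ten-minute cadence; this makes it measurable)."""
    times = sorted(
        datetime.strptime(
            f"{e['Protection Event Date']} {e['Protection Event Time']}", "%m/%d/%y %I:%M %p"
        )
        for e in events
        if e["File"] == file
    )
    return [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    evs = parse_reports(SAMPLE_REPORTS)
    for path, entry in summarize_by_file(evs).items():
        print(f"{classify(entry):24} {dict(entry['directions'])} {sorted(entry['ips'])} {path}")
```

Run it on the text of a folder of exported reports concatenated together; the per-process line is what you want to see before deciding whether the blocked binary needs investigating or the listening port needs reconsidering.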

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[image: attachlogs.png]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions.

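FRST.txt, the log the instructions above produce, runs to several hundred lines, and a helper reads it by looking for a few markers first. The following is an added example (not FRST's own code and not the helper's): a pass over the log that tracks the current section header and pulls out the lines a reviewer checks first: binaries FRST tags `[File not signed]`, entries whose publisher field is empty (`()` or `( )`), entries FRST marks `[X]` (file not found), a configured ProxyServer, and MountPoints2 autorun entries. The sample lines are constructed in the shape of entries from the log posted later in this thread, with paths shortened; the reason labels and function names are this example's own. Flagging is a reading aid rather than a verdict: vendor utilities often ship without version-info publisher or signature, so each flagged line is something to confirm, not something to remove.

```python
import re
from collections import Counter

# Constructed sample in the shape FRST writes to FRST.txt: section headers
# bracketed by '=' runs, then one entry per line with "[size date] (Publisher)"
# and optional trailing tags. Modelled on entries from the log in this thread.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8461528 2015-03-04] (Realtek Semiconductor)
HKLM-x32\...\Run: [Fast Boot] => C:\Program Files (x86)\MSI\Fast Boot\StartFastBoot.exe [764472 2012-09-19] ()
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-561414255-2582098021-515967562-1000\...\MountPoints2: {88cbccec-f18b-11e6-a38b-d8cb8a31a6f6} - J:\SETUP.EXE

==================== Internet (Whitelisted) ====================

ProxyServer: [S-1-5-21-561414255-2582098021-515967562-1000] => localhost:8080
Tcpip\Parameters: [DhcpNameServer] 208.201.224.11 208.201.224.33

==================== Services (Whitelisted) ====================

R2 lxdu_device; C:\Windows\system32\lxducoms.exe [1040552 2008-05-23] ( )
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6347056 2018-09-19] (Malwarebytes)
S3 wampapache64; c:\wamp\bin\apache\apache2.4.9\bin\httpd.exe [24576 2014-05-01] (Apache Software Foundation) [File not signed]
"""

# "==== Section Name ====" header lines.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Empty publisher field at end of line, optionally followed by one FRST tag.
EMPTY_PUBLISHER_RE = re.compile(r"\(\s*\)\s*(\[.*\])?$")


def review_points(frst_text):
    """Return (section, reason, line) for every line a reviewer should confirm.

    Reasons, in the order they are tested:
      unsigned binary               - FRST appended "[File not signed]"
      no publisher in version info  - publisher field is "()" or "( )"
      referenced file missing       - FRST appended "[X]"
      system proxy configured       - a ProxyServer entry exists
      removable-media autorun entry - a MountPoints2 entry exists
    """
    section = None
    points = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        reason = None
        if "[File not signed]" in line:
            reason = "unsigned binary"
        elif EMPTY_PUBLISHER_RE.search(line):
            reason = "no publisher in version info"
        elif line.endswith("[X]"):
            reason = "referenced file missing"
        elif line.startswith("ProxyServer:"):
            reason = "system proxy configured"
        elif "MountPoints2:" in line:
            reason = "removable-media autorun entry"
        if reason:
            points.append((section, reason, line))
    return points


def by_reason(points):
    """Count flagged lines per reason, for a quick overview of the log."""
    return Counter(reason for _, reason, _ in points)


if __name__ == "__main__":
    found = review_points(SAMPLE_FRST)
    for section, reason, line in found:
        print(f"[{section}] {reason}: {line}")
    print(dict(by_reason(found)))
```

Point it at a real FRST.txt by reading the file into `review_points`; the reviewer still reads the whole log, but the flagged lines are where to start.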

Thanks so much!


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15.11.2018
Ran by User Person (administrator) on LORD_MELKHOR (18-11-2018 18:22:19)
Running from E:\Vault\Computing\AntiVirus
Loaded Profiles: User Person &  (Available Profiles: User Person & Woman)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
( ) C:\Windows\System32\lxducoms.exe
() C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe
() C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe
(Micro-Star INT'L CO., LTD.) C:\Program Files (x86)\MSI\ECO Center\ECO_Service.exe
(MSI) C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe
(Micro-Star INT'L CO., LTD.) C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe
(MSI) C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe
(Nero AG) C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Micro-Star International) C:\MSI\Smart Utilities\SuperRAIDSvc.exe
() C:\Program Files\Touro Cloud Backup\Touro Cloud BackupCrawler.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(VIA Technologies, Inc.) C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe
() C:\Program Files\Ditto\Ditto.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Mozy, Inc.) C:\Program Files\MozyHome\mozystat.exe
(PFU LIMITED) C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
(MSI) C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe
(Dropbox, Inc.) C:\Users\User Person\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD15\PowerDVD15Agent.exe
(Power Software Ltd) C:\Program Files\PowerISO\PWRISOVM.EXE
(PFU LIMITED) C:\Program Files (x86)\PFU\ScanSnap\Driver\SSDriver\fi5110\SsWiaChecker.exe
(PFU Limited) C:\Program Files (x86)\PFU\ScanSnap\Update\SsUWatcher.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Dropbox, Inc.) C:\Users\User Person\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.17\GoogleCrashHandler.exe
(Dropbox, Inc.) C:\Users\User Person\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.17\GoogleCrashHandler64.exe
(Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Mozy, Inc.) C:\Program Files\MozyHome\mozybackup.exe
(Mozy, Inc.) C:\Program Files\MozyHome\mozybackup.exe
(Intel(R) Corporation) C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
(publicspace.net) C:\Program Files\Better File Rename\bfr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\Creator\FoxitProxyServer_Socket_RD.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(PFU Limited) C:\Program Files (x86)\PFU\ScanSnap\Update\ScanSnapUpdater.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) E:\Vault\Computing\AntiVirus\FarbarRecoveryScanTool64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8461528 2015-03-04] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [VIAxHCUtl] => C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe [331776 2011-07-12] (VIA Technologies, Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2014-06-26] (Intel Corporation)
HKLM-x32\...\Run: [Fast Boot] => C:\Program Files (x86)\MSI\Fast Boot\StartFastBoot.exe [764472 2012-09-19] ()
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [Super Charger] => C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe [1014736 2014-07-22] (MSI)
HKLM-x32\...\Run: [Command Center] => C:\Program Files (x86)\MSI\Command Center\StartCommandCenter.exe [797648 2015-03-27] (MSI)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PowerDVD15Agent] => C:\Program Files (x86)\CyberLink\PowerDVD15\PowerDVD15Agent.exe [949960 2015-08-03] (CyberLink Corp.)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files\PowerISO\PWRISOVM.EXE [455136 2018-02-28] (Power Software Ltd)
HKLM-x32\...\Run: [ScanSnap WIA Service Checker] => C:\Program Files (x86)\PFU\ScanSnap\Driver\SSDriver\fi5110\SsWiaChecker.exe [86016 2016-02-18] (PFU LIMITED)
HKLM-x32\...\Run: [ScanSnap OnlineUpdate Watcher] => C:\Program Files (x86)\PFU\ScanSnap\Update\SsUWatcher.exe [454144 2016-09-06] (PFU Limited)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [6788032 2018-04-20] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021256888\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
HKU\S-1-5-21-561414255-2582098021-515967562-1000\...\Run: [Ditto] => C:\Program Files\Ditto\Ditto.exe [2151424 2016-03-18] ()
HKU\S-1-5-21-561414255-2582098021-515967562-1000\...\Run: [Dropbox Update] => C:\Users\User Person\AppData\Local\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-20] (Dropbox, Inc.)
HKU\S-1-5-21-561414255-2582098021-515967562-1000\...\Run: [Skype for Desktop] => C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe [49802792 2018-10-10] (Skype Technologies S.A.)
HKU\S-1-5-21-561414255-2582098021-515967562-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_31_0_0_108_pepper.exe [1454592 2018-09-20] (Adobe Systems Incorporated)
HKU\S-1-5-21-561414255-2582098021-515967562-1000\...\Policies\system: [DisableLockWorkstation] 0
HKU\S-1-5-21-561414255-2582098021-515967562-1000\...\MountPoints2: {88cbccec-f18b-11e6-a38b-d8cb8a31a6f6} - J:\SETUP.EXE
HKU\S-1-5-21-561414255-2582098021-515967562-1000\...\MountPoints2: {9f59c585-218a-11e8-8d01-d8cb8a31a6f6} - J:\setup.exe
HKU\S-1-5-21-561414255-2582098021-515967562-1000\...\MountPoints2: {c49a3e73-192d-11e8-8e11-d8cb8a31a6f6} - J:\setup.exe
HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174\...\Run: [Ditto] => C:\Program Files\Ditto\Ditto.exe [2151424 2016-03-18] ()
HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174\...\Run: [Dropbox Update] => C:\Users\User Person\AppData\Local\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-20] (Dropbox, Inc.)
HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174\...\Run: [Skype for Desktop] => C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe [49802792 2018-10-10] (Skype Technologies S.A.)
HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_31_0_0_108_pepper.exe [1454592 2018-09-20] (Adobe Systems Incorporated)
HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174\...\Policies\system: [DisableLockWorkstation] 0
HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174\...\MountPoints2: {88cbccec-f18b-11e6-a38b-d8cb8a31a6f6} - J:\SETUP.EXE
HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174\...\MountPoints2: {9f59c585-218a-11e8-8d01-d8cb8a31a6f6} - J:\setup.exe
HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174\...\MountPoints2: {c49a3e73-192d-11e8-8e11-d8cb8a31a6f6} - J:\setup.exe
HKU\S-1-5-21-561414255-2582098021-515967562-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021259931\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-561414255-2582098021-515967562-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021259931\...\Policies\system: [DisableLockWorkstation] 0
HKU\S-1-5-21-561414255-2582098021-515967562-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021259931\...\MountPoints2: {b48cd715-dfe4-11e4-8ecf-806e6f6e6963} - D:\autorun.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2015-04-11]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk [2018-10-24]
ShortcutTarget: MozyHome Status.lnk -> C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScanSnap Manager.lnk [2018-08-19]
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\Users\User Person\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2018-11-07]
ShortcutTarget: Dropbox.lnk -> C:\Users\User Person\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\User Person\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2018-10-25]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-561414255-2582098021-515967562-1000] => localhost:8080
ProxyServer: [S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174] => localhost:8080
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 208.201.224.11 208.201.224.33
Tcpip\..\Interfaces\{37AE7312-3A1C-4504-8467-C7906C76AAD0}: [DhcpNameServer] 208.201.224.11 208.201.224.33
Tcpip\..\Interfaces\{986A0FBA-687D-461F-AE5B-B5F6578EA74B}: [DhcpNameServer] 10.13.0.1

Internet Explorer:
==================
HKU\S-1-5-21-561414255-2582098021-515967562-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021259931\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: jawrwtwm.default-1536634241555
FF ProfilePath: C:\Users\User Person\AppData\Roaming\Mozilla\Firefox\Profiles\jawrwtwm.default-1536634241555 [2018-11-18]
FF NetworkProxy: Mozilla\Firefox\Profiles\jawrwtwm.default-1536634241555 -> type", 0
FF Extension: (Ghostery – Privacy Ad Blocker) - C:\Users\User Person\AppData\Roaming\Mozilla\Firefox\Profiles\jawrwtwm.default-1536634241555\Extensions\firefox@ghostery.com.xpi [2018-09-11]
FF Extension: (Privacy Badger) - C:\Users\User Person\AppData\Roaming\Mozilla\Firefox\Profiles\jawrwtwm.default-1536634241555\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2018-10-04]
FF Extension: (Adblock Plus) - C:\Users\User Person\AppData\Roaming\Mozilla\Firefox\Profiles\jawrwtwm.default-1536634241555\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2018-11-14]
FF Extension: (Firefox Monitor) - C:\Users\User Person\AppData\Roaming\Mozilla\Firefox\Profiles\jawrwtwm.default-1536634241555\features\{d4cfdd58-a931-45ba-a58a-7d52e4712be5}\fxmonitor@mozilla.org.xpi [2018-11-16]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_26_0_0_151.dll [2017-08-31] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-28] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_26_0_0_151.dll [2017-08-31] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2018-09-19] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2018-09-19] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2018-09-19] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2018-09-19] (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.56 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-11-10] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-11-10] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2018-01-03] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2018-01-03] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-06-05] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-06-05] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=3.0.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=3.0.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-28] (Adobe Systems)
FF Plugin HKU\S-1-5-21-561414255-2582098021-515967562-1000: SkypeForBusinessPlugin-15.8 -> C:\Users\User Person\AppData\Local\Microsoft\SkypeForBusinessPlugin\15.8.20020.399\npGatewayNpapi.dll [2015-06-09] (Microsoft Corporation)
FF Plugin HKU\S-1-5-21-561414255-2582098021-515967562-1000: SkypeForBusinessPlugin64-15.8 -> C:\Users\User Person\AppData\Local\Microsoft\SkypeForBusinessPlugin\15.8.20020.399\npGatewayNpapi-x64.dll [2015-06-09] (Microsoft Corporation)
FF Plugin HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174: SkypeForBusinessPlugin-15.8 -> C:\Users\User Person\AppData\Local\Microsoft\SkypeForBusinessPlugin\15.8.20020.399\npGatewayNpapi.dll [2015-06-09] (Microsoft Corporation)
FF Plugin HKU\S-1-5-21-561414255-2582098021-515967562-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11172018021257174: SkypeForBusinessPlugin64-15.8 -> C:\Users\User Person\AppData\Local\Microsoft\SkypeForBusinessPlugin\15.8.20020.399\npGatewayNpapi-x64.dll [2015-06-09] (Microsoft Corporation)

Chrome: 
=======
CHR DefaultProfile: Default
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchKeyword: Default -> ssh
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default [2018-11-18]
CHR Extension: (Docs) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-14]
CHR Extension: (Google Drive) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-02]
CHR Extension: (Adblock Plus) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2018-11-16]
CHR Extension: (Google Search) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-30]
CHR Extension: (Google Docs Offline) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-08-19]
CHR Extension: (Download Master) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcceagdollnkjlogmdckgjakjapmkdjf [2016-04-16]
CHR Extension: (Ghostery – Privacy Ad Blocker) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2018-08-25]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-15]
CHR Extension: (Grateful Grabber) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\oaodbbeaklbdmjcghbkcfgmioafnjbfe [2018-10-21]
CHR Extension: (Gmail) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-11]
CHR Extension: (Chrome Media Router) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-10-23]
CHR Extension: (Secure Shell App) - C:\Users\User Person\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnhechapfaindjhompbnflcldabbghjo [2018-10-25]

Opera: 
=======
OPR Session Restore: -> is enabled.
OPR Extension: (Ghostery – Privacy Ad Blocker) - C:\Users\User Person\AppData\Roaming\Opera Software\Opera Stable\Extensions\bbkekonodcdmedgffkkbgmnnekbainbg [2018-08-26]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ExpressVpnService; C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe [339168 2018-02-07] ()
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2015-04-11] (Macrovision Europe Ltd.) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-13] (Intel(R) Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [132896 2014-11-10] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [158496 2014-11-10] (Intel Corporation)
R2 lxdu_device; C:\Windows\system32\lxducoms.exe [1040552 2008-05-23] ( )
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6347056 2018-09-19] (Malwarebytes)
S3 Media Center 19 Service; C:\Program Files (x86)\J River\Media Center 19\JRService.exe [397896 2014-08-12] (JRiver, Inc.)
R2 mozybackup; C:\Program Files\MozyHome\mozybackup.exe [53288 2017-06-01] (Mozy, Inc.)
S3 MSIBIOSData_CC; C:\Program Files (x86)\MSI\Command Center\BIOSData\MSIBIOSDataService.exe [2099712 2014-12-31] (MSI) [File not signed]
S3 MSIClock_CC; C:\Program Files (x86)\MSI\Command Center\ClockGen\MSIClockService.exe [4035024 2015-03-10] (MSI)
S3 MSICOMM_CC; C:\Program Files (x86)\MSI\Command Center\MSICommService.exe [2117632 2014-12-31] () [File not signed]
S3 MSICPU_CC; C:\Program Files (x86)\MSI\Command Center\CPU\MSICPUService.exe [4158976 2015-03-30] () [File not signed]
R2 MSICTL_CC; C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe [1992704 2015-01-29] () [File not signed]
S3 MSIDDR_CC; C:\Program Files (x86)\MSI\Command Center\DDR\MSIDDRService.exe [2249168 2015-03-10] ()
S3 MSISMB_CC; C:\Program Files (x86)\MSI\Command Center\SMBus\MSISMBService.exe [2063360 2014-12-31] () [File not signed]
S3 MSISuperIO_CC; C:\Program Files (x86)\MSI\Command Center\SuperIO\MSISuperIOService.exe [575488 2015-03-27] () [File not signed]
R2 MSI_ECOSERVICE; C:\Program Files (x86)\MSI\ECO Center\ECO_Service.exe [2266280 2015-03-27] (Micro-Star INT'L CO., LTD.)
R2 MSI_FastBoot; C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe [103992 2012-10-26] (MSI)
R2 MSI_LiveUpdate_Service; C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe [1736872 2015-04-29] (Micro-Star INT'L CO., LTD.)
R2 MSI_SuperCharger; C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe [162800 2014-03-17] (MSI)
R2 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [836904 2007-08-08] (Nero AG)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe [382248 2007-08-03] (Nero AG)
R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [522688 2018-03-14] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [522688 2018-03-14] (NVIDIA Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3892256 2018-04-20] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [3943664 2018-04-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [233712 2018-02-06] (Safer-Networking Ltd.)
R2 SuperRAIDSvc; C:\MSI\Smart Utilities\SuperRAIDSvc.exe [29648 2014-08-13] (Micro-Star International)
R2 Touro Cloud Backup Crawler; C:\Program Files\Touro Cloud Backup\Touro Cloud BackupCrawler.exe [2370656 2014-10-24] ()
S3 wampapache64; c:\wamp\bin\apache\apache2.4.9\bin\httpd.exe [24576 2014-05-01] (Apache Software Foundation) [File not signed]
S3 wampmysqld64; c:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe [12942848 2014-05-01] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 XTU3SERVICE; C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe [18384 2014-08-07] (Intel(R) Corporation)
R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000
R2 NvTelemetryContainer; "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe" -s NvTelemetryContainer -f "C:\ProgramData\NVIDIA\NvTelemetryContainer.log" -l 3 -d "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\plugins" -r

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AcpiCtlDrv; C:\Windows\System32\DRIVERS\AcpiCtlDrv.sys [25880 2012-07-17] (Intel Corporation)
S3 ampa; C:\Windows\system32\ampa.sys [17008 2013-12-18] () [File not signed]
S3 ampa; C:\Windows\SysWOW64\ampa.sys [17008 2013-12-18] () [File not signed]
S2 CDRPDACC; C:\Program Files (x86)\321Studios\Shared\CDRPDACC.SYS [5273 2003-10-28] (Arrowkey) [File not signed]
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [489752 2013-08-22] (Intel Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [152688 2018-10-27] (Malwarebytes)
S3 expressvpnsplittunnel; C:\Program Files (x86)\ExpressVpn SplitTunnel Driver\driver\expressvpnsplittunnel.sys [18800 2018-02-07] ()
R2 iocbios2; C:\Program Files (x86)\Intel\Extreme Tuning Utility\Drivers\IocDriver\64bit\iocbios2.sys [28912 2014-06-17] (Intel Corporation)
S3 jrvad_service; C:\Windows\System32\drivers\JRiverWDMDriver.sys [36872 2015-04-10] (JRiver, Inc.)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [198000 2018-10-27] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [119136 2018-11-16] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [63768 2018-11-16] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [260480 2018-11-16] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [101200 2018-11-18] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-11-10] (Intel Corporation)
R1 mozyMiniFilter; C:\Windows\System32\DRIVERS\mozyMiniFilter.sys [46824 2018-10-17] (Mozy, Inc.)
R3 NTIOLib_1_0_3; C:\Program Files (x86)\MSI\Super Charger\NTIOLib_X64.sys [13368 2012-10-25] (MSI)
R3 NTIOLib_1_0_4; C:\Program Files (x86)\MSI\Live Update\NTIOLib_X64.sys [14136 2010-10-22] (MSI)
R3 NTIOLib_ECO; C:\Program Files (x86)\MSI\ECO Center\NTIOLib_X64.sys [13808 2014-01-06] (MSI)
R3 NTIOLib_FastBoot; C:\Program Files (x86)\MSI\Fast Boot\NTIOLib_X64.sys [13368 2012-10-26] (MSI)
S3 NTIOLib_MSIClock_CC; C:\Program Files (x86)\MSI\Command Center\ClockGen\NTIOLib_X64.sys [13368 2012-11-20] (MSI)
S3 NTIOLib_MSICOMM_CC; C:\Program Files (x86)\MSI\Command Center\NTIOLib_X64.sys [13368 2012-11-19] (MSI)
S3 NTIOLib_MSICPU_CC; C:\Program Files (x86)\MSI\Command Center\CPU\NTIOLib_X64.sys [13368 2012-11-20] (MSI)
S3 NTIOLib_MSIDDR_CC; C:\Program Files (x86)\MSI\Command Center\DDR\NTIOLib_X64.sys [13368 2012-11-26] (MSI)
S3 NTIOLib_MSIFrequency_CC; C:\Program Files (x86)\MSI\Command Center\ClockGen\CPU_Frequency\NTIOLib_X64.sys [13368 2012-11-20] (MSI)
S3 NTIOLib_MSIRatio_CC; C:\Program Files (x86)\MSI\Command Center\CPU\CPU_Ratio\NTIOLib_X64.sys [13368 2012-11-20] (MSI)
S3 NTIOLib_MSISMB_CC; C:\Program Files (x86)\MSI\Command Center\SMBus\NTIOLib_X64.sys [13368 2012-11-19] (MSI)
S3 NTIOLib_MSISuperIO_CC; C:\Program Files (x86)\MSI\Command Center\SuperIO\NTIOLib_X64.sys [13368 2012-11-19] (MSI)
R3 NTIOLib_MSI_RAID; C:\MSI\Smart Utilities\NTIOLib_X64.sys [13808 2014-03-17] (MSI)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [31168 2018-03-14] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [59240 2017-12-14] (NVIDIA Corporation)
R3 nvvhci; C:\Windows\System32\DRIVERS\nvvhci.sys [57792 2018-01-03] (NVIDIA Corporation)
S3 RTCore64; C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [14024 2017-08-27] ()
S3 tapexpressvpn; C:\Windows\System32\DRIVERS\tapexpressvpn.sys [35696 2018-02-07] (The OpenVPN Project)
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [221696 2015-08-20] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [294912 2015-08-20] (VIA Technologies, Inc.)
R3 XtuAcpiDriver; C:\Windows\System32\DRIVERS\XtuAcpiDriver.sys [54344 2016-11-22] (Intel Corporation)
R2 {687703DE-DC6D-4649-892B-B8497854A6AB}; C:\Program Files (x86)\CyberLink\PowerDVD15\Common\NavFilter\000.fcl [29896 2015-08-02] (CyberLink Corp.)
U0 aswVmm; no ImagePath
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-11-18 18:22 - 2018-11-18 18:22 - 000000000 ____D C:\FRST
2018-11-16 22:04 - 2018-11-18 14:13 - 000101200 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-11-16 22:04 - 2018-11-16 22:04 - 000260480 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-11-16 22:04 - 2018-11-16 22:04 - 000119136 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-11-16 22:04 - 2018-11-16 22:04 - 000063768 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-11-15 21:13 - 2018-11-15 21:13 - 000006784 _____ C:\Users\User Person\AppData\Local\recently-used.xbel
2018-11-14 11:44 - 2018-11-14 11:44 - 000064014 _____ C:\Users\Woman\Documents\Person M Release 2.pdf
2018-11-14 10:01 - 2018-11-14 10:00 - 000063279 _____ C:\Users\Woman\Documents\ROI 111318 Dr Greene and Dr Avery.pdf
2018-11-14 10:00 - 2018-11-14 10:00 - 000000000 ____D C:\Users\Woman\AppData\Local\mbamtray
2018-11-12 23:51 - 2018-11-12 23:51 - 000001079 _____ C:\Users\Public\Desktop\Exact Audio Copy.lnk
2018-11-12 23:51 - 2018-11-12 23:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Exact Audio Copy
2018-11-12 23:51 - 2018-11-12 23:51 - 000000000 ____D C:\Program Files (x86)\Exact Audio Copy
2018-11-12 16:35 - 2018-11-12 17:04 - 790144260 _____ C:\Users\User Person\'Documenting the Grateful Dead Scene - 1988-1990'-208755423.mp4
2018-11-07 12:19 - 2018-11-07 12:19 - 000000000 ____D C:\Users\User Person\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2018-11-06 18:49 - 2018-11-06 17:49 - 000301486 _____ C:\Users\User Person\View from the summit of the Grand Teton, June 28, 2018-ndku7mmkdtw11.fdash-AUDIO-1.m4a
2018-11-06 18:48 - 2018-11-06 17:49 - 022026471 _____ C:\Users\User Person\View from the summit of the Grand Teton, June 28, 2018-ndku7mmkdtw11.fdash-VIDEO-4.mp4
2018-11-05 03:36 - 2014-02-19 19:54 - 053218764 _____ C:\Users\User Person\Haight Ashbury Grateful Dead Morning Dew-pu-y6rqV53g.mp4
2018-10-30 21:18 - 2018-10-30 21:18 - 000112541 _____ C:\Users\User Person\Downloads\English_CA_member_claim_form.pdf
2018-10-30 21:14 - 2018-10-30 21:14 - 000000000 ____D C:\ProgramData\Foxit Software
2018-10-30 21:13 - 2018-10-30 21:13 - 000000000 ____D C:\Users\Public\Foxit Software
2018-10-30 21:12 - 2018-10-30 21:14 - 000000000 ____D C:\Users\User Person\AppData\Roaming\Foxit Software
2018-10-30 21:12 - 2018-10-30 21:12 - 000000056 _____ C:\Users\Public\Documents\pre_fileassoc.tmp
2018-10-30 21:12 - 2018-10-30 21:12 - 000000000 ____D C:\Users\User Person\AppData\Roaming\Foxit AgentInformation
2018-10-30 21:12 - 2018-10-30 21:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Reader
2018-10-30 21:12 - 2018-10-30 21:12 - 000000000 ____D C:\ProgramData\Foxit ContentPlatform
2018-10-30 21:12 - 2018-10-30 21:12 - 000000000 ____D C:\Program Files (x86)\Foxit Software
2018-10-30 20:52 - 2018-10-30 20:54 - 069389880 _____ C:\Users\User Person\Downloads\FoxitReader93_Setup_Prom_IS.exe
2018-10-29 17:42 - 2015-01-20 02:16 - 010344144 _____ C:\Users\User Person\The Wallflowers and Jordan Zevon - Lawyers Guns and Money-9KdHuZXWxGo.mp4
2018-10-27 04:12 - 2018-10-27 04:12 - 000198000 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-10-24 16:18 - 2018-10-17 13:15 - 000046824 _____ (Mozy, Inc.) C:\Windows\system32\Drivers\mozyMiniFilter.sys
2018-10-20 14:51 - 2018-10-20 14:52 - 027870725 _____ C:\Users\User Person\Downloads\LibreCAD-Installer-2.1.3.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-11-18 18:20 - 2016-09-02 12:41 - 000000000 ____D C:\Users\User Person\AppData\Roaming\Ditto
2018-11-18 17:54 - 2015-07-12 10:58 - 000000934 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-561414255-2582098021-515967562-1000UA.job
2018-11-18 15:00 - 2015-02-02 18:24 - 000007588 _____ C:\Windows\mozy.blk
2018-11-18 15:00 - 2015-02-02 18:24 - 000000164 _____ C:\Windows\mozy.flt
2018-11-18 12:25 - 2018-03-03 18:15 - 000000000 ____D C:\ProgramData\NVIDIA
2018-11-18 11:54 - 2015-07-12 10:58 - 000000882 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-561414255-2582098021-515967562-1000Core.job
2018-11-18 03:59 - 2009-07-13 20:45 - 000013760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-11-18 03:59 - 2009-07-13 20:45 - 000013760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-11-18 02:00 - 2015-04-11 00:12 - 000000000 ____D C:\Users\User Person\AppData\Local\Adobe
2018-11-18 00:30 - 2016-11-24 12:11 - 000000000 ____D C:\Users\User Person\AppData\LocalLow\Mozilla
2018-11-17 02:15 - 2018-03-09 13:04 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2018-11-16 22:09 - 2009-07-13 21:13 - 000781790 _____ C:\Windows\system32\PerfStringBackup.INI
2018-11-16 22:09 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\inf
2018-11-16 22:03 - 2017-08-29 17:47 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-11-16 22:03 - 2015-04-10 06:17 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-11-16 22:03 - 2009-07-13 21:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-11-16 00:12 - 2015-07-10 12:28 - 000000000 ____D C:\Users\User Person\AppData\Roaming\Mp3tag
2018-11-15 04:37 - 2018-03-15 15:01 - 000000000 ____D C:\Users\User Person\AppData\Roaming\deluge
2018-11-14 22:02 - 2015-06-07 10:03 - 000114640 _____ C:\Users\Woman\AppData\Local\GDIPFONTCACHEV1.DAT
2018-11-14 10:00 - 2018-09-13 08:21 - 000000000 ____D C:\Users\Woman\AppData\Roaming\PFU
2018-11-14 10:00 - 2017-03-15 06:56 - 000000000 ____D C:\Users\Woman\AppData\Local\CrashDumps
2018-11-14 10:00 - 2015-06-07 10:03 - 000000000 ____D C:\Users\Woman
2018-11-14 01:17 - 2015-05-10 18:30 - 000000000 ____D C:\Users\User Person\AppData\Roaming\vlc
2018-11-14 01:14 - 2015-05-10 18:31 - 000000000 ____D C:\Users\User Person\AppData\Roaming\dvdcss
2018-11-14 00:47 - 2015-05-19 22:40 - 000000000 ____D C:\Users\User Person\AppData\Local\CrashDumps
2018-11-14 00:18 - 2015-07-14 20:25 - 000000000 ____D C:\Users\User Person\AppData\Roaming\VUPlayer
2018-11-13 13:43 - 2015-09-18 20:32 - 000757248 ___SH C:\Users\User Person\Thumbs.db
2018-11-12 17:04 - 2015-04-10 01:56 - 000000000 ____D C:\Users\User Person
2018-11-10 12:45 - 2018-06-27 20:27 - 000000000 ____D C:\Users\User Person\Desktop\Desktop Temp
2018-11-08 20:16 - 2015-04-12 21:53 - 000003852 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1428904412
2018-11-08 20:16 - 2015-04-12 21:52 - 000000000 ____D C:\Program Files (x86)\Opera
2018-11-07 12:19 - 2015-04-25 23:14 - 000000000 ____D C:\Users\User Person\AppData\Roaming\Dropbox
2018-11-06 00:03 - 2015-04-26 12:07 - 000000000 ___RD C:\Users\User Person\Dropbox
2018-11-05 10:54 - 2015-04-11 17:02 - 000000000 ____D C:\Users\User Person\AppData\Local\Microsoft Help
2018-10-27 04:12 - 2018-09-24 21:00 - 000152688 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2018-10-24 23:53 - 2018-09-21 16:34 - 000001315 _____ C:\Users\Public\Desktop\Skype.lnk
2018-10-24 23:53 - 2018-09-21 16:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2018-10-24 16:18 - 2018-09-20 18:01 - 000000000 ___SD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MozyHome
2018-10-24 16:18 - 2015-04-25 22:56 - 000000000 ____D C:\Program Files\MozyHome
2018-10-24 16:17 - 2016-03-18 14:57 - 000000000 ____D C:\ProgramData\Temp
2018-10-24 15:31 - 2015-04-10 02:42 - 000000000 ____D C:\Windows\system32\MRT
2018-10-24 15:28 - 2015-04-10 02:42 - 136745976 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-10-24 15:26 - 2015-04-10 02:02 - 000773912 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-10-21 15:05 - 2016-03-05 11:14 - 000000000 ____D C:\Users\User Person\AppData\Roaming\qBittorrent
2018-10-21 03:52 - 2018-09-10 16:41 - 000005226 _____ C:\Users\User Person\Desktop\Dime URLs.htm

==================== Files in the root of some directories =======

2018-01-16 15:57 - 2018-01-16 15:58 - 007852383 _____ () C:\Users\User Person\youtube-dl.2018-01-14.exe
2018-09-14 15:03 - 2018-09-14 15:03 - 007960960 _____ () C:\Users\User Person\youtube-dl.2018-09-10.exe
2018-09-14 15:03 - 2018-09-25 01:06 - 007963303 _____ () C:\Users\User Person\youtube-dl.exe
2015-04-11 15:12 - 2010-12-23 02:52 - 003574446 _____ (Mike Gieson                         ) C:\Program Files (x86)\Guitar Tuner.exe
2016-04-28 22:08 - 2016-04-28 22:08 - 000000100 _____ () C:\Users\User Person\AppData\Roaming\settings.xml
2016-03-18 14:40 - 2016-03-18 14:42 - 000000061 _____ () C:\Users\User Person\AppData\Local\DVDPATH.TXT
2015-05-15 00:20 - 2018-09-28 20:09 - 000000600 _____ () C:\Users\User Person\AppData\Local\PUTTY.RND
2018-11-15 21:13 - 2018-11-15 21:13 - 000006784 _____ () C:\Users\User Person\AppData\Local\recently-used.xbel
2017-02-25 12:13 - 2017-02-25 12:13 - 000000017 _____ () C:\Users\User Person\AppData\Local\resmon.resmoncfg
2016-04-16 18:23 - 2016-04-16 18:24 - 000000000 _____ () C:\Users\User Person\AppData\Local\{66FB254C-3DC3-46F7-AD42-8A375DF563EE}

Some files in TEMP:
====================
2014-03-25 03:22 - 2014-03-25 03:22 - 000398832 ____R (MSI) C:\Users\User Person\AppData\Local\Temp\AutoWifi.exe
2015-04-10 02:01 - 2010-12-30 19:07 - 000086880 ____R (Microsoft Corporation) C:\Users\User Person\AppData\Local\Temp\devcon64.exe
2010-03-16 06:11 - 2010-03-16 06:11 - 000149352 ____R (Microsoft Corporation) C:\Users\User Person\AppData\Local\Temp\ose00000.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-11-16 22:48

==================== End of FRST.txt ============================

Addition.txt


Hi,

FIREFOX SYNCING issue?
If Firefox still gives you problems and you are Syncing it with other Devices remove it.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.
<<<>>>

Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings


Restart the computer and let me know if the problem persists.


Hi,

The request on the Syncing issue was real. Often the MBAM reports are caused by Syncing.

This fix will reset your DNS.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please scan the file in bold at VirusTotal.
https://www.virustotal.com/#/home/upload
Find out whether it is compromised or not.

C:\Program Files (x86)\Deluge\deluge.exe
===
 

fixlist.txt

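Added example, not part of nasdaq's reply and not code from FRST or Malwarebytes: a PowerShell snippet that gathers what a VirusTotal lookup and a helper would want to know about the blocked binary before anything is uploaded (SHA-256, Authenticode status and signer, version resource, and which live processes run that image). The path is the one Malwarebytes reported on this page; the function name and output fields are my own, and the hashing is done through .NET so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: triage facts about the binary named in the Malwarebytes block report.
# Path taken from the Web Protection log in this thread; everything else is assumed.
$Target = 'C:\Program Files (x86)\Deluge\deluge.exe'

function Get-BinaryTriage {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $item = Get-Item -LiteralPath $Path

    # SHA-256 via .NET (Get-FileHash needs PowerShell 4+). Search VirusTotal by this hash
    # first: a file that is already analysed does not need to be uploaded at all.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try     { $digest = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    $hash = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''

    # Authenticode: 'Valid' with a recognisable publisher is strong evidence the file is
    # untampered; 'NotSigned' is normal for some open-source builds and is not a verdict by itself.
    $sig    = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # The reporter said the blocks stop when Deluge is closed, so list every process that
    # runs this image: a second, differently named process on the same file deserves a look.
    $running = @(Get-Process -ErrorAction SilentlyContinue |
                 Where-Object { $_.Path -eq $item.FullName } |
                 ForEach-Object { "$($_.ProcessName) (PID $($_.Id))" })
    $runningText = '(not running)'
    if ($running.Count -gt 0) { $runningText = $running -join ', ' }

    New-Object PSObject -Property @{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        LastWriteTime   = $item.LastWriteTime
        FileVersion     = $item.VersionInfo.FileVersion
        CompanyName     = $item.VersionInfo.CompanyName
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        RunningAs       = $runningText
        VirusTotalUrl   = "https://www.virustotal.com/gui/file/$hash"
    }
}

Get-BinaryTriage -Path $Target | Format-List
```

Compare the SHA-256 and version against the Deluge installer you originally downloaded; a mismatch on an unchanged install is the signal worth reporting back in the thread.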

Here's the log.  Didn't know it was going to overwrite my hosts file.  Not psyched about that, but I can restore most of what I had in there.  My last backup is from 2016. 

Couldn't I have just run ipconfig /flushdns instead?

Did this fix address the Firefox issue as well?

Thanks!

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15.11.2018
Ran by User Person (20-11-2018 23:49:09) Run:1
Running from E:\Vault\Computing\AntiVirus
Loaded Profiles: User Person &  (Available Profiles: User Person & Woman)
Boot Mode: Normal
==============================================

fixlist content:
*****************

Start
 
CreateRestorePoint:
CloseProcesses:
 
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: bitsadmin /reset /allusers
Hosts:

Reboot:
End

*****************

Restore point was successfully created.
Processes closed successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= IPCONFIG /release =========


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::5050:44bf:f529:5850%10
   Default Gateway . . . . . . . . . : 

Tunnel adapter isatap.{37AE7312-3A1C-4504-8467-C7906C76AAD0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Reusable ISATAP Interface {D57F9AEB-B43E-40B1-B666-6CA49782FE1E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

========= End of CMD: =========


========= IPCONFIG /renew =========


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : gateway.sonic.net
   Link-local IPv6 Address . . . . . : fe80::5050:44bf:f529:5850%10
   IPv4 Address. . . . . . . . . . . : 192.168.42.65
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.42.1

Tunnel adapter isatap.{37AE7312-3A1C-4504-8467-C7906C76AAD0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Reusable ISATAP Interface {D57F9AEB-B43E-40B1-B666-6CA49782FE1E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {5D62B2B2-2849-4443-8E2A-6F3933523207}.
0 out of 1 jobs canceled.

========= End of CMD: =========

Could not move "C:\Windows\System32\Drivers\etc\hosts" => Scheduled to move on reboot.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 21-11-2018 00:02:02)

C:\Windows\System32\Drivers\etc\hosts => Is moved successfully
Hosts restored successfully.

==== End of Fixlog 00:02:02 ====


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 


This topic is now closed to further replies.