
I think I need help removing an Adware virus identified by Bitdefender. I tried to delete it, but it seems to come back; also, I can't seem to enter the temp folder.

There are quite a few but this is one of them.

"Item was blocked. Threat name: Adware.Dealply.1.Gen. Path C:\Windows\Temp\tmp000001f6\tmp00001367."

I really hope someone could assist me.

IMG20200530234459.jpg

Hello Reef and welcome to malwarebytes....

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

or,

https://downloads.malwarebytes.com/file/mb4_offline

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Export to Txt - if selected, you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach to reply

     
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....


Hiya Reef,

You can still extract the log from Malwarebytes that shows what was removed:

Open Malwarebytes..

  • Click on the History box > History tab
  • Double click on the Scan which shows the applicable Date and time..
  • Click Export > From export you have two options: >

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach to reply
     

  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…

Next,

I also need the secondary log from FRST "addition.txt" Check C:\Frst\Logs

Thanks,

Kevin

Edited by kevinf80
typing error


I'm very sorry, but I don't think I can use "Copy To Clipboard"; my suspicion is that it is too long. I tried it twice and it says error 504. Again, sorry for the inconvenience.

Malware3.txt


Oh sorry I forgot.


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-05-2020 01
Ran by User (31-05-2020 20:53:25)
Running from C:\Users\User\Downloads
Windows 10 Pro Version 1909 18363.836 (X64) (2019-11-13 08:16:54)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3758651894-3439947011-3621728283-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3758651894-3439947011-3621728283-503 - Limited - Disabled)
Guest (S-1-5-21-3758651894-3439947011-3621728283-501 - Limited - Disabled)
User (S-1-5-21-3758651894-3439947011-3621728283-1001 - Administrator - Enabled) => C:\Users\User
WDAGUtilityAccount (S-1-5-21-3758651894-3439947011-3621728283-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AMD Software (HKLM\...\AMD Catalyst Install Manager) (Version: 19.10.16 - Advanced Micro Devices, Inc.)
Apex Legends (HKLM-x32\...\{D7FBF176-382D-484E-863A-DFD1124A2A1C}) (Version: 1.0.3.8 - Electronic Arts, Inc.)
APP Shop v1.0.46 (HKLM-x32\...\{90242E9B-BC60-46E3-8EE7-8E953F702280}_is1) (Version: 1.0.46 - ASRock Inc.)
Balanced (HKLM-x32\...\{0EA45DD4-A825-420C-AFED-C659EFE3B84F}) (Version: 4.00.0000 - Advanced Micro Devices, Inc.) Hidden
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Bitdefender Agent (HKLM\...\Bitdefender Agent) (Version: 100.0.1 - Bitdefender)
Bitdefender Antivirus Free (HKLM\...\{1FCCF41D-5F00-4FE2-9653-162D0486C8B4}) (Version: 1.0.17.178 - Bitdefender)
Call of Duty Modern Warfare (HKLM-x32\...\Call of Duty Modern Warfare) (Version:  - Blizzard Entertainment)
Discord (HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\Discord) (Version: 0.0.306 - Discord Inc.)
Epic Games Launcher (HKLM-x32\...\{1D4EB18B-0FEE-444E-B4D1-6F2CFBC363E6}) (Version: 1.1.267.0 - Epic Games, Inc.)
Epic Games Launcher Prerequisites (x64) (HKLM\...\{66C5838F-B854-4A55-89E6-A6138747A4DF}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Futuremark SystemInfo (HKLM-x32\...\{9266535B-CFD6-4696-A167-4D68ED5AD303}) (Version: 5.27.826.0 - Futuremark)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 83.0.4103.61 - Google LLC)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.35.451 - Google LLC) Hidden
Grand Theft Auto V (HKLM-x32\...\{5EFC6C07-6B87-43FC-9524-F9E967241741}) (Version: 1.0.1868.1 - Rockstar Games)
Heaven Benchmark version 4.0 (HKLM-x32\...\Unigine Heaven Benchmark (Basic Edition)_is1) (Version: 4.0 - Unigine Corp.)
Java 8 Update 251 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180251F0}) (Version: 8.0.2510.8 - Oracle Corporation)
Kinect for Windows Speech Recognition Language Pack (en-AU) (HKLM-x32\...\{48CEC0A3-AE10-4EE3-AC62-76D3D58792E5}) (Version: 11.0.7400.336 - Microsoft Corporation)
Kinect for Windows Speech Recognition Language Pack (en-CA) (HKLM-x32\...\{9C5505DA-F9C1-46CB-9F8F-AC38F8EA518A}) (Version: 11.0.7400.336 - Microsoft Corporation)
Kinect for Windows Speech Recognition Language Pack (en-GB) (HKLM-x32\...\{A0186231-0A8B-455A-8A25-B64AABCC11A6}) (Version: 11.0.7400.336 - Microsoft Corporation)
Kinect for Windows Speech Recognition Language Pack (en-IE) (HKLM-x32\...\{998D5259-3BED-4710-98FF-D63387B5429E}) (Version: 11.0.7400.336 - Microsoft Corporation)
Kinect for Windows Speech Recognition Language Pack (en-NZ) (HKLM-x32\...\{07FC9CAD-FCEC-4186-BB83-EF7CCC9372BA}) (Version: 11.0.7400.336 - Microsoft Corporation)
Kinect for Windows Speech Recognition Language Pack (en-US) (HKLM-x32\...\{8AAA44BB-487E-4D01-AF76-484ACB90DBFE}) (Version: 11.0.7400.336 - Microsoft Corporation)
Launcher Prerequisites (x64) (HKLM-x32\...\{c6c5a357-c7ca-4a5f-9789-3bb1af579253}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Logitech Gaming Software 5.10 (HKLM\...\{1444D2EE-C7AD-44A8-844F-2634B49353D1}) (Version: 5.10.127 - Logitech)
Malwarebytes version 4.1.0.56 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.1.0.56 - Malwarebytes)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.1.1.102 - McAfee, LLC)
Microsoft OneDrive (HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\OneDriveSetup.exe) (Version: 20.064.0329.0008 - Microsoft Corporation)
Microsoft Server Speech Platform Runtime (x64) (HKLM\...\{3B433087-E62E-4BF5-97F9-4AF6E1C2409C}) (Version: 11.0.7400.345 - Microsoft Corporation)
Microsoft Server Speech Recognition Language - TELE (en-IN) (HKLM-x32\...\{3B06AC90-DE68-44A9-95EB-0A3C1AF1514F}) (Version: 11.0.7400.335 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.22.27821 (HKLM-x32\...\{6361b579-2795-4886-b2a8-53d5239b6452}) (Version: 14.22.27821.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.22.27821 (HKLM-x32\...\{5bfc1380-fd35-4b85-9715-7351535d077e}) (Version: 14.22.27821.0 - Microsoft Corporation)
MSI Afterburner 4.6.2 (HKLM-x32\...\Afterburner) (Version: 4.6.2 - MSI Co., LTD)
NVAPI Monitor plugin for NvContainer (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NvContainer.NvapiMonitor) (Version: 1.19 - NVIDIA Corporation) Hidden
NVIDIA GeForce Experience 3.20.3.63 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.20.3.63 - NVIDIA Corporation)
NVIDIA Graphics Driver 446.14 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 446.14 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.38.26 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.38.26 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.19.0218 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.19.0218 - NVIDIA Corporation)
NVIDIA USBC Driver 1.38.831.832 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_USBC) (Version: 1.38.831.832 - NVIDIA Corporation)
OEM Application Profile (HKLM-x32\...\{84AD2AF7-10C8-0395-66F9-FFAEB4C5DBF1}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
OpenIV (HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\OpenIV) (Version: 4.0.1401 - .black/OpenIV Team)
Origin (HKLM-x32\...\Origin) (Version: 10.5.70.40362 - Electronic Arts, Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 10.35.510.2019 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.8730.1 - Realtek Semiconductor Corp.)
RivaTuner Statistics Server 7.2.3 (HKLM-x32\...\RTSS) (Version: 7.2.3 - Unwinder)
Roblox Player for User (HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\roblox-player) (Version:  - Roblox Corporation)
Rockstar Games Launcher (HKLM-x32\...\Rockstar Games Launcher) (Version: 1.0.23.252 - Rockstar Games)
Rockstar Games Social Club (HKLM-x32\...\Rockstar Games Social Club) (Version: 2.0.5.5 - Rockstar Games)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TechPowerUp GPU-Z (HKLM-x32\...\{8B0F211E-5846-4FB2-B0B9-4EB31546FDF9}}_is1) (Version:  - TechPowerUp)
WhatsApp (HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\WhatsApp) (Version: 2.2019.8 - WhatsApp)
WinRAR 5.90 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.90.0 - win.rar GmbH)

Packages:
=========
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2020-05-11] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2020-05-11] (Microsoft Corporation) [MS Ad]
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.7.5012.0_x64__8wekyb3d8bbwe [2020-05-11] (Microsoft Studios) [MS Ad]
MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_4.36.20714.0_x64__8wekyb3d8bbwe [2020-05-11] (Microsoft Corporation) [MS Ad]
MusicBee -> C:\Program Files\WindowsApps\50072StevenMayall.MusicBee_3.3.6.0_x86__kcr266et74avj [2020-05-16] (Steven Mayall)
NVIDIA Control Panel -> C:\Program Files\WindowsApps\NVIDIACorp.NVIDIAControlPanel_8.1.956.0_x64__56jybvy8sckqj [2019-11-13] (NVIDIA Corp.)
Realtek Audio Control -> C:\Program Files\WindowsApps\RealtekSemiconductorCorp.RealtekAudioControl_1.3.183.0_x64__dt26b99r8h8gj [2020-05-12] (Realtek Semiconductor Corp)
WiFi Analyzer -> C:\Program Files\WindowsApps\19965MATTHAFNER.WIFIANALYZER_2.6.1.0_x64__gs5k5vmxr2ste [2020-05-20] (Matt Hafner)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2020-03-26] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2020-03-26] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2020-05-30] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_d5216eae94436d77\nvshext.dll [2020-05-19] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2020-05-30] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2020-03-26] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2020-03-26] (win.rar GmbH -> Alexander Roshal)

==================== Codecs (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Drivers32: [VIDC.RTV1] => C:\Windows\system32\rtvcvfw64.dll [246272 2012-09-29] () [File not signed]
HKLM\...\Drivers32: [VIDC.RTV1] => C:\Windows\SysWOW64\rtvcvfw32.dll [247296 2012-09-29] () [File not signed]

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2020-05-16 17:10 - 2020-05-16 17:10 - 000034392 _____ ((: JOBnik! :) [Arthur Aminov, ISRAEL]) [File not signed] C:\Program Files\WindowsApps\50072StevenMayall.MusicBee_3.3.6.0_x86__kcr266et74avj\win32\bass_fx.dll
2020-05-16 17:10 - 2020-05-16 17:10 - 000101376 _____ () [File not signed] C:\Program Files\WindowsApps\50072StevenMayall.MusicBee_3.3.6.0_x86__kcr266et74avj\win32\MusicBeeBass.dll
2020-05-12 14:37 - 2020-05-12 14:37 - 001655296 _____ (Microsoft Corporation) [File not signed] C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_8444db7d32915e4c\MFC80U.DLL
2020-05-12 14:37 - 2020-05-12 14:37 - 000047104 _____ (Microsoft Corporation) [File not signed] C:\Windows\WinSxS\amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_bc1d1e5b0be08790\MFC80ENU.DLL
2020-05-13 12:03 - 2020-05-20 19:46 - 001282048 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files (x86)\Origin\LIBEAY32.dll
2020-05-13 12:03 - 2020-05-20 19:46 - 000279040 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files (x86)\Origin\ssleay32.dll
2020-05-13 12:03 - 2020-05-20 19:46 - 001611264 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\platforms\qwindows.dll
2020-05-20 19:46 - 2020-05-20 19:46 - 005487104 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Core.dll
2020-05-20 19:46 - 2020-05-20 19:46 - 005841920 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Gui.dll
2020-05-20 19:46 - 2020-05-20 19:46 - 001179136 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Network.dll
2020-05-20 19:46 - 2020-05-20 19:46 - 000146432 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5WebSockets.dll
2020-05-20 19:46 - 2020-05-20 19:46 - 005089792 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Widgets.dll
2020-05-20 19:46 - 2020-05-20 19:46 - 000184832 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Xml.dll
2020-05-16 17:10 - 2020-05-16 17:10 - 000127669 _____ (Un4seen Developments) [File not signed] C:\Program Files\WindowsApps\50072StevenMayall.MusicBee_3.3.6.0_x86__kcr266et74avj\win32\bass.dll
2020-05-16 17:10 - 2020-05-16 17:10 - 000019478 _____ (Un4seen Developments) [File not signed] C:\Program Files\WindowsApps\50072StevenMayall.MusicBee_3.3.6.0_x86__kcr266et74avj\win32\basscd.dll
2020-05-16 17:10 - 2020-05-16 17:10 - 000020700 _____ (Un4seen Developments) [File not signed] C:\Program Files\WindowsApps\50072StevenMayall.MusicBee_3.3.6.0_x86__kcr266et74avj\win32\bassmix.dll
2020-05-16 17:10 - 2020-05-16 17:10 - 000012166 _____ (Un4seen Developments) [File not signed] C:\Program Files\WindowsApps\50072StevenMayall.MusicBee_3.3.6.0_x86__kcr266et74avj\win32\basswasapi.dll

==================== Alternate Data Streams (Whitelisted) ========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [486]
AlternateDataStreams: C:\Users\User\ntuser.ini:NTV [12524]

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer trusted/restricted ==========

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-03-19 12:49 - 2020-05-31 15:02 - 000002103 _____ C:\Windows\system32\drivers\etc\hosts
0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
0.0.0.0 media.opencandy.com
0.0.0.0 cdn.opencandy.com
0.0.0.0 tracking.opencandy.com
0.0.0.0 api.opencandy.com
0.0.0.0 api.recommendedsw.com
0.0.0.0 rp.yefeneri2.com
0.0.0.0 os.yefeneri2.com
0.0.0.0 os2.yefeneri2.com
0.0.0.0 installer.betterinstaller.com
0.0.0.0 installer.filebulldog.com
0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
0.0.0.0 inno.bisrv.com
0.0.0.0 nsis.bisrv.com
0.0.0.0 cdn.file2desktop.com
0.0.0.0 cdn.goateastcach.us
0.0.0.0 cdn.guttastatdk.us
0.0.0.0 cdn.inskinmedia.com
0.0.0.0 cdn.insta.oibundles2.com
0.0.0.0 cdn.insta.playbryte.com
0.0.0.0 cdn.llogetfastcach.us
0.0.0.0 cdn.montiera.com
0.0.0.0 cdn.msdwnld.com
0.0.0.0 cdn.mypcbackup.com
0.0.0.0 cdn.ppdownload.com
0.0.0.0 cdn.riceateastcach.us
0.0.0.0 cdn.shyapotato.us
0.0.0.0 cdn.solimba.com
0.0.0.0 cdn.tuto4pc.com

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR;;
HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\User\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppBackground\yifei-liu-nRvwpCrw5Ks-unsplash.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\StartupApproved\Run: => "Battle.net"
HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\StartupApproved\Run: => "AvastBrowserAutoLaunch_DD3B34B51295CA4CE249213732CEC2F8"
HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\StartupApproved\Run: => "Steam"
HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\StartupApproved\Run: => "Discord"
HKU\S-1-5-21-3758651894-3439947011-3621728283-1001\...\StartupApproved\Run: => "EADM"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{1E5E5DE0-0F55-4B64-9264-677EBCEB7AD1}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{37B265F8-B4AF-4131-9400-700A5E81AFFC}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{6A5BCA24-4384-45DD-A491-56FF0BC10FE9}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{0C8F7A60-B7A1-41FD-8185-48809A76E777}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{B76A6A17-45AA-4B1A-A10C-7A7E2997DEFB}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{EBD5BF65-AD83-4423-9355-21A75BEB844F}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{7306B2E1-269D-4606-AB81-A50331DB1825}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe (Valve -> Valve Corporation)
FirewallRules: [{EC6AF571-342D-4C10-B2B7-351EBC82C08B}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe (Valve -> Valve Corporation)
FirewallRules: [{01BFA2B9-5414-41D8-92A0-EFE002178701}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{3B885614-3D27-421A-85B7-6BE1AC0DBBD1}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{402AEADF-569A-4F31-BE17-022C9719B25F}] => (Allow) G:\SteamLibrary\steamapps\common\F1 2018\F1_2018.exe (Codemasters Software Company Limited) [File not signed]
FirewallRules: [{7B6CBB3B-11F0-4251-9B7F-9C18C91C204B}] => (Allow) G:\SteamLibrary\steamapps\common\F1 2018\F1_2018.exe (Codemasters Software Company Limited) [File not signed]
FirewallRules: [TCP Query User{21AA0480-064B-476D-8447-DAA240AB16FD}G:\games\battle.net\call of duty modern warfare\modernwarfare.exe] => (Allow) G:\games\battle.net\call of duty modern warfare\modernwarfare.exe (Activision Publishing Inc -> Activision)
FirewallRules: [UDP Query User{E61F8716-060C-45F6-AF49-141E8945A17D}G:\games\battle.net\call of duty modern warfare\modernwarfare.exe] => (Allow) G:\games\battle.net\call of duty modern warfare\modernwarfare.exe (Activision Publishing Inc -> Activision)
FirewallRules: [TCP Query User{C0293690-B9F8-49C7-BF0C-41316B362BA7}G:\games\gta\grand theft auto v\gta5.exe] => (Allow) G:\games\gta\grand theft auto v\gta5.exe (Rockstar Games, Inc. -> Rockstar Games)
FirewallRules: [UDP Query User{2251402D-2A83-4652-AD6F-E3BBC4B86852}G:\games\gta\grand theft auto v\gta5.exe] => (Allow) G:\games\gta\grand theft auto v\gta5.exe (Rockstar Games, Inc. -> Rockstar Games)
FirewallRules: [{8D152727-FD7D-4EB7-AC6B-C6B527B0795E}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{EEE9C3BF-418C-4FDC-8051-C03E9E1541FB}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{013A723B-7FDA-4854-812C-A8639F0D8904}] => (Allow) C:\Program Files (x86)\Origin Games\Apex\EasyAntiCheat_launcher.exe (EasyAntiCheat Oy -> EasyAntiCheat Ltd)
FirewallRules: [{95BBF1C5-0881-405D-A189-67CDBC3449D9}] => (Allow) C:\Program Files (x86)\Origin Games\Apex\EasyAntiCheat_launcher.exe (EasyAntiCheat Oy -> EasyAntiCheat Ltd)
FirewallRules: [TCP Query User{AD52744A-2531-47AB-972C-BB94FDE8F854}G:\games\gtav\gtav\gta5.exe] => (Allow) G:\games\gtav\gtav\gta5.exe (Rockstar Games, Inc. -> Rockstar Games)
FirewallRules: [UDP Query User{3BCAC90C-7636-4F50-8C9C-211D59A07C7A}G:\games\gtav\gtav\gta5.exe] => (Allow) G:\games\gtav\gtav\gta5.exe (Rockstar Games, Inc. -> Rockstar Games)
FirewallRules: [{53FDB2CB-7F74-4B43-99ED-5FD800967089}] => (Allow) G:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe (Digital Extremes Ltd. -> Digital Extremes)
FirewallRules: [{4F25E4D2-EE43-4E3E-87B5-229D1336EF3D}] => (Allow) G:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe (Digital Extremes Ltd. -> Digital Extremes)
FirewallRules: [{40F67402-AC7B-4B52-8D29-88C978597945}] => (Allow) G:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe (Digital Extremes Ltd. -> Digital Extremes)
FirewallRules: [{B3C9F91D-CA55-46BD-AFD9-C8FEE38CD15B}] => (Allow) G:\SteamLibrary\steamapps\common\Warframe\Tools\RemoteCrashSender.exe (Digital Extremes Ltd. -> )
FirewallRules: [{14DBBA90-AF59-4F07-B299-400FCD731263}] => (Allow) G:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe (Digital Extremes Ltd. -> Digital Extremes)
FirewallRules: [{2473D3C6-9B95-4068-A96A-DCBC91CBCCBC}] => (Allow) G:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe (Digital Extremes Ltd. -> Digital Extremes)
FirewallRules: [{DB714AA7-4F31-42BA-92DC-C5FD48C2BB63}] => (Allow) G:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe (Digital Extremes Ltd. -> Digital Extremes)
FirewallRules: [{C58358E0-028B-41CD-852E-0525F0F4D03A}] => (Allow) G:\SteamLibrary\steamapps\common\Warframe\Tools\RemoteCrashSender.exe (Digital Extremes Ltd. -> )
FirewallRules: [{2B27E9EF-3C59-41B7-AD81-05937FDD6145}] => (Allow) G:\SteamLibrary\steamapps\common\LEGO Marvel's Avengers\LEGOMARVELAvengers.exe (Travellers Tales (UK) Ltd -> Warner Bros. Interactive Entertainment)
FirewallRules: [{479F5161-3987-4F5B-8504-6FE4D2B7ECDE}] => (Allow) G:\SteamLibrary\steamapps\common\LEGO Marvel's Avengers\LEGOMARVELAvengers.exe (Travellers Tales (UK) Ltd -> Warner Bros. Interactive Entertainment)
FirewallRules: [{45A318A3-525D-4F03-AF65-274131FC643B}] => (Allow) G:\SteamLibrary\steamapps\common\3DMark\3DMarkLauncher.exe (FUTUREMARK INC -> Futuremark)
FirewallRules: [{D0CE9287-DA33-4DA7-AE2C-4AC1BA97D6FB}] => (Allow) G:\SteamLibrary\steamapps\common\3DMark\3DMarkLauncher.exe (FUTUREMARK INC -> Futuremark)
FirewallRules: [TCP Query User{97D4B6E1-8388-49EF-8C03-4416D24C80FA}C:\program files (x86)\java\jre1.8.0_251\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_251\bin\javaw.exe => No File
FirewallRules: [UDP Query User{489CDFE8-DC65-465E-92C1-E2E5234054F3}C:\program files (x86)\java\jre1.8.0_251\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_251\bin\javaw.exe => No File
FirewallRules: [{DB9E4E3A-5ECD-4CF0-BCE6-27DAE53DE64E}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)
FirewallRules: [TCP Query User{5A453047-5304-45CC-ABE2-15AD5B7999CA}C:\program files\java\jre1.8.0_251\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_251\bin\javaw.exe
FirewallRules: [UDP Query User{2296123D-5307-4324-8709-B79A70C74B2A}C:\program files\java\jre1.8.0_251\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_251\bin\javaw.exe
FirewallRules: [{1A8A6424-CA81-408D-9182-912D23D9982C}] => (Allow) G:\SteamLibrary\steamapps\common\3DMark\bin\x86\3DMark.exe (FUTUREMARK INC -> )
FirewallRules: [{25D80DCB-9BD4-4B79-AB9F-D59512693E10}] => (Allow) G:\SteamLibrary\steamapps\common\3DMark\bin\x86\3DMark.exe (FUTUREMARK INC -> )
FirewallRules: [{209247BA-E752-45D6-97EF-3776546D0DEE}] => (Allow) G:\SteamLibrary\steamapps\common\3DMark\bin\x64\3DMark.exe (FUTUREMARK INC -> )
FirewallRules: [{11C49E1E-3391-48EE-B1E4-0318E325FE66}] => (Allow) G:\SteamLibrary\steamapps\common\3DMark\bin\x64\3DMark.exe (FUTUREMARK INC -> )

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:118.61 GB) (Free:26.36 GB) (22%)

==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (05/30/2020 11:04:38 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program bdagent.exe version 1.0.17.177 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 8f0

Start Time: 01d6368887c7da57

Termination Time: 60000

Application Path: C:\Program Files\Bitdefender Antivirus Free\bdagent.exe

Report Id: 30360999-8482-4606-8666-0602319c4ce4

Faulting package full name: 

Faulting package-relative application ID: 

Hang type: Unknown

Error: (05/29/2020 10:06:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: heaven.exe, version: 1.0.0.0, time stamp: 0x511b9e02
Faulting module name: d3d11.dll, version: 10.0.18362.387, time stamp: 0x475a8f58
Exception code: 0xc0000005
Fault offset: 0x0014af1c
Faulting process id: 0x19b0
Faulting application start time: 0x01d635c0b8cc7201
Faulting application path: G:\Heaven Benchmark 4.0\bin\heaven.exe
Faulting module path: C:\Windows\SYSTEM32\d3d11.dll
Report Id: a6398351-b53e-416c-b29e-fa65b040afd6
Faulting package full name: 
Faulting package-relative application ID:

Error: (05/29/2020 09:31:35 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

Error: (05/29/2020 09:31:35 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]

Error: (05/28/2020 05:26:48 PM) (Source: Microsoft-Windows-Perflib) (EventID: 1023) (User: NT AUTHORITY)
Description: Windows cannot load the extensible counter DLL "C:\Windows\system32\sysmain.dll" (Win32 error code 126).

Error: (05/28/2020 12:23:52 AM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating  status to SECURITY_PRODUCT_STATE_SNOOZED.

Error: (05/28/2020 12:21:01 AM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.

Error: (05/27/2020 05:57:01 PM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.


System errors:
=============
Error: (05/31/2020 08:48:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vsserv service failed to start due to the following error: 
The system cannot find the file specified.

Error: (05/31/2020 08:48:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vsservppl service failed to start due to the following error: 
The system cannot find the file specified.

Error: (05/31/2020 08:48:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The updatesrv service failed to start due to the following error: 
The system cannot find the file specified.

Error: (05/31/2020 08:48:50 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The bdredline service failed to start due to the following error: 
The system cannot find the file specified.

Error: (05/31/2020 08:48:50 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126

Error: (05/31/2020 08:48:49 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMChameleon service failed to start due to the following error: 
The system cannot find the file specified.

Error: (05/31/2020 08:48:16 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA LocalSystem Container service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 6000 milliseconds: Restart the service.

Error: (05/31/2020 08:48:16 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Bitdefender Product Agent Service service terminated unexpectedly.  It has done this 1 time(s).


Windows Defender:
===================================
Date: 2020-05-31 14:59:23.009
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Misleading:Win32/Fybents&threatid=272037&enterprise=0
Name: Misleading:Win32/Fybents
ID: 272037
Severity: High
Category: Potentially Unwanted Software
Path: file:_C:\Program Files\ByteFence\ByteFence.exe; process:_pid:10624,ProcessStart:132353811744729287; process:_pid:8232,ProcessStart:132353818807522152; regkey:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ByteFence; uninstall:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ByteFence
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.317.266.0, AS: 1.317.266.0, NIS: 1.317.266.0
Engine Version: AM: 1.1.17100.2, NIS: 1.1.17100.2

Date: 2020-05-31 14:58:03.741
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Misleading:Win32/Fybents&threatid=272037&enterprise=0
Name: Misleading:Win32/Fybents
ID: 272037
Severity: High
Category: Potentially Unwanted Software
Path: file:_C:\Program Files\ByteFence\ByteFence.exe; regkey:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ByteFence; uninstall:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ByteFence
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.317.266.0, AS: 1.317.266.0, NIS: 1.317.266.0
Engine Version: AM: 1.1.17100.2, NIS: 1.1.17100.2

Date: 2020-05-31 14:57:27.712
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Misleading:Win32/Fybents&threatid=272037&enterprise=0
Name: Misleading:Win32/Fybents
ID: 272037
Severity: High
Category: Potentially Unwanted Software
Path: file:_C:\Program Files\ByteFence\ByteFence.exe; file:_C:\Program Files\ByteFence\ByteFenceService.exe; file:_C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware\ByteFence Anti-Malware.lnk; file:_C:\Windows\System32\Tasks\ByteFence->(UTF-16LE); process:_pid:3240,ProcessStart:132353254365582354; process:_pid:9076,ProcessStart:132353254859968896; regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA234CDD-7A37-4A7D-96B2-8481408DC491}; regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ByteFence; regkey:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ByteFence; service:_ByteFenceService; startup:_C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware\ByteFence Anti-Malware.lnk; taskscheduler:_C:\Windows\System32\Tasks\ByteFence; uninstall:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ByteFence
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\Program Files\ByteFence\ByteFence.exe
Security intelligence Version: AV: 1.317.266.0, AS: 1.317.266.0, NIS: 1.317.266.0
Engine Version: AM: 1.1.17100.2, NIS: 1.1.17100.2

Date: 2020-05-30 23:28:41.799
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Misleading:Win32/Fybents&threatid=272037&enterprise=0
Name: Misleading:Win32/Fybents
ID: 272037
Severity: High
Category: Potentially Unwanted Software
Path: file:_C:\Program Files\ByteFence\ByteFence.exe; file:_C:\Program Files\ByteFence\ByteFenceService.exe; process:_pid:3240,ProcessStart:132353254365582354; process:_pid:9076,ProcessStart:132353254859968896; service:_ByteFenceService
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\Program Files\ByteFence\ByteFence.exe
Security intelligence Version: AV: 1.317.266.0, AS: 1.317.266.0, NIS: 1.317.266.0
Engine Version: AM: 1.1.17100.2, NIS: 1.1.17100.2

Date: 2020-05-31 15:01:02.085
Description: 
Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: Behavior Monitoring
Error Code: 0x80508023
Error description: The program could not find the malware and other potentially unwanted software on this device. 
Reason: Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

Date: 2020-05-30 23:16:19.643
Description: 
Windows Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version: 
Previous security intelligence Version: 1.317.54.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.17100.2
Error code: 0x80240022
Error description: The program can't check for definition updates. 

Date: 2020-05-30 23:16:19.611
Description: 
Windows Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version: 
Previous security intelligence Version: 1.317.54.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.17100.2
Error code: 0x80240022
Error description: The program can't check for definition updates. 

CodeIntegrity:
===================================

Date: 2020-05-31 15:01:13.378
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume6\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume6\Program Files\Bitdefender Antivirus Free\bdamsi\264642006458580000\antimalware_provider64.dll that did not meet the Windows signing level requirements.

Date: 2020-05-31 15:01:11.232
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume6\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume6\Program Files\Bitdefender Antivirus Free\bdamsi\264642006458580000\antimalware_provider64.dll that did not meet the Windows signing level requirements.

Date: 2020-05-31 15:01:09.145
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume6\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume6\Program Files\Bitdefender Antivirus Free\bdamsi\264642006458580000\antimalware_provider64.dll that did not meet the Windows signing level requirements.

Date: 2020-05-31 15:01:07.067
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume6\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume6\Program Files\Bitdefender Antivirus Free\bdamsi\264642006458580000\antimalware_provider64.dll that did not meet the Windows signing level requirements.

Date: 2020-05-31 15:01:04.961
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume6\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume6\Program Files\Bitdefender Antivirus Free\bdamsi\264642006458580000\antimalware_provider64.dll that did not meet the Windows signing level requirements.

Date: 2020-05-31 15:01:02.886
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume6\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume6\Program Files\Bitdefender Antivirus Free\bdamsi\264642006458580000\antimalware_provider64.dll that did not meet the Windows signing level requirements.

Date: 2020-05-31 15:01:01.116
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume6\ProgramData\Microsoft\Windows Defender\Platform\4.18.2004.6-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume6\Program Files\Bitdefender Antivirus Free\bdamsi\264642006458580000\antimalware_provider64.dll that did not meet the Microsoft signing level requirements.

Date: 2020-05-31 15:01:00.965
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume6\ProgramData\Microsoft\Windows Defender\Platform\4.18.2004.6-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume6\Program Files\Bitdefender Antivirus Free\bdamsi\264642006458580000\antimalware_provider64.dll that did not meet the Microsoft signing level requirements.

==================== Memory info =========================== 

BIOS: American Megatrends Inc. P3.70 11/13/2019
Motherboard: ASRock A320M-HDV R4.0
Processor: AMD Ryzen 3 3200G with Radeon Vega Graphics 
Percentage of memory in use: 57%
Total physical RAM: 8119.32 MB
Available physical RAM: 3417.8 MB
Total Virtual: 19895.32 MB
Available Virtual: 12863.98 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:118.61 GB) (Free:26.36 GB) NTFS
Drive g: (1TB Hardrive) (Fixed) (Total:931.5 GB) (Free:386.79 GB) NTFS

\\?\Volume{c02d1aae-cdb8-4b2e-a2b0-f2e89ee26d5e}\ (Recovery) (Fixed) (Total:0.52 GB) (Free:0.09 GB) NTFS
\\?\Volume{8152ea50-9af9-4405-9538-7e5ad27518fa}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Protective MBR) (Size: 931.5 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 1 (Protective MBR) (Size: 119.2 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt =======================


Hiya Reef,

Thanks for those logs, continue please:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select “Run as Administrator”; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs in your reply...

Thank you,

Kevin...

fixlist.txt

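The mrt.log opened above holds one block per MSRT run, and only the most recent run by date matters. The following parser is an added example and not part of the thread; it reads the run format posted in this topic and returns the latest run, flagging any run whose summary lacks the "No infection found." line (an assumed review rule, not MSRT's own). SAMPLE_LOG is constructed in that same format.

```python
# Added example, not code from the thread: parse the mrt.log opened above and
# pick the most recent run. SAMPLE_LOG is constructed in the format posted above.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

TOOL = "Microsoft Windows Malicious Software Removal Tool"
TIME_FMT = "%a %b %d %H:%M:%S %Y"      # e.g. "Thu May 14 19:58:27 2020"
CLEAN_LINE = "No infection found."

@dataclass
class MrtRun:
    version: str
    started: datetime
    finished: Optional[datetime]
    engine: str
    signatures: str
    results: List[str]               # lines under "Results Summary:"

    @property
    def needs_review(self) -> bool:
        # Assumption: a summary without the explicit clean line deserves a look.
        return CLEAN_LINE not in self.results

def _field(block: str, key: str) -> str:
    m = re.search(rf"^{key}:\s*(.*)$", block, re.M)
    return m.group(1).strip() if m else ""

def _when(block: str, word: str) -> Optional[datetime]:
    m = re.search(rf"{word} On (.+)$", block, re.M)
    return datetime.strptime(m.group(1).strip(), TIME_FMT) if m else None

def parse_mrt_log(text: str) -> List[MrtRun]:
    """Every run starts with the tool header, so split on a lookahead for it;
    dashed separators and a truncated run without a start time are skipped."""
    runs = []
    for block in re.split(rf"(?m)^(?={re.escape(TOOL)} v)", text):
        head = re.match(rf"{re.escape(TOOL)} v([\d.]+),", block)
        started = _when(block, "Started")
        if not head or started is None:
            continue
        summary = re.search(rf"Results Summary:\n-+\n(.*?)\n{re.escape(TOOL)} Finished",
                            block, re.S)
        results = [ln.strip() for ln in summary.group(1).splitlines()
                   if ln.strip()] if summary else []
        runs.append(MrtRun(head.group(1), started, _when(block, "Finished"),
                           _field(block, "Engine"), _field(block, "Signatures"), results))
    return runs

def latest_run(runs: List[MrtRun]) -> Optional[MrtRun]:
    """Most recent by start time rather than by position in the file."""
    return max(runs, key=lambda r: r.started) if runs else None

SAMPLE_LOG = """\
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.81, (build 5.81.16832.1)
Started On Mon May 11 16:35:45 2020
Engine: 1.1.16800.2
Signatures: 1.311.96.0
Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Mon May 11 16:36:50 2020
Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.82, (build 5.82.17046.2)
Started On Sat May 30 21:10:03 2020
Engine: 1.1.17100.2
Signatures: 1.317.266.0
Results Summary:
----------------
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Sat May 30 21:12:40 2020
Return code: 0 (0x0)
"""
```

On the real machine, pass `open(r"c:\windows\debug\mrt.log").read()` to `parse_mrt_log`; the blank lines and CRLF endings in the real file do not affect the parser.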

Here are the logs

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-05-2020 01
Ran by User (31-05-2020 23:38:04) Run:1
Running from C:\Users\User\Downloads
Loaded Profiles: User
Boot Mode: Normal
==============================================

fixlist content:
*****************
SystemRestore: On
CreateRestorePoint:
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S2 bdredline; "C:\Program Files\Bitdefender Antivirus Free\bdredline.exe" [X]
S2 updatesrv; "C:\Program Files\Bitdefender Antivirus Free\updatesrv.exe" /service [X]
S2 vsserv; "C:\Program Files\Bitdefender Antivirus Free\vsserv.exe" /service [X]
S2 vsservppl; "C:\Program Files\Bitdefender Antivirus Free\vsservppl.exe" /service [X]
R2 McAfee WebAdvisor; C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe [939544 2020-05-29] (McAfee, LLC -> McAfee, LLC)
U3 avgbdisk; no ImagePath
2020-05-29 21:09 - 2020-05-29 21:31 - 000000000 ____D C:\Users\User\AppData\Roaming\AVG
2020-05-29 21:09 - 2020-05-29 21:09 - 000000000 ____D C:\Users\User\AppData\Local\Avg
2020-05-29 20:45 - 2020-05-29 21:31 - 000000000 ____D C:\ProgramData\AVG
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [486]
AlternateDataStreams: C:\Users\User\ntuser.ini:NTV [12524] 
C:\Program Files\ByteFence
CMD: winmgmt /verifyrepository
Hosts:
EmptyTemp:

*****************

SystemRestore: On => completed
Restore point was successfully created.
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
HKLM\System\CurrentControlSet\Services\bdredline => removed successfully
bdredline => service removed successfully
HKLM\System\CurrentControlSet\Services\updatesrv => removed successfully
updatesrv => service removed successfully
HKLM\System\CurrentControlSet\Services\vsserv => removed successfully
vsserv => service removed successfully
HKLM\System\CurrentControlSet\Services\vsservppl => removed successfully
vsservppl => service removed successfully
McAfee WebAdvisor => Unable to stop service.
HKLM\System\CurrentControlSet\Services\McAfee WebAdvisor => removed successfully
McAfee WebAdvisor => service removed successfully
HKLM\System\CurrentControlSet\Services\avgbdisk => removed successfully
avgbdisk => service removed successfully
C:\Users\User\AppData\Roaming\AVG => moved successfully
C:\Users\User\AppData\Local\Avg => moved successfully
C:\ProgramData\AVG => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => removed successfully
C:\Users\Public\Shared Files => ":VersionCache" ADS removed successfully
C:\Users\User\ntuser.ini => ":NTV" ADS removed successfully
"C:\Program Files\ByteFence" => not found

========= winmgmt /verifyrepository =========

WMI repository is consistent

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 7626752 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 56813954 B
Java, Flash, Steam htmlcache => 247827042 B
Windows/system/drivers => 39066293 B
Edge => 1282475 B
Chrome => 410000513 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 120030 B
NetworkService => 10595458 B
User => 2718158253 B

RecycleBin => 1288947189 B
EmptyTemp: => 4.5 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 23:39:15 ====



---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.81, (build 5.81.16832.1)
Started On Mon May 11 16:35:45 2020

Engine: 1.1.16800.2
Signatures: 1.311.96.0
MpGear: 1.1.16330.1
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Mon May 11 16:36:50 2020


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.82, (build 5.82.17046.2)
Started On Thu May 14 19:58:27 2020

Engine: 1.1.16900.4
Signatures: 1.313.2734.0
MpGear: 1.1.16330.1
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 14 20:01:15 2020


Return code: 0 (0x0)


What is the current status of your system, any remaining issues or concerns...


For now there are no problems, but my concerns are if the virus is fully removed or if they are still there but just hidden. Do I need to be worried about it in the future? I really don't want it to be regenerating itself.


Run one more in-depth scan to double check your system:

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs


Hi, I ran the scan and I am kinda relieved that it says "Your Computer Is Clean".

Am I safe now?


Hiya Reef,

You should be ok now, first make sure to change all passwords that you use on this PC. Specifically any with a financial impact...

Next,

Uninstall the following program:

Sophos AV. Also delete this folder if still present: C:\ProgramData\Sophos

http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Right click on FRST here: C:\Users\User\Downloads\FRST64.exe and rename it to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended, that is because file extensions are hidden; in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...


Hey dude, thank you so much. You made me so relieved. Again, thank you 👍


You're very welcome Reef, it was a pleasure to work with you...

Regards,

Kevin...


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
