Potential malware in system files (undetected by MB, detected by RK)

[kexas]

Hello,

Today my computer froze; hard shut down. After start-up it was incredibly slow. Ran RK (MBAM had 0 detections in all the recent scans while RK had a few); couple of detections: 1 false positive (most likely) and .tmp file (recurring detection; possibly due to RK not being able to remove the file since it is on a bad sector or at least it claims to be. Not sure if it could be a sophisticated malware somehow making some files to give I/O error and bad sectors are not unlikely due to hard drive being over 5 years old). Repeat scan returned 0 threats. Restart and shut down & starting up again did not improve anything and it's still slow as if something is being worked on. Slight improvements after 10 or so minutes.


Causes of suspicion:

After the first RK scan (but prior to threat removal) amount of free space on hard drive increased by 5GB (have not deleted or uninstalled anything manually);

A lot of saved Chrome (default browser) passwords disappeared (including Google account - Gmail etc.). However some passwords are still there, but only for websites I have visited very long time ago. This had happened before, but I brushed it off. Successfully logged in to Google - no other attempts to login were reported. But after restarting it happened again.

Some [seemingly harmless] processes (I don't know about Win processes since I'm not familiar with them)were running after startup. Like Acrobat update, Bluetooth support server, OriginWebHelperService (EA Origin). Also happened before, but I brushed it off as well. 


All recent MBAM scans reported 0 threats.
AdwCleaner (scanned just now) reported 0 threats and 2 preinstalled software (from ASUS - manufacturer of the laptop).
Today's RK scans I described above. However, previous recent scans had other detections. svchost.exe in particular (recurring) while MBAM did not detect anything suspicious.

Processes that seemed suspicious to me personally (I don't have much clue, but just seemed suspicious):
svchost.exe (also noticed two or three instances of COM Surrogate running from time to time, but they often automatically end a couple of seconds after I open Task Manager);
livecomm.exe (manually deleted);
some Service Host network related instances seem to be active from time to time.
I'm sure I'm forgetting something, but can't remember now.


 

[kevinf80]

Hello kexas,

Run the following: Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Right click on FRST and rename FRSTEnglish   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans"   Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Thank you, Kevin

[kexas]

Could you elaborate what are possible potential causes?

I also attached Wireshark capture if it's any use.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 24-01-2021 01
Ran by First (administrator) on HOME (ASUSTeK COMPUTER INC. X550MD) (26-01-2021 23:02:38)
Running from C:\Users\First\Desktop\Security and Cleanup
Loaded Profiles: First
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ASUSTeK Computer Inc. -> ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(ASUSTeK Computer Inc. -> ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUSTeK Computer Inc. -> ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUSTeK Computer Inc. -> ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(ASUSTeK Computer Inc. -> ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUSTeK Computer Inc. -> ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTeK Computer Inc. -> AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(ASUSTeK Computer Inc. -> AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(ASUSTeK Computer Inc. -> AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(Broadcom Corporation -> Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Canon Inc. -> ) C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(F.lux Software LLC -> f.lux Software LLC) C:\Users\First\AppData\Local\FluxSoftware\Flux\flux.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <21>
(Intel(R) Corporation) [File not signed] C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\SnippingTool.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.18384_none_fa1d93c39b41b41a\TiWorker.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Wireshark Foundation, Inc. -> The Wireshark developer community, hxxps://www.wireshark.org/) C:\Program Files\Wireshark\Wireshark.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Zune Launcher] => C:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation -> Microsoft Corporation)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation -> Microsoft Corporation)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1282120 2013-05-02] (Canon Inc. -> CANON INC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle America, Inc. -> Oracle Corporation)
HKLM\...\Policies\Explorer: [NoAutorun] 1
HKU\S-1-5-21-1401302362-31832541-2573301910-1001\...\Run: [f.lux] => C:\Users\First\AppData\Local\FluxSoftware\Flux\flux.exe [1469968 2020-06-17] (F.lux Software LLC -> f.lux Software LLC)
HKU\S-1-5-21-1401302362-31832541-2573301910-1001\...\Run: [WinAuth] => C:\Users\First\Desktop\WinAuth-3.3.7\WinAuth.exe -min
HKU\S-1-5-21-1401302362-31832541-2573301910-1001\...\Run: [Spotify Web Helper] => C:\Users\First\AppData\Roaming\Spotify\SpotifyWebHelper.exe [782736 2018-06-04] (Spotify AB -> Spotify Ltd)
HKU\S-1-5-21-1401302362-31832541-2573301910-1001\...\Run: [GalaxyClient] => [X]
HKU\S-1-5-21-1401302362-31832541-2573301910-1001\...\Policies\Explorer: [NoAutorun] 1
HKU\S-1-5-21-1401302362-31832541-2573301910-1001\...\MountPoints2: {1dda0f44-bd4b-11e4-8263-54a050ead6dc} - "E:\SETUP.EXE" 
HKLM\...\Windows x64\Print Processors\Canon MG2400 series Print Processor: C:\Windows\System32\spool\prtprocs\x64\CNMPDBW.DLL [30208 2013-03-24] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)
HKLM\...\Print\Monitors\Canon BJ Language Monitor MG2400 series: C:\Windows\system32\CNMLMBW.DLL [391168 2013-03-24] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)
HKLM\...\Print\Monitors\Canon BJ Language Monitor MG2400 series XPS: C:\Windows\system32\CNMXLMBW.DLL [393728 2013-03-24] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\87.0.4280.141\Installer\chrmstp.exe [2021-01-06] (Google LLC -> Google LLC)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> "C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
HKLM\Software\...\Authentication\Credential Providers: [{50968FF7-10C1-4fb3-98B0-CD654D6CB97E}] -> C:\Program Files\WIDCOMM\Bluetooth Software\\BtwCP.dll [2014-03-19] (Broadcom Corporation -> Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2015-02-10]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation -> Broadcom Corporation.)
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {027DBF83-89A3-48FC-A99D-E0CD11A58B79} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy
Task: {174153D6-157A-45CA-891E-0F33B2070007} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13671640 2014-04-10] (Realtek Semiconductor Corp -> Realtek Semiconductor)
Task: {1BBD7903-B8E3-4FBB-B9A5-2441A383F714} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [107848 2015-02-11] (Google Inc -> Google Inc.)
Task: {37D342D7-CEA1-448E-99DB-ED0EEE161772} - System32\Tasks\ASUS Smart Gesture Launcher => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLauncher.exe [18232 2014-03-31] (ASUSTeK Computer Inc. -> AsusTek)
Task: {6BD9BA87-7A6B-474B-A77A-8BB0B7C62CBD} - System32\Tasks\ASUS Live Update2 => C:\Program Files (x86) [Argument = -check]
Task: {75CDA201-2D96-422C-B99E-F59A7E2BE4B7} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [907240 2020-06-23] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {89821807-27A9-469E-A487-8E561CA1CBAA} - System32\Tasks\Update Checker => C:\Program Files (x86)\ASUS\ASUS Live Update\UpdateChecker.exe
Task: {92568790-171E-4CF6-886F-1C7D4FE96A4B} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Task: {99ABF2AB-76E7-463E-ACF4-F9A07372D783} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [907240 2020-06-23] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {A2BE772C-8C71-4428-9D90-1461267371B0} - System32\Tasks\update-S-1-5-21-1401302362-31832541-2573301910-1001 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [414872 2017-04-12] (OOO Lightshot -> TODO: <Company name>)
Task: {A6711DDB-E942-43F9-91CB-9B9934F23557} - System32\Tasks\Mozilla\Firefox Default Browser Agent E7CF176E110C211B => C:\Program Files (x86)\Mozilla Firefox\default-browser-agent.exe [693216 2021-01-08] (Mozilla Corporation -> Mozilla Foundation)
Task: {B1D6F979-BF14-4B7D-91CF-5DDF9A230709} - System32\Tasks\ATK Package 36D18D69AFC3 => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\SimAppExec.exe [109880 2014-01-14] (ASUSTeK Computer Inc. -> ASUSTek Computer Inc.)
Task: {BE1A57A1-4F52-4A19-B672-17789401A939} - System32\Tasks\npcapwatchdog => C:\Program Files\Npcap\CheckStatus.bat [880 2020-09-25] () [File not signed]
Task: {C98A7CCD-542E-4628-B565-54E0C86CE8F2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [107848 2015-02-11] (Google Inc -> Google Inc.)
Task: {CAA8DDAE-8FFA-4D83-B8E2-16CCCD30FE7D} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [414872 2017-04-12] (OOO Lightshot -> TODO: <Company name>)
Task: {CDB23E8E-4F40-4F90-982B-4FE020C8225E} - System32\Tasks\RtHDVBg => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1385840 2014-04-15] (Realtek Semiconductor Corp -> Realtek Semiconductor)
Task: {F47393E6-9E27-421A-B603-2B9764212FAE} - System32\Tasks\ASUS Live Update1 => C:\Program Files (x86) [Argument = -critical]
Task: {F7C39D98-E377-4CE0-ACDB-6103F551427B} - System32\Tasks\{5D19AE19-BB92-4A5D-AB53-672873CA66BD} => C:\Windows\system32\pcalua.exe -a C:\Users\First\AppData\Local\Programs\RunItOncePoker\uninstall.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\update-S-1-5-21-1401302362-31832541-2573301910-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{72A769FC-C39A-4FB0-BDDE-531B4E026AD5}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{72A769FC-C39A-4FB0-BDDE-531B4E026AD5}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{7BF0CEF1-9622-482F-BA15-CB6192B7A9A3}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{7BF0CEF1-9622-482F-BA15-CB6192B7A9A3}: [DhcpNameServer] 192.168.0.1

Edge: 
=======
Edge Profile: C:\Users\First\AppData\Local\Microsoft\Edge\User Data\Default [2021-01-26]

FireFox:
========
FF DefaultProfile: th1rul2j.default-1455558374396
FF ProfilePath: C:\Users\First\AppData\Roaming\Mozilla\Firefox\Profiles\th1rul2j.default-1455558374396 [2021-01-26]
FF Session Restore: Mozilla\Firefox\Profiles\th1rul2j.default-1455558374396 -> is enabled.
FF Extension: (English (US) Language Pack) - C:\Users\First\AppData\Roaming\Mozilla\Firefox\Profiles\th1rul2j.default-1455558374396\Extensions\langpack-en-US@firefox.mozilla.org.xpi [2020-12-18]
FF Extension: (uBlock Origin) - C:\Users\First\AppData\Roaming\Mozilla\Firefox\Profiles\th1rul2j.default-1455558374396\Extensions\uBlock0@raymondhill.net.xpi [2021-01-07]
FF Extension: (Malwarebytes Browser Guard) - C:\Users\First\AppData\Roaming\Mozilla\Firefox\Profiles\th1rul2j.default-1455558374396\Extensions\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi [2020-12-17]
FF Extension: (Quick Locale Switcher) - C:\Users\First\AppData\Roaming\Mozilla\Firefox\Profiles\th1rul2j.default-1455558374396\Extensions\{25A1388B-6B18-46c3-BEBA-A81915D0DE8F}.xpi [2016-05-24] [Legacy]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
FF Plugin: @java.com/DTPlugin,version=10.80.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2016-12-09] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.80.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2016-12-09] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] (Microsoft Corporation ->  Microsoft Corporation)
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.) [File not signed]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] (Microsoft Corporation ->  Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2020-06-04] (VideoLAN -> VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2020-06-04] (VideoLAN -> VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=3.0.11 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2020-06-04] (VideoLAN -> VideoLAN)

Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\First\AppData\Local\Google\Chrome\User Data\Default [2021-01-26]
CHR Notifications: Default -> hxxp://www.hltv.org; hxxps://www.curse.com
CHR Session Restore: Default -> is enabled.
CHR Extension: (Slides) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-14]
CHR Extension: (Docs) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-14]
CHR Extension: (Google Drive) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2020-10-22]
CHR Extension: (YouTube) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (uBlock Origin) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2021-01-10]
CHR Extension: (Google Search) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Tampermonkey) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2020-10-07]
CHR Extension: (Sheets) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-14]
CHR Extension: (Google Docs Offline) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2020-11-17]
CHR Extension: (Malwarebytes Browser Guard) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihcjicgdanjaechkgeegckofjjedodee [2020-12-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-10-04]
CHR Extension: (Gmail) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2020-10-23]
CHR Extension: (Chrome Media Router) - C:\Users\First\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-12-09]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1863688 2016-05-13] (BattlEye Innovations e.K. -> )
S3 GalaxyClientService; C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe [1728072 2020-10-01] (GOG Sp. z o.o. -> GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [6821960 2020-10-01] (GOG Sp. z o.o. -> GOG.com)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140936 2013-05-14] (Canon Inc. -> )
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-02] (Intel(R) Corporation) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7456464 2020-12-11] (Malwarebytes Inc -> Malwarebytes)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2523448 2020-12-21] (Electronic Arts, Inc. -> Electronic Arts)
S2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [3478336 2020-12-21] (Electronic Arts, Inc. -> Electronic Arts)
S4 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2016-05-04] (Even Balance, Inc. -> )
S2 rkrtservice; C:\Program Files\RogueKiller\RogueKillerSvc.exe [13686080 2021-01-13] (Adlice -> )
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation -> Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation -> Microsoft Corporation)
S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [69904 2014-03-31] (ASUSTeK Computer Inc. -> ASUS Corporation)
S3 dtlitescsibus; C:\Windows\System32\drivers\dtlitescsibus.sys [30352 2015-02-26] (Disc Soft Ltd -> Disc Soft Ltd)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [153312 2020-12-11] (Malwarebytes Corporation -> Malwarebytes)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [17280 2012-08-06] (ASUSTeK Computer Inc. -> )
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [220160 2020-12-12] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [197792 2021-01-26] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [77496 2021-01-26] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248968 2020-12-11] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [139424 2021-01-26] (Malwarebytes Inc -> Malwarebytes)
R1 npcap; C:\Windows\system32\DRIVERS\npcap.sys [65880 2020-09-25] (Insecure.Com LLC -> Insecure.Com LLC.)
S4 npcap_wifi; C:\Windows\system32\DRIVERS\npcap.sys [65880 2020-09-25] (Insecure.Com LLC -> Insecure.Com LLC.)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166752 2019-07-09] (Samsung Electronics Co., Ltd. -> Samsung Electronics Co., Ltd.)
R3 USBPcap; C:\Windows\system32\DRIVERS\USBPcap.sys [43648 2020-05-22] (Tomasz Moń -> USBPcap)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Windows -> Microsoft Corporation)
S3 WsAudio_Device(1); C:\Windows\system32\drivers\VirtualAudio1.sys [31080 2014-11-26] (Wondershare Software Co., Ltd.  -> Wondershare)
S4 nvvad_WaveExtensible; \SystemRoot\system32\drivers\nvvad64v.sys [X]
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-01-26 22:55 - 2021-01-26 22:55 - 002297344 _____ (Farbar) C:\Users\First\Downloads\FRST64.exe
2021-01-26 21:45 - 2021-01-26 21:45 - 000000000 ____D C:\Users\First\AppData\LocalLow\IGDump
2021-01-26 20:34 - 2021-01-26 21:27 - 000000000 ____D C:\Users\First\AppData\Roaming\Wireshark
2021-01-26 20:33 - 2021-01-26 20:33 - 000077496 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2021-01-26 20:30 - 2021-01-26 20:30 - 000197792 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2021-01-26 20:30 - 2021-01-26 20:30 - 000139424 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2021-01-26 20:03 - 2021-01-26 20:03 - 000001798 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
2021-01-26 20:01 - 2021-01-26 20:02 - 000000000 ____D C:\Program Files\USBPcap
2021-01-26 20:01 - 2021-01-26 20:01 - 000003096 _____ C:\Windows\system32\Tasks\npcapwatchdog
2021-01-26 20:01 - 2021-01-26 20:01 - 000000000 ____D C:\Windows\SysWOW64\Npcap
2021-01-26 20:01 - 2021-01-26 20:01 - 000000000 ____D C:\Windows\system32\Npcap
2021-01-26 19:59 - 2021-01-26 20:01 - 000000000 ____D C:\Program Files\Npcap
2021-01-26 19:55 - 2021-01-26 20:04 - 000000000 ____D C:\Program Files\Wireshark
2021-01-26 19:52 - 2021-01-26 19:52 - 061483296 _____ (Wireshark development team) C:\Users\First\Downloads\Wireshark-win64-3.4.2.exe
2021-01-26 17:59 - 2016-06-14 19:13 - 000828408 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2021-01-26 17:59 - 2016-06-14 19:13 - 000176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2021-01-26 17:53 - 2021-01-26 17:53 - 000000000 ____D C:\Program Files\Windows Journal
2021-01-26 09:59 - 2021-01-26 09:59 - 000002243 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2021-01-26 09:59 - 2021-01-26 09:59 - 000002202 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2021-01-26 09:59 - 2021-01-26 09:59 - 000002202 _____ C:\ProgramData\Desktop\Microsoft Edge.lnk
2021-01-26 09:58 - 2021-01-26 09:58 - 000003380 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2021-01-26 09:58 - 2021-01-26 09:58 - 000003252 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2021-01-26 08:34 - 2021-01-26 08:35 - 000000000 ____D C:\Users\First\Desktop\Microsoft updates
2021-01-26 07:24 - 2021-01-26 07:24 - 000001114 _____ C:\Users\First\Downloads\vbs_file_association_fix_win7.zip
2021-01-26 05:17 - 2021-01-26 05:18 - 040487584 _____ (Adlice Software ) C:\Users\First\Downloads\RogueKiller_setup.exe
2021-01-26 04:39 - 2021-01-26 04:39 - 000000000 ___RD C:\Users\First\Documents\Scanned Documents
2021-01-26 04:39 - 2021-01-26 04:39 - 000000000 ____D C:\Users\First\Documents\Fax
2021-01-08 03:39 - 2021-01-08 03:39 - 000000000 ____D C:\Windows\system32\Tasks\Mozilla
2021-01-02 03:44 - 2021-01-02 18:26 - 000000000 ____D C:\Users\First\Downloads\ASF-win-x64 v5012
2021-01-02 03:42 - 2021-01-02 03:42 - 019357072 _____ C:\Users\First\Downloads\ASF-win-x64.zip
2021-01-02 02:50 - 2021-01-02 02:50 - 000000000 ____D C:\Users\First\AppData\LocalLow\The Bae Team

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-01-26 23:12 - 2013-08-22 17:20 - 000000000 ____D C:\Windows\CbsTemp
2021-01-26 23:05 - 2020-10-11 21:26 - 000000000 ____D C:\FRST
2021-01-26 23:02 - 2020-10-11 21:04 - 000000000 ____D C:\Users\First\Desktop\Security and Cleanup
2021-01-26 20:25 - 2018-01-28 03:01 - 000000398 _____ C:\Windows\Tasks\update-sys.job
2021-01-26 20:22 - 2013-08-22 16:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2021-01-26 20:01 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\Inf
2021-01-26 19:59 - 2015-12-14 13:44 - 000000000 ____D C:\ProgramData\Package Cache
2021-01-26 19:41 - 2018-01-28 03:01 - 000000398 _____ C:\Windows\Tasks\update-S-1-5-21-1401302362-31832541-2573301910-1001.job
2021-01-26 17:53 - 2014-11-21 17:14 - 000000000 ___SD C:\Windows\system32\CompatTel
2021-01-26 17:53 - 2014-11-21 09:18 - 000000000 ____D C:\Windows\ShellNew
2021-01-26 17:53 - 2013-08-22 17:36 - 000000000 ___RD C:\Windows\ToastData
2021-01-26 17:53 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\SysWOW64\setup
2021-01-26 17:53 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\system32\setup
2021-01-26 17:42 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\AppCompat
2021-01-26 11:19 - 2015-02-10 12:12 - 000003596 _____ C:\Windows\system32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1401302362-31832541-2573301910-1001
2021-01-26 10:52 - 2015-12-30 22:30 - 000000000 ____D C:\Users\First\AppData\Local\CrashDumps
2021-01-26 09:27 - 2015-02-10 15:12 - 000000000 ____D C:\Windows\system32\MRT
2021-01-26 09:17 - 2015-02-10 15:12 - 135062968 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2021-01-26 08:35 - 2016-12-06 21:15 - 000000000 ____D C:\Users\First\AppData\LocalLow\Mozilla
2021-01-26 08:15 - 2015-03-15 22:29 - 000000000 ____D C:\ProgramData\Mozilla
2021-01-26 05:22 - 2020-10-22 12:05 - 000000870 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2021-01-26 05:22 - 2020-10-22 12:05 - 000000870 _____ C:\ProgramData\Desktop\RogueKiller.lnk
2021-01-26 05:22 - 2020-10-11 23:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2021-01-26 05:22 - 2020-10-11 23:06 - 000000000 ____D C:\Program Files\RogueKiller
2021-01-26 04:29 - 2020-02-14 15:58 - 000000000 ____D C:\Users\First\AppData\Local\Run It Once Poker
2021-01-26 04:27 - 2018-01-28 03:01 - 000000059 _____ C:\Users\First\AppData\Local\UserProducts.xml
2021-01-26 04:27 - 2018-01-28 03:01 - 000000000 ____D C:\Program Files (x86)\Skillbrains
2021-01-26 04:23 - 2015-10-31 22:46 - 000000000 ____D C:\Program Files (x86)\Adobe
2021-01-26 04:20 - 2015-02-11 06:20 - 000000000 ____D C:\Users\First\AppData\LocalLow\Adblock Plus for IE
2021-01-26 04:18 - 2017-12-20 17:12 - 000000000 ____D C:\Users\First\Documents\My Digital Editions
2021-01-26 01:51 - 2015-02-10 12:06 - 000000000 ____D C:\Users\First
2021-01-25 23:25 - 2015-02-10 15:43 - 000000000 ____D C:\Program Files (x86)\Steam
2021-01-24 19:45 - 2015-02-10 14:48 - 000000000 ____D C:\Users\First\AppData\Local\PokerStars.EU
2021-01-24 15:26 - 2017-03-26 20:55 - 000000000 ____D C:\Users\First\AppData\Roaming\discord
2021-01-22 15:15 - 2020-12-09 14:55 - 000000000 ____D C:\Users\First\AppData\Roaming\Telegram Desktop
2021-01-22 06:44 - 2015-02-10 14:46 - 000000000 ____D C:\Program Files (x86)\PokerStars.EU
2021-01-16 14:06 - 2013-08-22 15:25 - 000262144 ___SH C:\Windows\system32\config\BBI
2021-01-08 13:08 - 2020-11-14 20:37 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2021-01-08 03:39 - 2015-02-17 20:40 - 000001171 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2021-01-06 22:22 - 2015-02-11 04:59 - 000002244 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2021-01-06 22:22 - 2015-02-11 04:59 - 000002203 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2021-01-06 22:22 - 2015-02-11 04:59 - 000002203 _____ C:\ProgramData\Desktop\Google Chrome.lnk
2020-12-31 05:15 - 2015-03-18 20:42 - 000000000 ____D C:\Users\First\Desktop\Games

==================== Files in the root of some directories ========

2020-05-01 13:44 - 2020-05-01 13:44 - 000004338 _____ () C:\Users\First\AppData\Local\recently-used.xbel
2015-12-22 14:10 - 2020-12-14 14:16 - 000007592 _____ () C:\Users\First\AppData\Local\Resmon.ResmonCfg
2018-01-28 03:01 - 2018-01-28 03:01 - 000000003 _____ () C:\Users\First\AppData\Local\updater.log
2018-01-28 03:01 - 2021-01-26 04:27 - 000000059 _____ () C:\Users\First\AppData\Local\UserProducts.xml

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

LastRegBack: 2021-01-21 22:42
==================== End of FRST.txt ========================


 

Addition.txt wscapture.pcapng.gz

[kevinf80]

Are these policy restrictions known to you...

GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION

Do you have the logs from RogueKiller available...

 

[kexas]

No (not entirely sure what they are).

I'll check for RK logs.

[kexas]

No (not entirely sure what they are).

I'll check for RK logs.

Edit: attached RK logs.

rk_log1.txt rk_log1_rem.txt rk_log2.txt rk_log2_rem.txt

[kevinf80]

Hiya kexas,

Thanks for the update and logs. When you use tools such as roguekiller you have to be careful what you remove. I would always advise uploading to VirusTotal or similar if you are not 100% sure the files are malicious and have them checked..

C:\Windows\system32\sppsvc.exe was flagged so you removed it, that file is a definite system file as its running from the correct folder. It has been known to be exploited but in that case would run from a totally different place... This is a quote regarding that file and its functions..

Quote

This Windows service enables the download, installation and enforcement of digital licenses for Windows and Windows applications. If the service is disabled, the operating system and licensed applications may run in a notification mode. It is strongly recommended that you not disable the Software Protection service.

The temp files that were flagged may or may not have been malicious, not really sure. Again they should have been uploaded to an online service such as ViruTotal. Temp files and temp folders can be used by malware, but they are also used by windows and other software, programs and applications..

Continue please:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from. NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more. NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied:   Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system.... https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Next, Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Let me see those logs in your reply... Thank you, Kevin..

fixlist.txt

[kexas]

I'll attempt FRST fix. I take it it's normal for Chrome to block it as dangerous? Just in case I'll attach the one I got. Could you confirm it's correct?

Regarding .tmp files. I was wrong about the file being the same one. Seems like RK detects different file one at a time. That's the weird part. If it was due to I/O error, then a lot more files would be detected instead of just one.

fixlist.txt

[kevinf80]

You`ve uploaded fixlist.txt, I need to see fixlog.txt

[kexas]

Yes, that was my intention to confirm it wasn't altered.

Attaching fixlog now.

Fixlog.txt

[kevinf80]

Hiya kexas,

Have you also run Microsoft's Safety Scanner..

Thank you,

Kevin..

[kexas]

I'm running it right now. It FRST fix took a long time (due to I/O errors likely) and PC took a long way to start-up – it was stuck on desktop with just wallpaper loaded for a while.

[kevinf80]

Yes I also note sfc /scannow did not complete as part of FRST fix, lets wait for scan results...

[kexas]

Attached logs.
I see a lot of scan errors in msert. Are those normal? And no path to were the removed item was. Did it use some tricky hiding mechanism since it didn't get detected previously?

FRST still detects NTUSER.pol. Should I try deleting it?
 

msert.log FRST.txt Addition.txt

[kevinf80]

Hiya kexas,

Yes the output log from msert is very much normal and as expected. AutoKMS is a hack tool used to exploit versions of Windows and MS Office to make them appear legitimate, hence cheating activation.

There was no sign of AutoKMS in you FRST logs, what msert flagged was a root certificate used to allow AutoKMS to run on your system, that would indicate that it has been on your system previously.

The latest FRST logs are clean, no signs of any malware, infection or exploits. How do you feel your system is now responding, any remaining issues or concerns..?

Thank you,

Kevin.

[kexas]

Is NTUSER.pol non-malicious either?
Also, COM Surrogate instances (2 or 3 at a time) running from time to time, but whenever I open Task Manager the end themselves after 1 second.

I'll see how everything is tomorrow.

[kevinf80]

Hello kexas,

Com surrogate is a genuine windows file, I`ve just opened Taskmanager and see 3 instances running on my system. Have a read at the following link for a concise explanation. https://helpdeskgeek.com/windows-10/com-surrogate-windows-10-virus/ Your listed NTUSER.pol is not malicious in my opinion, it is running from the correct folder so is of no real concern...   Let me know how your system is respong tomorrow..   Thank you,   Kevin

 

 

[kexas]

Yeah, I just found it weird that the processes close as soon as I open Task Manager. As for svchost it sometimes shows as a blank process (no name).

What about .tmp files getting detected by RK? Can they be created by undetected malware?

[kevinf80]

Temp files are constantly created by windows and other software, just because RK flags them does not mean they are definitely malicious. If you have doubts upload them to VirusTotal and have them checked out...

One more indepth scan to be sure your system is clean...

Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...   Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows The Windows registry All local hard drives, fixed and removable Mapped network drives are not scanned. Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan. Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

[kexas]

So Sophos scan was clean.

However, startup is wonky again. Yesterday startup was bad and I noticed Windows Error Reporting running, so I disabled it and after then startup seemed fine (attempted several times). My guess that it was trying to access temp folders some of which aren't readable (FRST fix probably wasn't able to delete all Temp files either).

But today startup is messed up again. Wallpaper and taskbar load (but it's not usable), but the only thing I can open is Task Manager.

One of the potentially dangerous things I noticed (after opening Recourse Monitor) is that MBAM processes were suspended despite being displayed in Task Manager.

Command line for Windows Explorer when starting up is "...explorer.exe /LOADSAVEDWINDOWS" and I saw this line mentioned in malicious context (Evader and bypassing AV) on a few websites, but I'm not competent to look into it.

[kevinf80]

Scan with Autoruns Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop. Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:   Right-click on Autoruns.exe and select Properties Click on the Compatibility tab Under Settings check the box next to Run this program as an administrator Click on Apply then click OK   Double-click Autoruns.exe to run it. Once it starts, please press the Esc key on your keyboard. Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them: Hide empty locations Hide Windows entries   Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options: Verify code signatures Check VirusTotal.com   Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish. When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns. Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder Attach the ZIP folder you just created to your next reply

[kexas]

Attached Autoruns saved file. Process Explorer also shows Spooler Sub's process as 1/75 for VT.

Other observations during bad startup: Resource Monitor showed that a lot of things had very high response time (incl. files in System32 and SysWOW64). Event viewer naturally had a lot of errors (it's a huge mess) and a lot of them were due to time-outs.
Also, WerFault.exe, which I disabled (mentioned in previous comment), was still reading, despite not being displayed in Task Manager (only visible in Resource Monitor).
High Page File write.
wlanext.exe had 959213309280 in command line (Running from correct folder though. Don't know if this is standard, since I haven't noticed wlanext before).
taskeng.exe had {DECDD35A-154E-489F-AB6C-85279175D4C2} in command line (and another combination later).
Bluetooth with a name "SendTo from Explorer Application" had command line /Install.

for_mbf.7z

[kexas]

Could this be a result of a polymorphic file infector?

[kevinf80]

You zip folder is either corrupt or damaged, it will not open..

[kexas]

Compressed to .zip and attached. But Autoruns seem fine.

for_mbf.zip