New exe files keep generating in my temp folder


Solved by kevinf80

Hello everyone,

two days ago I noticed weird programs running (4 letter names with random icons, such as the Whatsapp icon, File explorer icon etc.). I ran MalwareBytes, quarantined flagged files and thought it was over.

I then visited the %temp% folder and found like 4 .exe files (all were 4 letter names with random letters and numbers). I then wiped my %temp% folder and thought it was finally over.

Just before going to bed, a cmd pop-up appeared on the screen trying to execute a command; it was something like "-k START %path to temp virus file". I clicked no, but it kept reappearing on my screen asking to repeat the action.

Recently I had downloaded and run three files (Internet Download Manager, a pirated version of Adobe Premiere 2021 Pro and DragonBones Pro). I'm really suspicious of the IDM, because the app and the website look outdated; I uninstalled it after 10 minutes of use.

What I had done: ran MalwareBytes multiple times, cleared my %temp% folder multiple times, deleted IDM from my PC.

Shortly: New .exe files keep generating and trying to run through the cmd.

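As an added triage example for the symptoms described above (not code from this thread or from any of the tools recommended in it): a read-only PowerShell script that lists four-character-named .exe files in %TEMP% with creation time, SHA-256 and Authenticode status, then reports Run keys and scheduled tasks whose command points back into the Temp folder. The four-character name pattern is an assumption taken from the post; the script uses only standard Windows cmdlets and changes nothing, so the logs requested later in the thread are unaffected.

```powershell
# Added example, not from the thread. Read-only triage of the %TEMP% pattern the poster
# described: short random .exe names plus something that keeps relaunching them.
$Temp = [System.IO.Path]::GetFullPath($env:TEMP)

# 1. Executables whose base name is exactly four letters/digits (assumed pattern).
$suspects = Get-ChildItem -Path $Temp -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[A-Za-z0-9]{4}$' } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            Created   = $_.CreationTime
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Signature = $sig.Status            # NotSigned, Valid, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = if ($hash) { $hash.Hash } else { 'unreadable (locked?)' }
        }
    }

"== Four-character .exe files in $Temp =="
$suspects | Format-Table -AutoSize

# 2. Run / RunOnce keys (per-user and machine-wide) whose value points into a Temp folder.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

"== Autostart values referencing a Temp folder =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
        $value    = [string]$p.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($value)
        if ($expanded.IndexOf($Temp, [StringComparison]::OrdinalIgnoreCase) -ge 0 -or
            $value -match '(?i)%temp%|\\AppData\\Local\\Temp\\') {
            '{0}\{1} => {2}' -f $key, $p.Name, $value
        }
    }
}

# 3. Scheduled tasks whose action executes something from a Temp folder. A task is one
#    common way a dropped file gets re-run after the folder has been emptied.
"== Scheduled tasks running from a Temp folder =="
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match '(?i)\\AppData\\Local\\Temp\\|%temp%') {
            [pscustomobject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Command = $cmd }
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys and all tasks are readable; the hashes it prints can be checked against a reputation service before deciding what to quarantine.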

Hello Attira and welcome to Malwarebytes,

Let's grab some logs and see what's going on, continue with the following:

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Open Malwarebytes
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply

  • Please use "Text file (*.txt)", then name the file and save to a place of choice, recommend "Desktop", then attach to reply


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right-click on FRST/FRST64 and rename it FRSTEnglish/FRST64English

 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

If our tools do not run because of Windows SmartScreen or your security, consider the following:

Disable SmartScreen if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....


Thank you,

Kevin....

Hi Kevin,

thank you for trying to help me out.

Here are the logs:

Adwcleaner

# -------------------------------
# Malwarebytes AdwCleaner 8.3.0.0
# -------------------------------
# Build:    06-29-2021
# Database: 2021-08-09.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    08-28-2021
# Duration: 00:00:01
# OS:       Windows 10 Pro
# Cleaned:  14
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted       C:\Program Files\Hola
Deleted       C:\ProgramData\IObit\Advanced SystemCare
Deleted       C:\Users\38599\AppData\Roaming\Hola
Deleted       C:\Users\38599\AppData\Roaming\IObit\Advanced SystemCare

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

Deleted       C:\Windows\System32\Tasks\DRIVER BOOSTER SCHEDULER

***** [ Registry ] *****

Deleted       HKCU\Software\Hola
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4B3A6F10-0D13-4304-B0D4-EB040D197011} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Driver Booster Scheduler
Deleted       HKLM\Software\Hola
Deleted       HKLM\Software\Wow6432Node\Cheat Engine\OpenCandy
Deleted       HKLM\Software\Wow6432Node\Hola
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{8BF0126F-A5B7-4720-ABB2-2414A0AF5474}

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

Deleted       Honey - jid1-93CWPmRbVPjRQA@jetpack

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [2482 octets] - [28/08/2021 00:24:50]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2021
Ran by Mario (administrator) on MARIO (28-08-2021 02:55:24)
Running from C:\Users\38599\Desktop
Loaded Profiles: Mario
Platform: Windows 10 Pro Version 20H2 19042.1165 (X64) Language: English (United States) -> English (United Kingdom)
Default browser: Brave
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe <12>
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.GamingServices_2.56.11001.0_x64__8wekyb3d8bbwe\gamingservices.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.GamingServices_2.56.11001.0_x64__8wekyb3d8bbwe\gamingservicesnet.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\alg.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\GameBarPresenceWriter.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\oobe\UserOOBEBroker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe
(NVIDIA Corporation -> Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe <3>
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe <3>
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvsphelper64.exe
(Nvidia Corporation -> NVIDIA Corporation) C:\Windows\System32\DriverStore\FileRepository\nvmdi.inf_amd64_9dda6a81a12e6ac4\Display.NvContainer\NVDisplay.Container.exe <2>
(TunnelBear Inc -> TunnelBear) C:\Program Files (x86)\TunnelBear\TunnelBear.Maintenance.exe
(UBISOFT ENTERTAINMENT INC. -> ) C:\Users\38599\AppData\Local\Growtopia\Growtopia.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Riot Vanguard] => C:\Program Files\Riot Vanguard\vgtray.exe [3180256 2021-08-17] (Riot Games, Inc. -> Riot Games, Inc.)
HKLM\...\Run: [SteelSeriesGG] => C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesGG.exe [15176528 2021-05-24] (SteelSeries ApS -> SteelSeries ApS)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2410968 2018-09-13] (Adobe Systems Incorporated -> Adobe Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [706288 2021-04-09] (Oracle America, Inc. -> Oracle Corporation)
HKLM-x32\...\Run: [Adobe CCXProcess] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe [129288 2021-01-25] (Adobe Inc. -> )
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [33770112 2021-05-20] (Piriform Software Ltd -> Piriform Software Ltd)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [uTorrent] => C:\Users\38599\AppData\Roaming\uTorrent\uTorrent.exe [2133544 2021-07-05] (BitTorrent Inc -> BitTorrent Inc.)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [Spotify] => C:\Users\38599\AppData\Roaming\Spotify\Spotify.exe [23947336 2021-05-06] (Spotify AB -> Spotify Ltd)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [Discord] => C:\Users\38599\AppData\Local\Discord\Update.exe [1512760 2020-12-03] (Discord Inc. -> GitHub)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [4110568 2021-07-21] (Valve -> Valve Corporation)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [EpicGamesLauncher] => C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe [33309664 2021-08-26] (Epic Games Inc. -> Epic Games, Inc.)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [NetLimiter] => C:\Program Files\Locktime Software\NetLimiter 4\nlclientapp.exe [93048 2020-08-05] (Locktime Software s.r.o. -> Locktime Software)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [com.squirrel.Teams.Teams] => C:\Users\38599\AppData\Local\Microsoft\Teams\Update.exe [2454184 2021-05-20] (Microsoft 3rd Party Application Component -> Microsoft Corporation)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [ut] => C:\Users\38599\AppData\Roaming\uTorrent\uTorrent.exe [2133544 2021-07-05] (BitTorrent Inc -> BitTorrent Inc.)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Run: [EADM] => C:\Program Files (x86)\Origin\Origin.exe [3144816 2021-08-03] (Electronic Arts, Inc. -> Electronic Arts)
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\Policies\Explorer\DisallowRun: [1] irsetup.exe
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\MountPoints2: {086adcb0-3d0c-11eb-aaa8-c9e661bdfd03} - "D:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\MountPoints2: {7250891b-7b5b-11eb-aab8-0020ed63d749} - "F:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\MountPoints2: {7a9c13ef-eda5-11eb-aac0-0020ed63d749} - "D:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\MountPoints2: {7a9c14b5-eda5-11eb-aac0-0020ed63d749} - "D:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\...\MountPoints2: {c6953348-cd07-11eb-aabe-0020ed63d749} - "D:\HiSuiteDownLoader.exe" 
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files\Google\Chrome\Application\92.0.4515.159\Installer\chrmstp.exe [2021-08-18] (Google LLC -> Google LLC)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}] -> C:\Program Files\BraveSoftware\Brave-Browser\Application\92.1.28.106\Installer\chrmstp.exe [2021-08-25] (Brave Software, Inc. -> Brave Software, Inc.)
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {01E3242E-269F-45FC-B275-FB64C951D841} - System32\Tasks\NvTmRep_CrashReport1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1261424 2021-06-09] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {069E4AEA-8F73-40BE-9C58-67A55B2B4E67} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [155592 2020-12-24] (Google LLC -> Google LLC)
Task: {0DC74644-6288-4178-8E4A-F2FF7C43D105} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [645488 2021-06-09] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {10356792-4D9A-4FE3-A20F-A67A8B9E2D76} - System32\Tasks\Opera GX scheduled Autoupdate 1612130070 => C:\Users\38599\AppData\Local\Programs\Opera GX\launcher.exe
Task: {14EC9A52-28FB-437F-867D-AD7B88192377} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [5722536 2021-08-06] (Microsoft Corporation -> Microsoft Corporation)
Task: {215B8C0D-5914-47C9-BF24-F66DA7A554FF} - System32\Tasks\Driver Booster SkipUAC (38599) => C:\Program Files (x86)\IObit\Driver Booster\7.2.0\DriverBooster.exe
Task: {2E9DA118-7A7E-4FC4-B1A2-D77DBF7B41DC} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [905072 2021-06-09] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {32E23E2E-606A-4ED8-B510-2F29566D6BAD} - System32\Tasks\NvTmRep_CrashReport3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1261424 2021-06-09] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {352B576C-5E9F-4081-A55F-536041C8FCBE} - System32\Tasks\ParkControl => C:\Program Files\ParkControl\parkcontrol.exe
Task: {37E80F4A-F217-499C-910A-5B91B9294BFD} - System32\Tasks\Intel PTT EK Recertification => C:\WINDOWS\System32\DriverStore\FileRepository\iclsclient.inf_amd64_75ffca5eec865b4b\lib\IntelPTTEKRecertification.exe [918288 2020-04-22] (Intel(R) Trust Services -> Intel(R) Corporation)
Task: {38E81E10-F0D5-46D1-BFE4-EEBD41A555EB} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [5722536 2021-08-06] (Microsoft Corporation -> Microsoft Corporation)
Task: {44929930-FDDC-49D3-93B0-1C3259D13295} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [903024 2021-05-04] (NVIDIA Corporation -> NVIDIA Corporation) -> -d "C:\Program Files\NVIDIA Corporation\NvDriverUpdateCheck" -l 3 -f C:\ProgramData\NVIDIA\NvContainerDriverUpdateCheck.log
Task: {456ABE4A-DA8C-4D54-A45B-F13B70C8B1F3} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [139112 2021-08-14] (Microsoft Corporation -> Microsoft Corporation)
Task: {514C0CDA-4C42-41DF-A2ED-720401E8EC46} - System32\Tasks\NvTmRep_CrashReport2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1261424 2021-06-09] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {65FC0310-769A-4EEE-9EB5-BAA95C678765} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [28158080 2021-05-20] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {68440224-F6D0-4993-BAE5-B6305A8B2EDA} - System32\Tasks\NvTmRep_CrashReport4_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1261424 2021-06-09] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {69CF7B89-26C1-42D8-9543-18D6BD6C6BB1} - System32\Tasks\BraveSoftwareUpdateTaskMachineUA => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162456 2021-06-03] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {774A11A4-6CAE-4C45-8B15-E1ED325FFA6D} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1024180935-1169056584-2464113435-1002 => C:\Users\38599\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Task: {8476A8CC-F5B4-4141-BE04-7D00D11DA682} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23253888 2021-08-06] (Microsoft Corporation -> Microsoft Corporation)
Task: {85E553CF-5849-49F1-B3C8-9E1D3812A917} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [905072 2021-06-09] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {8B34E355-1242-4062-BB5D-9C4F622B4B03} - System32\Tasks\Driver Booster SkipUAC (Mario) => C:\Program Files (x86)\IObit\Driver Booster\8.0.2\DriverBooster.exe [8075024 2020-10-12] (IObit Information Technology -> IObit)
Task: {8C90C369-B878-4F80-80A1-35AFED26F9F4} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\Windows\explorer.exe /NOUACCHECK
Task: {8C9D294A-AF66-4F54-924D-57655B3518F3} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1024180935-1169056584-2464113435-500 => C:\Users\38599\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Task: {A3F5921E-9553-448C-8E88-AA32F0B6C972} - System32\Tasks\Opera GX scheduled assistant Autoupdate 1614864523 => C:\Users\38599\AppData\Local\Programs\Opera GX\launcher.exe -> --scheduledautoupdate --component-name=assistant --component-path="C:\Users\38599\AppData\Local\Programs\Opera GX\assistant" $(Arg0)
Task: {A7654CB3-89A1-4FF0-9530-6DD4AD478337} - System32\Tasks\Microsoft\VisualStudio\Updates\BackgroundDownload => C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe [65448 2021-06-11] (Microsoft Corporation -> Microsoft)
Task: {A9D2F099-F064-4001-87B7-9A076EA879EE} - System32\Tasks\NvBatteryBoostCheckOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [903024 2021-05-04] (NVIDIA Corporation -> NVIDIA Corporation) -> -d "C:\Program Files\NVIDIA Corporation\NvBackend\NvBatteryBoostCheck" -l 3 -f C:\ProgramData\NVIDIA\NvContainerBatteryBoostCheck.log
Task: {BBF07A04-45A5-48F2-AE6D-B37D2A16DC71} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [3339120 2021-06-15] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {CAAB795C-14BE-4D61-82E7-ED053777A3F3} - System32\Tasks\Opera scheduled assistant Autoupdate 1582827582 => C:\Users\marko\AppData\Local\Programs\Opera\launcher.exe -> --scheduledautoupdate --component-name=assistant --component-path="C:\Users\marko\AppData\Local\Programs\Opera\assistant" $(Arg0)
Task: {D0409783-E191-4929-8036-68DD56F24ECD} - System32\Tasks\Driver Booster Update => C:\Program Files (x86)\IObit\Driver Booster\8.0.2\AutoUpdate.exe [2264336 2020-09-14] (IObit Information Technology -> IObit)
Task: {D30B0200-ADBB-4DFE-A302-0F0CAD6F1ED7} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [684976 2021-05-20] (Piriform Software Ltd -> Piriform)
Task: {D48E789A-DE4D-4F57-B162-144C32379668} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23253888 2021-08-06] (Microsoft Corporation -> Microsoft Corporation)
Task: {DA0BD029-025B-4925-A77B-97C7C4E58FF3} - System32\Tasks\Opera scheduled Autoupdate 1580402225 => C:\Users\marko\AppData\Local\Programs\Opera\launcher.exe
Task: {E906F25C-A761-4CC2-BF40-779C6894DA0F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [155592 2020-12-24] (Google LLC -> Google LLC)
Task: {EA3AC38B-6B2A-4029-86EA-FB515C747099} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [139112 2021-08-14] (Microsoft Corporation -> Microsoft Corporation)
Task: {ED444A35-1A5C-4553-B64D-B0A221BFA261} - System32\Tasks\BraveSoftwareUpdateTaskMachineCore => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162456 2021-06-03] (Brave Software, Inc. -> BraveSoftware Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
Task: C:\WINDOWS\Tasks\Intel PTT EK Recertification.job => C:\WINDOWS\System32\DriverStore\FileRepository\iclsclient.inf_amd64_75ffca5eec865b4b\lib\IntelPTTEKRecertification.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{6efbc64f-2f8c-49b0-903d-c9865332ebda}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{90ced387-49e7-4ceb-8700-f9662fdb5532}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{90ced387-49e7-4ceb-8700-f9662fdb5532}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{b0317ffb-1f04-4e85-9eb5-ba1784762d08}: [NameServer] 8.8.8.8,8.8.4.4
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION

Edge: 
=======
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
Edge DefaultProfile: Default
Edge Profile: C:\Users\38599\AppData\Local\Microsoft\Edge\User Data\Default [2021-08-27]
Edge Extension: (Honey) - C:\Users\38599\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\amnbcmdbanbkjhnfoeceemmmdiepnbpp [2021-08-24]
Edge Extension: (Outlook) - C:\Users\38599\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bjhmmnoficofgoiacjaajpkfndojknpb [2020-11-19]
Edge Extension: (BlockSite - Stay Focused & Control Your Time) - C:\Users\38599\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\eiimnmioipafcokbfikbljfdeojpcgbh [2021-02-25]
Edge Extension: (Word) - C:\Users\38599\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\hikhggiobiflkdfdgdajcfklmcibbopi [2020-11-19]
Edge Extension: (Night Messenger) - C:\Users\38599\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\hjhnmilbfdehpgfcojlmmooknnkhgdmh [2020-06-06]
Edge Extension: (Excel) - C:\Users\38599\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\leffmjdabcgaflkikcefahmlgpodjkdm [2020-11-19]
Edge Extension: (PowerPoint) - C:\Users\38599\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\opfacbhaojodjaojgocnibmklknchehf [2020-11-19]
Edge HKU\S-1-5-21-1024180935-1169056584-2464113435-1001\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [llbjbkhnmlidjebalopleeepgdfgcpec] - C:\Program Files (x86)\Internet Download Manager\IDMEdgeExt.crx <not found>

FireFox:
========
FF DefaultProfile: ocpikvz6.default
FF ProfilePath: C:\Users\38599\AppData\Roaming\Mozilla\Firefox\Profiles\ytcvdpmq.dev-edition-default [2021-08-24]
FF NetworkProxy: Mozilla\Firefox\Profiles\ytcvdpmq.dev-edition-default -> backup.ftp", "181.78.11.123 "
FF Notifications: Mozilla\Firefox\Profiles\ytcvdpmq.dev-edition-default -> hxxps://spark.adobe.com
FF Extension: (BetterTTV) - C:\Users\38599\AppData\Roaming\Mozilla\Firefox\Profiles\ytcvdpmq.dev-edition-default\Extensions\firefox@betterttv.net.xpi [2020-12-18]
FF Extension: (Simple Translate) - C:\Users\38599\AppData\Roaming\Mozilla\Firefox\Profiles\ytcvdpmq.dev-edition-default\Extensions\simple-translate@sienori.xpi [2021-01-11]
FF Extension: (Twitch Channel Points Autoclicker) - C:\Users\38599\AppData\Roaming\Mozilla\Firefox\Profiles\ytcvdpmq.dev-edition-default\Extensions\{3c9b993f-29b9-44c2-a913-def7b93a70b1}.xpi [2021-01-15]
FF Extension: (Instant Gaming) - C:\Users\38599\AppData\Roaming\Mozilla\Firefox\Profiles\ytcvdpmq.dev-edition-default\Extensions\{b5dd9324-33b6-4ef0-81b6-97496dd6e81d}.xpi [2020-12-05]
FF ProfilePath: C:\Users\38599\AppData\Roaming\Mozilla\Firefox\Profiles\ocpikvz6.default [2020-09-30]
FF ProfilePath: C:\Users\38599\AppData\Roaming\Mozilla\Firefox\Profiles\z7eaeo2h.default-release [2021-08-24]
FF Notifications: Mozilla\Firefox\Profiles\z7eaeo2h.default-release -> hxxps://tinder.com
FF Extension: (UnblurTinder) - C:\Users\38599\AppData\Roaming\Mozilla\Firefox\Profiles\z7eaeo2h.default-release\Extensions\{135319ef-05d8-4b12-9388-67a0d256bf2e}.xpi [2020-09-30]
FF Plugin: @java.com/DTPlugin,version=11.291.2 -> C:\Program Files\Java\jre1.8.0_291\bin\dtplugin\npDeployJava1.dll [2021-05-05] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.291.2 -> C:\Program Files\Java\jre1.8.0_291\bin\plugin2\npjp2.dll [2021-05-05] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2021-05-27] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=3.0.16 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2021-06-18] (VideoLAN -> VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2018-09-13] (Adobe Systems Incorporated -> Adobe Systems)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2021-05-27] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=3.0.12 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2021-01-04] (VideoLAN -> VideoLAN)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2018-09-13] (Adobe Systems Incorporated -> Adobe Systems)

Chrome: 
=======
CHR Profile: C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default [2021-08-25]
CHR Extension: (Slides) - C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2021-07-28]
CHR Extension: (Docs) - C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2021-07-28]
CHR Extension: (Google Drive) - C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2021-07-28]
CHR Extension: (YouTube) - C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2021-07-28]
CHR Extension: (Sheets) - C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2021-07-28]
CHR Extension: (Google Docs Offline) - C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2021-07-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2021-07-28]
CHR Extension: (Gmail) - C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2021-07-28]
CHR Extension: (Chrome Media Router) - C:\Users\38599\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2021-07-28]

Opera: 
=======
OPR Profile: C:\Users\38599\AppData\Roaming\Opera Software\Opera Stable [2021-06-07]
OPR DefaultSuggestURL: Opera Stable -> hxxps://www.google.com/complete/search?client=opera&q={searchTerms}&ie={inputEncoding}&oe={outputEncoding}
OPR Extension: (Rich Hints Agent) - C:\Users\38599\AppData\Roaming\Opera Software\Opera Stable\Extensions\enegjkbbakeegngfapepobipndnebkdk [2020-12-23]
StartMenuInternet: (HKU\S-1-5-21-1024180935-1169056584-2464113435-1001) Opera GXStable - "C:\Users\38599\AppData\Local\Programs\Opera GX\Launcher.exe"

Brave: 
=======
BRA Profile: C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default [2021-08-28]
BRA Extension: (Hola Free VPN Proxy Unblocker - Best VPN) - C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2021-08-07]
BRA Extension: (Twitch Channel Points Auto Redeem) - C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\klmjghhmchlbcjechkhmgcjhkbbbjglb [2021-08-14]
BRA Extension: (OP.GG Darkmode) - C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\ladhbdfdpfjaeonkdmdnogplgbpoiaja [2021-08-12]
BRA Extension: (Brave Local Data Files Updater) - C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal [2021-08-10]
BRA Extension: (Brave Ad Block Updater (Default)) - C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\cffkpbalmllkdoenhmdmpbkajipdjfam [2021-08-28]
BRA Extension: (Brave SpeedReader Updater) - C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\jicbkmdloagakknpihibphagfckhjdih [2021-08-28]
BRA Extension: (Brave NTP sponsored images) - C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\mjpbonbjgpinifgnneajcbigekbpfige [2021-08-28]
BRA Extension: (Crypto Wallets) - C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\odbfpeeihdkbihmopkbjmoonfanlbfcl [2021-06-03]
BRA Extension: (Brave HTTPS Everywhere Updater) - C:\Users\38599\AppData\Local\BraveSoftware\Brave-Browser\User Data\oofiananboodjbbmdelgdommihjbkfag [2021-08-24]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [8912272 2021-06-26] (BattlEye Innovations e.K. -> )
S2 brave; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162456 2021-06-03] (Brave Software, Inc. -> BraveSoftware Inc.)
S3 bravem; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162456 2021-06-03] (Brave Software, Inc. -> BraveSoftware Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [9142128 2021-08-05] (Microsoft Corporation -> Microsoft Corporation)
S3 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [818304 2021-07-23] (EasyAntiCheat Oy -> Epic Games, Inc)
S3 EQU8_19; C:\ProgramData\EQU8\Totally Accurate Battlegrounds\bin\anticheat.x64.equ8.exe [5715032 2021-04-28] (Int3 Software AB -> Int3 Software AB)
S2 HuaweiHiSuiteService64.exe; C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe [190784 2019-10-31] (Huawei Technologies Co., Ltd. -> ) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7456464 2021-03-25] (Malwarebytes Inc -> Malwarebytes)
S2 nlsvc; C:\Program Files\Locktime Software\NetLimiter 4\NLSvc.exe [314232 2020-08-05] (Locktime Software s.r.o. -> Locktime Software)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2556048 2021-08-03] (Electronic Arts, Inc. -> Electronic Arts)
S2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [3474584 2021-08-03] (Electronic Arts, Inc. -> Electronic Arts)
S3 Rockstar Service; A:\Launcher\RockstarService.exe [1856816 2021-08-10] (Rockstar Games, Inc. -> Rockstar Games)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5394872 2021-08-11] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 SteelSeriesUpdateService; C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesUpdateService.exe [31568 2021-05-24] (SteelSeries ApS -> )
R2 TunnelBearMaintenance; C:\Program Files (x86)\TunnelBear\TunnelBear.Maintenance.exe [135496 2021-06-03] (TunnelBear Inc -> TunnelBear)
S3 uncheater_bgl; C:\Program Files\Common Files\Uncheater\uncheater_bgl.exe [2097008 2020-11-29] (Wellbia.com Co., Ltd. -> Wellbia.com Co., Ltd.)
S3 vgc; C:\Program Files\Riot Vanguard\vgc.exe [10112672 2021-08-17] (Riot Games, Inc. -> Riot Games, Inc.)
S3 VSStandardCollectorService150; C:\Program Files (x86)\Microsoft Visual Studio\Shared\Common\DiagnosticsHub.Collection.Service\StandardCollector.Service.exe [147392 2019-04-30] (Microsoft Corporation -> Microsoft Corporation)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2005.5-0\NisSrv.exe [2484256 2020-06-04] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2005.5-0\MsMpEng.exe [103168 2020-06-04] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\WINDOWS\System32\DriverStore\FileRepository\nvmdi.inf_amd64_9dda6a81a12e6ac4\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f %ProgramData%\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\WINDOWS\System32\DriverStore\FileRepository\nvmdi.inf_amd64_9dda6a81a12e6ac4\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BthA2dp; C:\WINDOWS\System32\drivers\BthA2dp.sys [279040 2019-12-07] (Microsoft Corporation) [File not signed]
S3 DroidCam; C:\WINDOWS\System32\drivers\droidcam.sys [32240 2020-04-10] (Microsoft Windows Hardware Compatibility Publisher -> Dev47Apps)
S3 DroidCamVideo; C:\WINDOWS\System32\drivers\droidcamvideo.sys [33784 2020-10-04] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider)
S3 EQU8_HELPER_19; C:\WINDOWS\system32\DRIVERS\EQU8_HELPER_19.sys [38032 2021-04-28] (Int3 Software AB -> )
S3 ew_usbccgpfilter; C:\WINDOWS\System32\drivers\ew_usbccgpfilter.sys [18944 2020-06-29] (Microsoft Windows Hardware Compatibility Publisher -> Huawei Technologies Co., Ltd.)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2020-01-18] (Martin Malik - REALiX -> REALiX(tm))
U5 hw_usbdev; C:\Windows\System32\Drivers\hw_usbdev.sys [116864 2019-10-31] (Microsoft Windows Hardware Compatibility Publisher -> Huawei Technologies Co., Ltd.)
S3 iriuna0; C:\WINDOWS\system32\drivers\iriuna0.sys [46976 2020-10-29] (Iriun Oy -> Windows (R) Win 7 DDK provider)
R3 keyboard; C:\Windows\System32\Drivers\keyboard.sys [18536 2021-07-28] (Francisco Lopes da Silva -> Oblita)
S3 ManyCam; C:\WINDOWS\system32\DRIVERS\mcvidrv.sys [66952 2018-07-30] (ManyCam (VISICOM MÉDIA INC.) -> Visicom Media Inc.)
S0 MbamElam; C:\WINDOWS\System32\DRIVERS\MbamElam.sys [19912 2021-03-25] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [248992 2021-08-28] (Malwarebytes Inc -> Malwarebytes)
S3 mcaudrv_simple; C:\WINDOWS\system32\drivers\mcaudrv_x64.sys [35960 2014-12-29] (ManyCam -> Visicom Media Inc.)
R3 mouse; C:\Windows\System32\Drivers\mouse.sys [18536 2021-07-28] (Francisco Lopes da Silva -> Oblita)
R0 nldrv; C:\WINDOWS\System32\drivers\nldrv.sys [183528 2020-08-05] (Locktime Software s.r.o. -> Locktime Software)
R3 ssdevfactory; C:\WINDOWS\System32\drivers\ssdevfactory.sys [48848 2021-04-06] (SteelSeries ApS -> SteelSeries ApS)
R3 sshid; C:\WINDOWS\system32\DRIVERS\sshid.sys [57440 2020-10-09] (SteelSeries ApS -> SteelSeries ApS)
R3 tap-tb-0901; C:\WINDOWS\System32\drivers\tap-tb-0901.sys [38656 2019-10-15] (TunnelBear, Inc. -> The OpenVPN Project)
S3 tap0901; C:\WINDOWS\System32\drivers\tap0901.sys [27136 2016-04-21] (OpenVPN Technologies, Inc. -> The OpenVPN Project)
S3 tapnordvpn; C:\WINDOWS\System32\drivers\tapnordvpn.sys [44896 2020-06-09] (TEFINCOM S.A. -> The OpenVPN Project)
S3 tapprotonvpn; C:\WINDOWS\System32\drivers\tapprotonvpn.sys [49024 2020-12-30] (Microsoft Windows Hardware Compatibility Publisher -> The OpenVPN Project)
S3 tapwindscribe0901; C:\WINDOWS\System32\drivers\tapwindscribe0901.sys [54896 2018-07-06] (Windscribe Limited -> The OpenVPN Project)
S3 uvhid; C:\WINDOWS\System32\drivers\uvhid.sys [28128 2020-04-21] (Unified Intents AB -> Windows (R) Win 7 DDK provider)
R1 vgk; C:\Program Files\Riot Vanguard\vgk.sys [8232160 2021-08-17] (Riot Games, Inc. -> Riot Games, Inc.)
S3 ViGEmBus; C:\WINDOWS\System32\drivers\ViGEmBus.sys [69168 2020-01-10] (Microsoft Windows Hardware Compatibility Publisher -> Benjamin Höglinger-Stelzer)
S3 WdBoot; C:\WINDOWS\system32\drivers\wd\WdBoot.sys [45960 2020-06-04] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\wd\WdFilter.sys [401120 2020-06-04] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [64224 2020-06-04] (Microsoft Windows -> Microsoft Corporation)
R3 wovad_micarray; C:\WINDOWS\system32\drivers\womic.sys [34288 2019-07-04] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider)
S3 xhunter1; C:\WINDOWS\xhunter1.sys [74552 2020-12-17] (Wellbia.com Co., Ltd. -> Wellbia.com Co., Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-08-28 02:55 - 2021-08-28 02:56 - 000033290 _____ C:\Users\38599\Desktop\FRST.txt
2021-08-28 02:54 - 2021-08-28 02:54 - 002300928 _____ (Farbar) C:\Users\38599\Desktop\FRST64.exe
2021-08-28 02:54 - 2021-08-28 02:54 - 000002412 _____ C:\Users\38599\Desktop\copypastereply.txt
2021-08-28 02:48 - 2021-08-28 02:48 - 008553680 _____ (Malwarebytes) C:\Users\38599\Desktop\adwcleaner_8.3.0.exe
2021-08-28 02:47 - 2021-08-28 02:47 - 000006161 _____ C:\Users\38599\Desktop\malwarebytes-scan.txt
2021-08-28 01:10 - 2021-08-28 01:10 - 000000020 _____ C:\Users\38599\Desktop\provjeritempfolder.txt
2021-08-28 00:49 - 2021-08-28 02:55 - 000000000 ____D C:\FRST
2021-08-28 00:24 - 2021-08-28 00:25 - 000000000 ____D C:\AdwCleaner
2021-08-27 23:41 - 2021-08-27 23:40 - 005294080 _____ (Microsoft Corporation) C:\Users\38599\AppData\Roaming\icacls.exe
2021-08-27 23:41 - 2021-08-27 23:40 - 000461824 _____ (Microsoft Corporation) C:\Users\38599\AppData\Roaming\SysResetErr.exe
2021-08-27 14:24 - 2021-08-27 14:24 - 000000000 ____D C:\Users\38599\AppData\Local\.IdentityService
2021-08-27 13:25 - 2021-08-27 13:25 - 000000000 ____D C:\Users\38599\Creative Cloud Files
2021-08-27 10:03 - 2021-08-27 10:53 - 000000000 ____D C:\Users\38599\Desktop\crnjo
2021-08-26 23:20 - 2021-08-26 23:20 - 000000000 ____D C:\Users\38599\AppData\Roaming\EgretAppManager
2021-08-26 23:08 - 2021-08-27 11:24 - 000000000 ____D C:\Users\38599\AppData\Roaming\DragonBonesPro
2021-08-26 21:49 - 2021-08-26 21:49 - 000000000 ____D C:\Users\38599\AppData\Roaming\CC
2021-08-26 21:47 - 2021-08-26 21:47 - 000000000 ____D C:\Users\38599\AppData\Local\UniSDK
2021-08-26 16:14 - 2021-08-26 16:14 - 005002718 _____ C:\Users\38599\Desktop\Iron Xerath.fantome
2021-08-26 15:11 - 2021-08-26 15:11 - 001288399 _____ C:\Users\38599\Desktop\Ronald_McDonald_Shaco_-_1.1_by_BaeckerSkins.fantome
2021-08-26 15:11 - 2021-08-26 15:11 - 000387386 _____ C:\Users\38599\Desktop\Donald Duck Veigar.fantome
2021-08-26 15:03 - 2021-08-26 15:03 - 000000000 ____D C:\Users\38599\AppData\Local\moonshadow565
2021-08-26 15:03 - 2021-08-26 15:03 - 000000000 ____D C:\Users\38599\AppData\Local\cache
2021-08-26 15:02 - 2021-08-27 16:50 - 000000000 ____D C:\Users\38599\Desktop\lolcustomskin-tools-64
2021-08-26 14:59 - 2021-08-26 14:59 - 004868538 _____ C:\Users\38599\Desktop\Sultan Draven - 1.2 (by Valf).fantome
2021-08-25 23:26 - 2021-08-25 23:30 - 000000332 _____ C:\Users\38599\Desktop\UCENJE.txt
2021-08-25 08:36 - 2021-08-25 08:36 - 000007602 _____ C:\Users\38599\AppData\Local\Resmon.ResmonCfg
2021-08-25 08:26 - 2021-08-25 08:26 - 000000000 ____D C:\Users\38599\AppData\Local\mbam
2021-08-25 06:23 - 2021-08-25 06:23 - 000000000 ____D C:\Users\38599\Documents\Adobe
2021-08-25 06:23 - 2021-08-25 06:22 - 005324800 _____ (Microsoft Corporation) C:\Users\38599\AppData\Roaming\diskraid.exe
2021-08-25 06:22 - 2021-08-25 08:40 - 000000000 ____D C:\Users\38599\AppData\Local\license
2021-08-25 06:22 - 2021-08-25 06:20 - 000473600 _____ (Microsoft Corporation) C:\Users\38599\AppData\Roaming\TokenBrokerCookies.exe
2021-08-25 06:20 - 2021-08-25 08:40 - 000000000 ____D C:\Users\38599\AppData\Roaming\Cached files
2021-08-25 06:19 - 2021-08-25 06:19 - 000001130 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Premiere Pro 2021.lnk
2021-08-25 06:19 - 2021-08-25 06:19 - 000000000 ____D C:\Users\Public\Documents\Adobe
2021-08-25 06:18 - 2021-08-25 08:40 - 000000000 ____D C:\Users\38599\AppData\Roaming\license
2021-08-25 06:18 - 2021-08-25 06:23 - 000000000 ____D C:\Users\38599\AppData\Local\Adobe
2021-08-25 06:08 - 2021-08-25 06:17 - 000000000 ____D C:\Users\38599\AppData\LocalLow\uTorrent
2021-08-25 04:53 - 2021-08-27 11:23 - 000000000 ____D C:\Program Files\Egret
2021-08-25 04:53 - 2021-08-25 04:53 - 000000000 ____D C:\Users\38599\AppData\Roaming\EgretScriptManager
2021-08-25 04:53 - 2021-08-25 04:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Egret
2021-08-25 04:53 - 2021-08-25 04:53 - 000000000 ____D C:\Program Files\Common Files\Egret
2021-08-25 04:48 - 2021-08-26 23:22 - 000000000 ____D C:\Users\38599\AppData\Roaming\DragonBonesProInstaller
2021-08-25 04:48 - 2021-08-26 23:08 - 000000000 ____D C:\Users\38599\AppData\Roaming\Egret
2021-08-25 04:48 - 2021-08-25 04:48 - 000000000 ____D C:\Users\38599\AppData\Roaming\Macromedia
2021-08-25 04:25 - 2021-08-25 04:26 - 000551510 _____ C:\Users\38599\Downloads\watch_2.htm
2021-08-25 04:21 - 2021-08-25 04:21 - 000473034 _____ C:\Users\38599\Downloads\watch.htm
2021-08-25 04:20 - 2021-08-25 04:20 - 000000000 ____D C:\Users\38599\Downloads\Video
2021-08-25 04:20 - 2021-08-25 04:20 - 000000000 ____D C:\Users\38599\Downloads\Compressed
2021-08-25 04:07 - 2021-08-25 04:10 - 000000000 ____D C:\Program Files (x86)\Digiarty
2021-08-25 04:07 - 2021-08-25 04:09 - 000000000 ____D C:\Users\38599\AppData\Roaming\VideoProc
2021-08-25 04:07 - 2021-08-25 04:07 - 000000000 ____D C:\Users\38599\AppData\Roaming\Digiarty
2021-08-24 02:54 - 2021-08-24 02:54 - 000000000 ____D C:\Users\38599\Desktop\Wallpapers
2021-08-24 02:53 - 2021-08-24 02:53 - 000000000 ____D C:\Users\38599\Desktop\Stream
2021-08-24 02:52 - 2021-08-24 02:52 - 000000000 ____D C:\Users\38599\Desktop\Wordpress
2021-08-24 02:37 - 2021-08-24 02:37 - 000000000 __SHD C:\AI_RecycleBin
2021-08-22 22:18 - 2021-08-22 22:18 - 000000000 ____D C:\Users\38599\AppData\Local\pip
2021-08-22 19:51 - 2021-08-22 20:26 - 000000000 ____D C:\Users\38599\AppData\Roaming\Parsec
2021-08-21 04:15 - 2021-08-21 04:15 - 000000000 ____D C:\Users\38599\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Python 3.9
2021-08-21 04:15 - 2021-08-21 04:15 - 000000000 ____D C:\Users\38599\AppData\Local\Package Cache
2021-08-21 03:49 - 2021-08-22 22:29 - 000000000 ____D C:\Users\38599\Desktop\course 1
2021-08-21 03:32 - 2021-08-21 03:32 - 000000000 ____D C:\Program Files\VideoLAN
2021-08-20 18:06 - 2021-08-20 18:06 - 000000000 ____D C:\Users\38599\AppData\Local\BattlEye
2021-08-20 18:05 - 2021-08-20 18:14 - 000000000 ____D C:\Users\38599\AppData\Local\Ubisoft Game Launcher
2021-08-19 17:38 - 2021-08-25 23:31 - 000000116 _____ C:\Users\38599\Desktop\growtopiaearning.txt
2021-08-18 05:24 - 2021-08-18 05:24 - 000000000 ____D C:\Users\38599\AppData\Local\paint.net
2021-08-17 05:42 - 2021-08-24 02:36 - 000000000 ____D C:\ProgramData\Adguard
2021-08-17 05:18 - 2021-08-18 16:48 - 000000032 _____ C:\Users\38599\AppData\Roaming\.machineId
2021-08-17 05:16 - 2021-08-17 05:16 - 000000000 ____D C:\Users\38599\AppData\Local\Overwolf
2021-08-12 16:29 - 2021-08-12 16:29 - 000000000 ____D C:\Users\38599\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zoom
2021-08-11 22:51 - 2021-08-11 22:51 - 000000000 ____D C:\Users\38599\AppData\Local\Athena
2021-08-11 19:11 - 2021-08-11 19:11 - 002755584 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.tlb
2021-08-11 19:11 - 2021-08-11 19:11 - 002755584 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.tlb
2021-08-11 19:11 - 2021-08-11 19:11 - 001823280 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2021-08-11 19:11 - 2021-08-11 19:11 - 001393480 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
2021-08-11 19:11 - 2021-08-11 19:11 - 001333760 _____ C:\WINDOWS\SysWOW64\TextInputMethodFormatter.dll
2021-08-11 19:11 - 2021-08-11 19:11 - 000288768 _____ C:\WINDOWS\system32\Windows.Management.InprocObjects.dll
2021-08-11 19:11 - 2021-08-11 19:11 - 000011347 _____ C:\WINDOWS\system32\DrtmAuthTxt.wim
2021-08-11 19:06 - 2021-08-11 19:06 - 000000000 ___HD C:\$WinREAgent
2021-08-11 02:16 - 2021-08-11 02:16 - 000000000 ____D C:\Users\38599\Desktop\ilspy
2021-08-11 02:13 - 2021-08-11 02:13 - 000000000 ____D C:\Users\38599\AppData\Local\SymbolSourceSymbols
2021-08-11 02:13 - 2021-08-11 02:13 - 000000000 ____D C:\Users\38599\AppData\Local\RefSrcSymbols
2021-08-11 02:13 - 2021-08-11 02:13 - 000000000 ____D C:\Users\38599\AppData\Local\NuGet
2021-08-11 02:11 - 2021-08-11 02:13 - 000000000 ____D C:\Users\38599\AppData\Local\JetBrains
2021-08-11 00:32 - 2021-08-11 00:32 - 000000000 ____D C:\Users\38599\AppData\Local\VirtualStore
2021-08-10 18:52 - 2021-08-10 18:52 - 000000000 ____D C:\Users\38599\AppData\Local\ServiceHub
2021-08-10 18:42 - 2021-08-10 18:43 - 000000000 ____D C:\Users\38599\AppData\Local\Rockstar Games
2021-08-10 18:41 - 2021-08-10 18:47 - 000000000 ____D C:\Users\38599\Desktop\modest
2021-08-10 16:45 - 2021-08-10 16:45 - 002159759 _____ C:\Users\38599\Desktop\Prva_pomoc.pdf
2021-08-06 15:46 - 2021-08-06 15:46 - 000038032 _____ C:\WINDOWS\system32\Drivers\EQU8_HELPER_36.sys
2021-08-06 15:46 - 2021-08-06 15:46 - 000000000 ____D C:\Users\38599\AppData\Local\PortalWars
2021-08-03 19:29 - 2021-08-03 19:30 - 000000000 ____D C:\Users\38599\Documents\Battlefield 1
2021-08-03 17:53 - 2021-08-04 00:15 - 000000000 ____D C:\Program Files (x86)\Origin Games
2021-08-03 17:51 - 2021-08-03 17:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Origin
2021-08-03 17:51 - 2021-08-03 17:51 - 000000000 ____D C:\Program Files (x86)\Origin
2021-08-03 17:50 - 2021-08-11 00:32 - 000000000 ____D C:\Users\38599\AppData\Local\Origin
2021-07-31 20:22 - 2021-07-31 20:22 - 000000000 ____D C:\Users\38599\AppData\Local\FortniteGame
2021-07-31 20:22 - 2021-07-31 20:22 - 000000000 ____D C:\Users\38599\AppData\Local\CrashReportClient
2021-07-31 16:11 - 2021-08-25 06:14 - 000000000 ____D C:\Users\38599\AppData\Local\BitTorrentHelper
2021-07-31 00:26 - 2021-07-31 00:26 - 000000000 ____D C:\Users\38599\AppData\Local\Maine
2021-07-29 16:29 - 2021-07-29 16:29 - 000000000 ____D C:\Users\38599\AppData\Local\PlaceholderTileLogoFolder
2021-07-29 14:28 - 2021-08-24 02:38 - 000000000 ____D C:\Users\38599\AppData\Local\Blizzard Entertainment

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-08-28 02:45 - 2020-01-20 13:56 - 000000000 ____D C:\Program Files (x86)\Google
2021-08-28 02:29 - 2020-11-19 09:43 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2021-08-28 01:16 - 2021-07-27 22:50 - 000000000 ____D C:\Users\38599\AppData\Local\Growtopia
2021-08-28 01:16 - 2021-07-27 21:43 - 000000000 ____D C:\Users\38599\AppData\Local\CrashDumps
2021-08-28 01:16 - 2019-12-07 11:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2021-08-28 00:25 - 2020-01-18 20:08 - 000000000 ____D C:\ProgramData\NVIDIA
2021-08-28 00:25 - 2020-01-18 20:04 - 000000000 ____D C:\Users\38599\AppData\Roaming\IObit
2021-08-28 00:25 - 2020-01-18 20:04 - 000000000 ____D C:\ProgramData\IObit
2021-08-28 00:17 - 2019-12-07 11:13 - 000000000 ____D C:\WINDOWS\INF
2021-08-28 00:08 - 2020-11-19 09:54 - 000840830 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2021-08-28 00:04 - 2020-05-10 12:51 - 000000001 _____ C:\WINDOWS\vgkbootstatus.dat
2021-08-28 00:03 - 2020-01-18 20:53 - 000000000 ____D C:\Program Files\CCleaner
2021-08-28 00:02 - 2020-07-13 17:51 - 000000717 _____ C:\WINDOWS\system32\Drivers\etc\hosts.ics
2021-08-28 00:01 - 2021-03-25 04:20 - 000248992 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2021-08-28 00:01 - 2020-12-13 08:25 - 000008192 ___SH C:\DumpStack.log.tmp
2021-08-28 00:01 - 2020-11-19 09:43 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2021-08-27 23:59 - 2020-11-19 09:43 - 000438920 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2021-08-27 23:59 - 2019-12-07 11:03 - 000262144 _____ C:\WINDOWS\system32\config\BBI
2021-08-27 23:58 - 2021-05-08 05:42 - 000000000 ____D C:\Program Files\Riot Vanguard
2021-08-27 23:58 - 2020-12-13 08:27 - 000000000 ____D C:\Users\38599
2021-08-27 23:58 - 2019-12-07 11:54 - 000000000 ____D C:\Program Files\Windows Defender Advanced Threat Protection
2021-08-27 23:58 - 2019-12-07 11:52 - 000000000 ____D C:\WINDOWS\OCR
2021-08-27 23:58 - 2019-12-07 11:14 - 000000000 ___SD C:\WINDOWS\system32\UNP
2021-08-27 23:58 - 2019-12-07 11:14 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2021-08-27 23:58 - 2019-12-07 11:14 - 000000000 ____D C:\WINDOWS\SysWOW64\Dism
2021-08-27 23:58 - 2019-12-07 11:14 - 000000000 ____D C:\WINDOWS\SystemResources
2021-08-27 23:58 - 2019-12-07 11:14 - 000000000 ____D C:\WINDOWS\system32\oobe
2021-08-27 23:58 - 2019-12-07 11:14 - 000000000 ____D C:\WINDOWS\system32\Dism
2021-08-27 23:58 - 2019-12-07 11:14 - 000000000 ____D C:\WINDOWS\ShellComponents
2021-08-27 23:58 - 2019-12-07 11:14 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2021-08-27 23:58 - 2019-12-07 11:14 - 000000000 ____D C:\WINDOWS\bcastdvr
2021-08-27 23:58 - 2019-12-07 11:03 - 000000000 ____D C:\WINDOWS\servicing
2021-08-27 23:54 - 2020-02-07 19:53 - 000000000 ____D C:\Users\38599\AppData\Roaming\Discord
2021-08-27 18:49 - 2019-12-07 11:14 - 000000000 ____D C:\WINDOWS\AppReadiness
2021-08-27 18:08 - 2020-12-17 05:06 - 000000000 ____D C:\Users\38599\AppData\Roaming\obs-studio
2021-08-27 16:54 - 2020-07-30 16:32 - 000000000 ____D C:\Users\38599\AppData\Local\Discord
2021-08-27 15:33 - 2020-01-18 21:13 - 000000000 ____D C:\ProgramData\Riot Games
2021-08-27 14:21 - 2020-07-30 21:14 - 000000000 ____D C:\Program Files (x86)\Steam
2021-08-27 13:32 - 2021-01-22 21:46 - 000000000 ____D C:\Users\38599\AppData\Roaming\vlc
2021-08-26 19:28 - 2021-05-07 22:59 - 000000000 ____D C:\Users\38599\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2021-08-26 15:08 - 2021-07-28 03:29 - 000000000 ____D C:\Users\38599\AppData\Local\D3DSCache
2021-08-25 16:18 - 2019-12-07 11:14 - 000000000 ___HD C:\Program Files\WindowsApps
2021-08-25 16:17 - 2020-11-19 09:46 - 000002446 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2021-08-25 16:11 - 2020-12-13 15:35 - 000003394 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore1d6d10c3371840e
2021-08-25 16:11 - 2020-11-19 09:46 - 000003488 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2021-08-25 13:33 - 2021-06-03 02:27 - 000002360 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brave.lnk
2021-08-25 06:23 - 2020-01-18 19:58 - 000000000 ____D C:\Users\38599\AppData\Roaming\Adobe
2021-08-25 06:19 - 2020-02-17 17:21 - 000000000 ____D C:\Program Files\Common Files\Adobe
2021-08-25 06:19 - 2020-02-17 17:18 - 000000000 ____D C:\Program Files\Adobe
2021-08-25 06:18 - 2020-02-17 17:17 - 000000000 ____D C:\Program Files (x86)\Adobe
2021-08-25 06:18 - 2020-01-18 21:06 - 000000000 ____D C:\ProgramData\Package Cache
2021-08-25 06:17 - 2020-01-18 21:41 - 000000000 ____D C:\Users\38599\AppData\Roaming\uTorrent
2021-08-24 18:38 - 2021-02-15 00:07 - 002163152 _____ (Microsoft Corporation) C:\WINDOWS\system32\xgameruntime.dll
2021-08-24 18:38 - 2021-02-15 00:07 - 000307648 _____ (Microsoft Corporation) C:\WINDOWS\system32\gameplatformservices.dll
2021-08-24 18:38 - 2021-02-15 00:07 - 000213456 _____ (Microsoft Corporation) C:\WINDOWS\system32\gamingservicesproxy.dll
2021-08-24 18:38 - 2021-02-15 00:07 - 000188856 _____ (Microsoft Corporation) C:\WINDOWS\system32\gameconfighelper.dll
2021-08-24 18:38 - 2021-02-15 00:07 - 000131072 _____ (Microsoft Corporation) C:\WINDOWS\system32\gamingtcuihelpers.dll
2021-08-24 18:38 - 2021-02-15 00:07 - 000061904 _____ (Microsoft Corporation) C:\WINDOWS\system32\gamemodcontrol.exe
2021-08-24 05:01 - 2020-08-09 18:53 - 000000000 ____D C:\Users\38599\AppData\Roaming\Warner Bros. Interactive Entertainment
2021-08-24 02:54 - 2020-07-24 21:51 - 000000000 ____D C:\Users\38599\Desktop\Pics
2021-08-24 02:53 - 2020-10-21 21:46 - 000000000 ____D C:\Users\38599\Desktop\Text
2021-08-24 02:53 - 2020-01-18 19:58 - 000000000 ____D C:\Users\38599\AppData\Local\Packages
2021-08-24 02:45 - 2021-06-24 22:12 - 000000000 ____D C:\Users\38599\AppData\Roaming\EasyAntiCheat
2021-08-24 02:45 - 2021-04-28 22:53 - 000000000 ____D C:\ProgramData\EQU8
2021-08-24 02:37 - 2021-06-23 18:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Blackmagic Design
2021-08-24 02:37 - 2021-06-11 21:35 - 000000000 ____D C:\Program Files (x86)\Proton Technologies
2021-08-24 02:36 - 2020-04-12 01:55 - 000000000 ____D C:\Users\38599\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rockstar Games
2021-08-24 02:35 - 2021-06-23 18:19 - 000000000 ____D C:\Program Files\Blackmagic Design
2021-08-24 02:34 - 2021-06-17 00:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\R.G. Mechanics
2021-08-23 22:02 - 2020-05-28 19:04 - 000000000 ____D C:\Users\38599\AppData\Roaming\Code
2021-08-23 16:26 - 2019-12-07 11:03 - 000000000 ____D C:\WINDOWS\CbsTemp
2021-08-21 04:31 - 2020-05-28 19:04 - 000000000 ____D C:\Users\38599\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Visual Studio Code
2021-08-20 15:19 - 2020-06-11 19:19 - 000000000 ____D C:\Users\38599\Documents\The Witcher 3
2021-08-19 23:05 - 2020-02-09 21:56 - 000000000 ____D C:\Users\38599\AppData\Roaming\.minecraft
2021-08-19 23:04 - 2020-02-09 21:59 - 000000000 ____D C:\Users\38599\AppData\Roaming\.tlauncher
2021-08-19 23:02 - 2021-05-05 19:50 - 000000000 ____D C:\Users\38599\Desktop\MCSERVER
2021-08-18 00:46 - 2020-12-24 11:11 - 000002243 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2021-08-14 14:57 - 2021-05-07 02:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit
2021-08-14 14:57 - 2021-05-05 19:57 - 000068936 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll
2021-08-14 14:57 - 2021-05-05 19:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2021-08-14 14:57 - 2021-05-05 19:57 - 000000000 ____D C:\Program Files\Java
2021-08-14 03:22 - 2020-03-18 22:24 - 000000000 ____D C:\Program Files\Microsoft Office
2021-08-13 13:51 - 2020-10-05 19:20 - 000000000 ____D C:\Program Files\Microsoft Update Health Tools
2021-08-12 16:29 - 2021-04-26 12:38 - 000000000 ____D C:\Users\38599\AppData\Roaming\Zoom
2021-08-11 22:51 - 2021-07-28 20:28 - 000000000 ____D C:\Users\38599\AppData\Local\UnrealEngine
2021-08-11 19:05 - 2020-01-21 00:42 - 000000000 ____D C:\WINDOWS\system32\MRT
2021-08-11 19:03 - 2020-01-21 00:42 - 133215968 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2021-08-11 02:12 - 2021-02-08 01:52 - 000000000 ____D C:\Users\38599\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JetBrains
2021-08-11 01:00 - 2020-03-14 17:03 - 000000000 ____D C:\ProgramData\Origin
2021-08-11 00:38 - 2021-03-25 04:20 - 000199128 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae64.sys
2021-08-11 00:32 - 2021-01-18 04:02 - 000000000 ____D C:\Users\38599\AppData\Roaming\Origin
2021-08-11 00:30 - 2019-12-07 11:14 - 000000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2021-08-11 00:30 - 2019-12-07 11:14 - 000000000 ____D C:\Program Files\Common Files\System
2021-08-09 20:56 - 2021-07-28 02:51 - 000000000 ____D C:\Users\38599\AppData\Local\Google
2021-08-04 22:40 - 2020-12-13 08:31 - 000003470 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA
2021-08-04 22:40 - 2020-12-13 08:31 - 000003346 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore
2021-07-29 08:16 - 2019-12-07 11:14 - 000000000 ____D C:\Program Files\Common Files\microsoft shared

==================== Files in the root of some directories ========

2021-03-09 02:09 - 2021-03-09 02:09 - 000000258 _____ () C:\ProgramData\fontcacheev1.dat
2021-08-17 05:18 - 2021-08-18 16:48 - 000000032 _____ () C:\Users\38599\AppData\Roaming\.machineId
2021-06-09 16:33 - 2021-06-09 16:33 - 000065440 ___SH (Microsoft Corporation) C:\Users\38599\AppData\Roaming\bajgdjw
2021-08-25 06:23 - 2021-08-25 06:22 - 005324800 _____ (Microsoft Corporation) C:\Users\38599\AppData\Roaming\diskraid.exe
2021-06-09 16:33 - 2021-06-09 16:33 - 000248375 ___SH () C:\Users\38599\AppData\Roaming\fcsavua
2020-09-07 17:14 - 2020-04-19 02:30 - 000001927 _____ () C:\Users\38599\AppData\Roaming\FOR SERVERS ONLY - SET THESE IN SERVER.PROPERTIES.txt
2021-08-27 23:41 - 2021-08-27 23:40 - 005294080 _____ (Microsoft Corporation) C:\Users\38599\AppData\Roaming\icacls.exe
2020-04-01 20:15 - 2021-07-28 20:44 - 000000653 _____ () C:\Users\38599\AppData\Roaming\jd-gui.cfg
2020-09-07 17:14 - 2020-03-09 23:21 - 000003945 _____ () C:\Users\38599\AppData\Roaming\options.txt
2020-09-07 17:14 - 2020-03-06 22:26 - 000001433 _____ () C:\Users\38599\AppData\Roaming\optionsof.txt
2020-09-07 17:14 - 2020-04-11 00:52 - 000000372 _____ () C:\Users\38599\AppData\Roaming\optionsshaders.txt
2020-09-07 17:14 - 2020-04-20 10:06 - 000023642 _____ () C:\Users\38599\AppData\Roaming\RLCraft v2.8.2 ChangeLog.txt
2021-08-27 23:41 - 2021-08-27 23:40 - 000461824 _____ (Microsoft Corporation) C:\Users\38599\AppData\Roaming\SysResetErr.exe
2021-08-25 06:22 - 2021-08-25 06:20 - 000473600 _____ (Microsoft Corporation) C:\Users\38599\AppData\Roaming\TokenBrokerCookies.exe
2020-12-04 01:54 - 2020-12-04 01:59 - 000034856 _____ () C:\Users\38599\AppData\Roaming\VoiceMeeterBananaDefault.xml
2020-12-04 22:47 - 2020-12-04 23:11 - 000060428 _____ () C:\Users\38599\AppData\Roaming\VoiceMeeterPotatoDefault.xml
2020-12-24 22:58 - 2020-12-24 22:58 - 000000049 _____ () C:\Users\38599\AppData\Roaming\~SiMPLEX.ini
2021-08-25 08:36 - 2021-08-25 08:36 - 000007602 _____ () C:\Users\38599\AppData\Local\Resmon.ResmonCfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================


MalwareBytes log and Addition.txt are attached.

Thank you!


Hiya Attira,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs in your next reply...

Thank you,

Kevin.

fixlist.txt

Edited by kevinf80

Hi again,

I've done all the things you told me to.


msert.log

Quote


---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.347, (build 1.347.571.0)
Started On Sat Aug 28 14:31:56 2021

Engine: 1.1.18500.10
Signatures: 1.347.571.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Quick Scan Results:
-------------------
Threat Detected: VirTool:Win32/DefenderTamperingRestore and Removed!
  Action: Remove, Result: 0x00000000
    regkeyvalue://hklm\software\policies\microsoft\windows defender\\DisableAntiSpyware
        SigSeq: 0x0000055555C57273

Results Summary:
----------------
Found VirTool:Win32/DefenderTamperingRestore and Removed!
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Sat Aug 28 14:36:30 2021


Return code: 6 (0x6)

Also the fixlog.txt is attached.

Fixlog.txt

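The msert.log quoted above records a policy-key detection (VirTool:Win32/DefenderTamperingRestore on HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware), and the usual follow-up question is whether that value is really gone. The PowerShell below is an added example, not part of this thread and not from Microsoft Safety Scanner: it parses the msert.log format shown in the post (Threat Detected / Action, Result / target URI lines) and, for each regkeyvalue target, re-reads the registry to confirm the value is absent. The sample log text is constructed from the post's own lines, and the function names are my own.

```powershell
# Added example: parse msert.log detections and re-verify regkeyvalue targets.
# The sample below is constructed from the log lines quoted in the thread; on a
# real machine replace it with: Get-Content C:\Windows\debug\msert.log
$sampleLog = @'
---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.347, (build 1.347.571.0)
Started On Sat Aug 28 14:31:56 2021

Quick Scan Results:
-------------------
Threat Detected: VirTool:Win32/DefenderTamperingRestore and Removed!
  Action: Remove, Result: 0x00000000
    regkeyvalue://hklm\software\policies\microsoft\windows defender\\DisableAntiSpyware
        SigSeq: 0x0000055555C57273

Results Summary:
----------------
Found VirTool:Win32/DefenderTamperingRestore and Removed!
Microsoft Safety Scanner Finished On Sat Aug 28 14:36:30 2021
'@

function Get-MsertDetections {
    # Returns one object per "Threat Detected:" block with its result code and targets.
    param([string[]]$Lines)
    $detections = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Threat Detected:\s+(?<name>\S+)') {
            $current = [pscustomobject]@{ Threat = $Matches.name; Result = $null; Targets = @() }
            $detections += $current
        }
        elseif ($current -and $line -match 'Result:\s+(?<code>0x[0-9A-Fa-f]+)') {
            $current.Result = $Matches.code
        }
        elseif ($current -and $line -match '^\s+(?<scheme>\w+)://(?<path>.+)$') {
            # Target URIs such as regkeyvalue://<key>\\<value> or file://<path>
            $current.Targets += [pscustomobject]@{ Scheme = $Matches.scheme; Path = $Matches.path }
        }
    }
    return $detections
}

function Test-RegValueRemoved {
    # Target format used by msert.log: <hive>\<subkey>\\<valuename> (double backslash
    # separates key from value). Reports whether the value still exists.
    param([string]$Target)
    $keyPath, $valueName = $Target -split '\\\\', 2
    if (-not $valueName) { return "cannot parse target: $Target" }
    $hive, $subKey = $keyPath -split '\\', 2
    $psPath = "$($hive.ToUpper()):\$subKey"
    if (-not (Test-Path -Path $psPath -ErrorAction SilentlyContinue)) {
        return "key $psPath absent (clean)"
    }
    $item = Get-ItemProperty -Path $psPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "$valueName absent under $psPath (clean)" }
    return "$valueName STILL PRESENT under $psPath = $($item.$valueName)"
}

# Usage: list each detection and re-check its registry targets.
$found = Get-MsertDetections -Lines ($sampleLog -split "`r?`n")
foreach ($d in $found) {
    "{0} (result {1})" -f $d.Threat, $d.Result
    foreach ($t in $d.Targets) {
        if ($t.Scheme -eq 'regkeyvalue') { '  ' + (Test-RegValueRemoved -Target $t.Path) }
        else { '  ' + $t.Scheme + ': ' + $t.Path }
    }
}
```

A result of 0x00000000 in the log means the scanner reported a successful removal; the registry re-check is the independent confirmation. If the value reappears after a reboot, something on the machine is re-creating the policy, which is the kind of persistence the later steps in this thread (FRST fix, clean restore point) are meant to rule out.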

Hello Kevin,

I think the issue has been resolved. No new .exe files are being generated, the two Bitcoin miners were also removed and I can't find anything sketchy in the task manager.

There haven't been any issues since I ran the Adwcleaner that you linked.

Thanks!


Hiya Attira,

Thanks for the update, good to hear your system is ok for you now. Continue to finish up:

Right click on FRST here: C:\Users\38599\Desktop\FRST.exe and rename it to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Consider the following:

Disable Remote Desktop: https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

Disable Windows Telemetry: https://helpdeskgeek.com/windows-10/how-to-disable-windows-10-telemetry/

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/

Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee Will also work for Opera and Edge..

PatchMyPC, keep all your software up to date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you


This topic is now closed to further replies.