Knooper Posted August 30, 2021 ID:1477393 Share Posted August 30, 2021 I tried running a suspicious copy of Adobe Premiere and now I seem to have a plethora of the latest viruses on my PC 🙃 Malwarebytes initially scanned and quarantined the following: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/29/21 Scan Time: 8:20 PM Log File: 32a56a3a-0941-11ec-892b-6045cba08bf4.json -Software Information- Version: 4.4.5.130 Components Version: 1.0.1430 Update Package Version: 1.0.44469 License: Trial -System Information- OS: Windows 10 (Build 19043.1165) CPU: x64 File System: NTFS User: DESKTOP-0NDNAHI\Knoop -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 299123 Threats Detected: 10 Threats Quarantined: 10 Time Elapsed: 1 min, 46 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Trojan.KeyLogger, HKU\S-1-5-21-1062094570-161052252-1746623260-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SYSTEM, Quarantined, 1916, 359516, 1.0.44469, , ame, , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 9 Trojan.KeyLogger, C:\USERS\WHOOP\APPDATA\LOCAL\TEMP\A357.EXE, Quarantined, 1916, 359516, , , , , A2968300E88E5C7F392EA704E39FF9B4, 4DDAB2F07510C05F41F1913FDFFBA8B41FF30F7E67932BC54CA81B13A5BF41F8 Trojan.Downloader, C:\USERS\WHOOP\APPDATA\ROAMING\CACHED FILES\SETUP5.EXE, Quarantined, 540, 973860, 1.0.44469, , ame, , EB0B592E96CFAACC113491B333BADFFF, 4CB95D155A76825093B430C7293245F29EA4389CAA1E0F3F460B74398170ECEB PUP.Optional.BundleInstaller, C:\$RECYCLE.BIN\S-1-5-21-1062094570-161052252-1746623260-1001\$RMUDNHH.EXE, Quarantined, 527, 875791, 1.0.44469, , ame, , 1FjMjtzom8sQqT4RxQCTwt8xSZ8N4UKdE5, 50E6C4EBE44719DEB4CEC7822571CD1BBA99E0148D8A8843EBCE12254AECF961 Spyware.AgentTesla, C:\USERS\WHOOP\APPDATA\LOCAL\LICENSE\ONSE.EXE, Quarantined, 524, 932069, 1.0.44469, 17F67A0A18FCEA8BED6C325D, dds, 01399324, 7BC69F6FAC0D853781B1A72CBA8C770F, 0D2C9B94A19E43C0A017A18C4E386F3A2BB5BDC82D1D8FD69F9864B41B7B7B28 RiskWare.BitCoinMiner, C:\USERS\WHOOP\APPDATA\ROAMINGGPUXTREME.EXE, Quarantined, 921, 947687, 1.0.44469, 498DF7D249CF1491FCB30114, dds, 01399324, A5B21C9FA5B21D80FFA920F959E2BC0F, D45EA79896106F7AFE990FB919C3F610F846CAA4CD11717DAA5B092A7B1653A4 Trojan.Downloader, C:\USERS\WHOOP\APPDATA\LOCAL\TEMP\MSI5915.TMP, Quarantined, 540, 939219, 1.0.44469, 603C3B0B4216587476FAC480, dds, 01399324, D300E84764270BB3DB881C1C0FB7425C, 6E2CCA1A24AE47BB636BC279302C99602C4EB2FA9EB5669883CAFA68AA6953C8 Trojan.Dropper, C:\USERS\WHOOP\APPDATA\LOCAL\TEMP\A83A.EXE, Quarantined, 606, 967801, 1.0.44469, BD2E2708BD2E7C2EFC9F00C3, dds, 01399324, 451B216BB01CF83BE534048A34BBD598, E9F16A751542FB2841BFCFB29FB0BBCE15635E23ADF99D093A1A2D6394BF33DC Trojan.Downloader, C:\USERS\WHOOP\APPDATA\LOCAL\TEMP\ADOBEIPCBROKER.EXE, Quarantined, 540, 939219, 1.0.44469, 603C3B0B4216587476FAC480, dds, 01399324, D300E84764270BB3DB881C1C0FB7425C, 6E2CCA1A24AE47BB636BC279302C99602C4EB2FA9EB5669883CAFA68AA6953C8 Trojan.Downloader, C:\WINDOWS\INSTALLER\1B7CDBA.MSI, Quarantined, 540, 939219, 1.0.44469, , ame, , C39E2404C20C9805D2619C0C8033A5A5, B99D5598E3F50A9F76F41BA358AC974883BBB54BDA8294DA2A7864DB1B63BBE4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) I scanned once again after this, but with rootkits enabled this time and got no detections. Despite this my viruses seem to persist. I get notification like this all the time from Malwarebytes: Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 8/29/21 Protection Event Time: 9:44 PM Log File: ea4a9330-094c-11ec-a07a-6045cba08bf4.json -Software Information- Version: 4.4.5.130 Components Version: 1.0.1430 Update Package Version: 1.0.44469 License: Trial -System Information- OS: Windows 10 (Build 19043.1165) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Users\whoop\AppData\Local\Temp\RegAsm.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: Malware Domain: IP Address: 45.134.225.35 Port: 7821 Type: Outbound File: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe (end) I downloaded AdwCleaner and did a scan, but nothing turns up either: # ------------------------------- # Malwarebytes AdwCleaner 8.3.0.0 # ------------------------------- # Build: 06-29-2021 # Database: 2021-06-29.1 (Local) # Support: https://www.malwarebytes.com/support # # ------------------------------- # Mode: Scan # ------------------------------- # Start: 08-29-2021 # Duration: 00:00:12 # OS: Windows 10 Home # Scanned: 31984 # Detected: 0 ***** [ Services ] ***** No malicious services found. ***** [ Folders ] ***** No malicious folders found. ***** [ Files ] ***** No malicious files found. ***** [ DLL ] ***** No malicious DLLs found. ***** [ WMI ] ***** No malicious WMI found. ***** [ Shortcuts ] ***** No malicious shortcuts found. ***** [ Tasks ] ***** No malicious tasks found. ***** [ Registry ] ***** No malicious registry entries found. ***** [ Chromium (and derivatives) ] ***** No malicious Chromium entries found. ***** [ Chromium URLs ] ***** No malicious Chromium URLs found. ***** [ Firefox (and derivatives) ] ***** No malicious Firefox entries found. ***** [ Firefox URLs ] ***** No malicious Firefox URLs found. ***** [ Hosts File Entries ] ***** No malicious hosts file entries found. ***** [ Preinstalled Software ] ***** No Preinstalled Software found. ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ########## I downloaded and scanned with FRST. Here are the results of my FRST scan: Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-08-2021 Ran by Knoop (administrator) on DESKTOP-0NDNAHI (29-08-2021 21:59:55) Running from F:\SORT THIS Loaded Profiles: Knoop Platform: Windows 10 Home Version 21H1 19043.1165 (X64) Language: English (United States) Default browser: Chrome Boot Mode: Normal ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Adobe Inc. -> Adobe Inc) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\IPCBox\AdobeIPCBroker.exe (Adobe Inc. -> Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe (Discord Inc. -> Discord Inc.) C:\Users\whoop\AppData\Local\Discord\app-1.0.9002\Discord.exe <6> (Electronic Arts, Inc. -> Electronic Arts) C:\Program Files (x86)\Origin\OriginWebHelperService.exe (Firebit OU -> Rainmeter) C:\Program Files\Rainmeter\Rainmeter.exe (Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <55> (Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe (Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe (Hauke Hasselberg) C:\Program Files\WindowsApps\HaukeGtze.NotepadEditor_1.812.1.0_x64__6bk20wvc8rfx2\notepad++_.exe (June Fabrics Technology Inc. -> ) C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe (Logitech Inc -> Logitech, Inc.) C:\Program Files\LGHUB\lghub.exe <3> (Logitech Inc -> Logitech, Inc.) C:\Program Files\LGHUB\lghub_agent.exe (Logitech Inc -> Logitech, Inc.) C:\Program Files\LGHUB\lghub_updater.exe (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe (Malwarebytes Inc -> Malwarebytes) F:\SORT THIS\adwcleaner_8.3.0.exe (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe <17> (Microsoft Corporation -> Microsoft Corporation) C:\Users\whoop\AppData\Local\Temp\RegAsm.exe <7> (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_3.2106.14307.0_x64__8wekyb3d8bbwe\Cortana.exe (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_12107.1001.15.0_x64__8wekyb3d8bbwe\WinStore.App.exe (Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\oobe\UserOOBEBroker.exe (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\SecurityHealthHost.exe <2> (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\Taskmgr.exe (Microsoft Windows -> Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MsMpEng.exe (Node.js Foundation -> Node.js) C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe (Notepad++ -> Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe (NVIDIA Corporation -> Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe (NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe <3> (NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe <3> (NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvsphelper64.exe (NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_8e68f77150e57b50\Display.NvContainer\NVDisplay.Container.exe <2> (Valve -> Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve -> Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe <7> (Valve -> Valve Corporation) C:\Program Files (x86)\Steam\steam.exe (Wacom Co., Ltd. -> Wacom Co. Ltd.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe (Wacom Co., Ltd. -> Wacom Co. Ltd.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe (Wacom Co., Ltd. -> Wacom Co. Ltd.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe (Wacom Co., Ltd. -> Wacom Co. Ltd.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe (Wacom Technology Corp. -> Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe ==================== Registry (Whitelisted) =================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM-x32\...\Run: [Discord] => C:\ProgramData\SquirrelMachineInstalls\Discord.exe [61370712 2020-07-22] (Discord Inc. -> Discord Inc.) HKLM-x32\...\Run: [Adobe CCXProcess] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe [129288 2021-01-25] (Adobe Inc. -> ) HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [4110568 2021-07-20] (Valve -> Valve Corporation) HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Run: [Discord] => C:\Users\whoop\AppData\Local\Discord\Update.exe [1512760 2020-12-03] (Discord Inc. -> GitHub) HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Run: [LGHUB] => C:\Program Files\LGHUB\lghub.exe [136443296 2021-07-30] (Logitech Inc -> Logitech, Inc.) HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Winlogon: [Shell] explorer.exe, <==== ATTENTION HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\92.0.4515.159\Installer\chrmstp.exe [2021-08-18] (Google LLC -> Google LLC) Startup: C:\Users\whoop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk [2020-07-22] ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe (June Fabrics Technology Inc. -> ) Startup: C:\Users\whoop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2020-07-23] ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe (Firebit OU -> Rainmeter) ==================== Scheduled Tasks (Whitelisted) ============ (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) Task: {025597BC-07BF-4262-B6A7-82F4130C3A0C} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MpCmdRun.exe [673816 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation) Task: {07FC8EEE-4B7A-4DE6-B2C1-0F6E301D0DEC} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [907240 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation) Task: {20D96084-13BE-43E8-872C-61B3F0E103E7} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [646456 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation) Task: {48177F83-5092-4E06-932F-2D14667AA437} - System32\Tasks\NvTmRep_CrashReport3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1128424 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation) Task: {52D19885-5EF0-4E4B-A8A3-74BE3C6CE179} - System32\Tasks\Firefox Default Browser Agent C3E1DB00FF43B845 => C:\Users\whoop\AppData\Roaming\wahvgcc [65440 2021-06-19] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION Task: {5FB84654-68B2-45DD-A587-67DFAAFFF9AE} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [3301176 2020-10-20] (NVIDIA Corporation -> NVIDIA Corporation) Task: {634B8201-999F-4D43-BB10-E106A674FFCB} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-07-22] (Google LLC -> Google LLC) Task: {67127676-CE87-426D-A5A0-BC3BBE3D1050} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-07-22] (Google LLC -> Google LLC) Task: {7604EDE2-ECD8-4B45-81DA-16FC8301C9B2} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [907240 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation) Task: {9234DF23-4404-40E2-990E-3E59FB043762} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MpCmdRun.exe [673816 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation) Task: {9C3DE8E7-9B64-4A92-A47A-6B86E9DE1E41} - System32\Tasks\NvTmRep_CrashReport4_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1128424 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation) Task: {A053C074-2702-4463-8E23-8F174798DA5D} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [874472 2020-10-17] (NVIDIA Corporation -> NVIDIA Corporation) -> -d "C:\Program Files\NVIDIA Corporation\NvDriverUpdateCheck" -l 3 -f C:\ProgramData\NVIDIA\NvContainerDriverUpdateCheck.log Task: {AD16C3A0-F322-44B6-A824-BD23B05A6931} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MpCmdRun.exe [673816 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation) Task: {BF117608-EFB0-4422-BEBD-C463639BB0BD} - System32\Tasks\NvTmRep_CrashReport2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1128424 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation) Task: {D62CA360-A06E-4000-80BC-35D1E09FB0CA} - System32\Tasks\NvBatteryBoostCheckOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [874472 2020-10-17] (NVIDIA Corporation -> NVIDIA Corporation) -> -d "C:\Program Files\NVIDIA Corporation\NvBackend\NvBatteryBoostCheck" -l 3 -f C:\ProgramData\NVIDIA\NvContainerBatteryBoostCheck.log Task: {E414F87E-EA97-4F60-8D86-4A49615CE9BD} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MpCmdRun.exe [673816 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation) Task: {F46096B4-49DD-4670-9E07-9D3A94669651} - System32\Tasks\NvTmRep_CrashReport1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1128424 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation) (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 74.40.74.41 Tcpip\..\Interfaces\{c4a56b54-0624-4212-87ab-fc20de671cdb}: [DhcpNameServer] 192.168.0.1 74.40.74.41 Tcpip\..\Interfaces\{cd50cc4a-4ab4-4e72-80b7-773c0a0aa172}: [DhcpNameServer] 75.75.75.75 75.75.76.76 Tcpip\..\Interfaces\{fc47bd4c-c1a5-430d-a1a3-52bd938f084d}: [DhcpNameServer] 8.8.8.8 Edge: ======= Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found] Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found] Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found] Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found] Edge Profile: C:\Users\whoop\AppData\Local\Microsoft\Edge\User Data\Default [2021-08-29] FireFox: ======== FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] (Microsoft Corporation -> Microsoft Corporation) FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] (Microsoft Corporation -> Microsoft Corporation) Chrome: ======= CHR DefaultProfile: Default CHR Profile: C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default [2021-08-29] CHR Notifications: Default -> hxxps://voice.google.com; hxxps://www.netflix.com CHR HomePage: Default -> hxxps://www.google.com/ CHR StartupUrls: Default -> "hxxp://www.tumblr.com/blog/whoopscloplockbox" CHR DefaultSearchURL: Default -> hxxps://dral.eu/ CHR Extension: (Slides) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2020-07-22] CHR Extension: (BetterTTV) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2021-08-28] CHR Extension: (Docs) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2020-07-22] CHR Extension: (Google Drive) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2020-10-23] CHR Extension: (Dark Theme for Google™) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\apiabgjfojnkcepfmbdechlhfocpeenc [2021-07-10] CHR Extension: (YouTube) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2020-07-22] CHR Extension: (Slinky Elegant) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmanlajnpdncmhfkiccmbgeocgbncfln [2020-07-22] CHR Extension: (TagPro Capture the Flag) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\bommelfnddjcbmbcfhmhjikpfphlebjh [2020-07-22] CHR Extension: (Adblock Plus - free ad blocker) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2021-07-27] CHR Extension: (Watch2Gether) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\cimpffimgeipdhnhjohpbehjkcdpjolg [2021-06-19] CHR Extension: (Tampermonkey) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2021-06-19] CHR Extension: (Sheets) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2020-07-22] CHR Extension: (Window Expander For YouTube) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkpaakpeehepibjpdmoocdaonognfiog [2020-07-22] CHR Extension: (Tails Verification) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaghffbplpialpoeclgjkkbknblfajdl [2020-07-22] CHR Extension: (Google Docs Offline) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2021-07-01] CHR Extension: (Windowed - floating Youtube/every website) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\gibipneadnbflmkebnmcbgjdkngkbklb [2021-01-02] CHR Extension: (YouTube Windowed FullScreen) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkkmiofalnjagdcjheckamobghglpdpm [2020-07-24] CHR Extension: (Reddit Enhancement Suite) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2021-06-19] CHR Extension: (DarkCloud) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjicdmidmifkppilbbcanmnljpffmfmh [2020-08-12] CHR Extension: (Chrome Web Store Payments) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2021-01-29] CHR Extension: (Tumblr Savior) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\oefddkjnflmjbclpnnoegglmmdfkidip [2021-08-21] CHR Extension: (Adfly Notification Bypass) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\oniljfenfhbbjpmpcphgnpjhbapcapek [2021-02-28] CHR Extension: (Gmail) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2020-10-22] CHR Extension: (Chrome Media Router) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2021-07-27] CHR Profile: C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Guest Profile [2021-08-29] CHR Profile: C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1 [2021-08-24] CHR Extension: (Slides) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2021-08-24] CHR Extension: (Docs) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2021-08-24] CHR Extension: (Google Drive) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2021-08-24] CHR Extension: (YouTube) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2021-08-24] CHR Extension: (Sheets) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2021-08-24] CHR Extension: (Google Docs Offline) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2021-08-24] CHR Extension: (Chrome Web Store Payments) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2021-08-24] CHR Extension: (Gmail) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2021-08-24] CHR Extension: (Chrome Media Router) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2021-08-24] CHR Profile: C:\Users\whoop\AppData\Local\Google\Chrome\User Data\System Profile [2021-08-29] ==================== Services (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [8912272 2021-06-18] (BattlEye Innovations e.K. -> ) S3 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [803440 2020-02-28] (EasyAntiCheat Oy -> EasyAntiCheat Ltd) S3 EQU8_13; C:\ProgramData\EQU8\Diabotical\bin\anticheat.x64.equ8.exe [5561024 2020-09-04] (Int3 Software AB -> Int3 Software AB) R2 LGHUBUpdaterService; C:\Program Files\LGHUB\lghub_updater.exe [10787232 2021-07-30] (Logitech Inc -> Logitech, Inc.) R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7497336 2021-08-29] (Malwarebytes Inc -> Malwarebytes) S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2556048 2021-07-15] (Electronic Arts, Inc. -> Electronic Arts) R2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [3474584 2021-07-15] (Electronic Arts, Inc. -> Electronic Arts) S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\NisSrv.exe [2727416 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation) R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MsMpEng.exe [136656 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation) R2 NVDisplay.ContainerLocalSystem; C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_8e68f77150e57b50\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f %ProgramData%\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_8e68f77150e57b50\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem ===================== Drivers (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) S3 BthA2dp; C:\Windows\System32\drivers\BthA2dp.sys [279040 2019-12-07] (Microsoft Corporation) [File not signed] S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus2.sys [159864 2021-06-29] (Samsung Electronics Co., Ltd. -> Samsung Electronics Co., Ltd.) S3 EQU8_HELPER_13; C:\Windows\system32\DRIVERS\EQU8_HELPER_13.sys [38080 2020-09-04] (Int3 Software AB -> ) R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [160176 2021-08-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes) R2 LGHUBTemperatureService; C:\Program Files\LGHUB\logi_core_temp.sys [22864 2021-07-30] (Logitech Inc -> Logitech) R3 logi_joy_bus_enum; C:\Windows\system32\drivers\logi_joy_bus_enum.sys [37200 2021-03-17] (Logitech Inc -> Logitech) R3 logi_joy_vir_hid; C:\Windows\system32\drivers\logi_joy_vir_hid.sys [25928 2021-03-17] (Logitech Inc -> Logitech) R3 logi_joy_xlcore; C:\Windows\system32\drivers\logi_joy_xlcore.sys [66896 2021-03-17] (Logitech Inc -> Logitech) R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [210344 2021-08-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes) S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [19912 2021-08-29] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes) R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [198888 2021-08-29] (Malwarebytes Inc -> Malwarebytes) R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [68528 2021-08-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes) R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248992 2021-08-29] (Malwarebytes Inc -> Malwarebytes) R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [149424 2021-08-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes) S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [167280 2020-11-11] (Samsung Electronics Co., Ltd. -> Samsung Electronics Co., Ltd.) R3 SteamStreamingMicrophone; C:\Windows\system32\drivers\SteamStreamingMicrophone.sys [40736 2017-07-28] (Valve Corp. -> ) R3 SteamStreamingSpeakers; C:\Windows\system32\drivers\SteamStreamingSpeakers.sys [40736 2017-07-20] (Valve Corp. -> ) S0 WdBoot; C:\Windows\System32\drivers\wd\WdBoot.sys [49568 2021-08-04] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation) R0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [434424 2021-08-04] (Microsoft Windows -> Microsoft Corporation) S3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [78072 2021-08-04] (Microsoft Windows -> Microsoft Corporation) ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One month (created) (Whitelisted) ========= (If an entry is included in the fixlist, the file/folder will be moved.) 2021-08-29 21:08 - 2021-08-29 21:08 - 000000000 ____D C:\Users\whoop\Documents\Adobe 2021-08-29 21:08 - 2021-08-29 21:08 - 000000000 ____D C:\Users\whoop\AppData\Local\Adobe 2021-08-29 20:58 - 2021-08-29 22:00 - 000000000 ____D C:\FRST 2021-08-29 20:57 - 2021-08-29 20:59 - 000000000 ____D C:\AdwCleaner 2021-08-29 20:12 - 2021-08-29 20:12 - 000248992 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys 2021-08-29 20:12 - 2021-08-29 20:12 - 000210344 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys 2021-08-29 20:12 - 2021-08-29 20:12 - 000198888 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys 2021-08-29 20:12 - 2021-08-29 20:12 - 000149424 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys 2021-08-29 20:12 - 2021-08-29 20:12 - 000068528 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys 2021-08-29 20:12 - 2021-08-29 20:12 - 000002036 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk 2021-08-29 20:12 - 2021-08-29 20:12 - 000002024 _____ C:\Users\Public\Desktop\Malwarebytes.lnk 2021-08-29 20:12 - 2021-08-29 20:12 - 000000000 ____D C:\Users\whoop\AppData\Local\mbam 2021-08-29 20:12 - 2021-08-29 20:11 - 000160176 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys 2021-08-29 20:12 - 2021-08-29 20:11 - 000019912 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamElam.sys 2021-08-29 20:11 - 2021-08-29 20:11 - 000000000 ____D C:\ProgramData\Malwarebytes 2021-08-29 20:05 - 2021-08-29 20:05 - 000000000 ____D C:\Program Files\Malwarebytes 2021-08-29 20:03 - 2021-08-29 20:04 - 002120496 _____ (Malwarebytes) C:\Users\whoop\Downloads\MBSetup-119967.119967-consumer.exe 2021-08-29 19:31 - 2021-08-29 20:24 - 000000000 ____D C:\Users\whoop\AppData\Local\license 2021-08-29 19:31 - 2021-08-29 19:54 - 005294080 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\icacls.exe 2021-08-29 19:30 - 2021-08-29 20:24 - 000000000 ____D C:\Users\whoop\AppData\Roaming\Cached files 2021-08-29 19:30 - 2021-08-29 19:54 - 000474112 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\rdrleakdiag.exe 2021-08-29 19:30 - 2021-08-29 19:54 - 000473088 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\gpresult.exe 2021-08-29 19:30 - 2021-08-29 19:30 - 000003728 _____ C:\Windows\system32\Tasks\Firefox Default Browser Agent C3E1DB00FF43B845 2021-08-29 19:29 - 2021-08-29 19:37 - 000001133 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Premiere Pro 2021.lnk 2021-08-29 19:29 - 2021-08-29 19:29 - 000000000 ____D C:\Users\Public\Documents\Adobe 2021-08-29 19:29 - 2021-08-29 19:29 - 000000000 ____D C:\Program Files\Common Files\Adobe 2021-08-29 19:29 - 2021-08-29 19:29 - 000000000 ____D C:\Program Files\Adobe 2021-08-29 19:29 - 2021-08-29 19:29 - 000000000 ____D C:\Program Files (x86)\Adobe 2021-08-29 19:27 - 2021-08-29 19:27 - 000000000 ____D C:\ProgramData\Adobe 2021-08-22 19:47 - 2021-08-29 18:51 - 000000000 ____D C:\Users\whoop\AppData\Local\BitTorrentHelper 2021-08-22 19:46 - 2021-08-29 20:37 - 000000000 ____D C:\Users\whoop\AppData\Roaming\BitTorrent 2021-08-22 19:46 - 2021-08-22 19:46 - 000000919 _____ C:\Users\whoop\Desktop\BitTorrent.lnk 2021-08-22 19:01 - 2021-08-22 19:05 - 000000000 ____D C:\Users\whoop\AppData\Roaming\OBS 2021-08-10 18:07 - 2021-08-10 18:07 - 002755584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2021-08-10 18:07 - 2021-08-10 18:07 - 002755584 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2021-08-10 18:07 - 2021-08-10 18:07 - 001823280 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi 2021-08-10 18:07 - 2021-08-10 18:07 - 001393480 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi 2021-08-10 18:07 - 2021-08-10 18:07 - 001333760 _____ C:\Windows\SysWOW64\TextInputMethodFormatter.dll 2021-08-10 18:07 - 2021-08-10 18:07 - 000288768 _____ C:\Windows\system32\Windows.Management.InprocObjects.dll 2021-08-10 18:07 - 2021-08-10 18:07 - 000011347 _____ C:\Windows\system32\DrtmAuthTxt.wim 2021-08-10 18:01 - 2021-08-10 18:01 - 000000000 ___HD C:\$WinREAgent 2021-08-02 12:37 - 2021-06-29 05:43 - 000159864 _____ (Samsung Electronics Co., Ltd.) C:\Windows\system32\Drivers\ssudbus2.sys 2021-08-01 14:29 - 2021-08-01 14:29 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logi 2021-08-01 14:29 - 2021-08-01 14:29 - 000000000 ____D C:\Program Files\LGHUB ==================== One month (modified) ================== (If an entry is included in the fixlist, the file/folder will be moved.) 2021-08-29 21:53 - 2020-07-22 16:25 - 000000000 ____D C:\Users\whoop\AppData\Roaming\Discord 2021-08-29 21:49 - 2020-07-22 16:24 - 000000000 ____D C:\Program Files (x86)\Steam 2021-08-29 21:34 - 2020-07-22 16:25 - 000000000 ____D C:\Users\whoop\AppData\Local\Discord 2021-08-29 21:29 - 2020-07-22 15:10 - 000000000 ____D C:\Program Files (x86)\Google 2021-08-29 21:08 - 2020-07-22 14:51 - 000000000 ____D C:\Users\whoop\AppData\Roaming\Adobe 2021-08-29 20:26 - 2019-12-07 02:03 - 000032768 _____ C:\Windows\system32\config\ELAM 2021-08-29 20:12 - 2019-12-07 02:14 - 000000000 ___HD C:\Windows\ELAMBKUP 2021-08-29 19:54 - 2020-07-23 22:38 - 000000000 ____D C:\Users\whoop\AppData\Local\CrashDumps 2021-08-29 19:47 - 2019-12-07 02:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft 2021-08-29 19:28 - 2020-07-22 22:50 - 000000000 ____D C:\Users\whoop\AppData\Local\D3DSCache 2021-08-29 19:28 - 2020-07-22 15:49 - 000000000 ____D C:\ProgramData\Package Cache 2021-08-29 19:11 - 2020-07-22 14:18 - 000000000 ____D C:\Windows\system32\SleepStudy 2021-08-29 12:25 - 2020-07-22 15:49 - 000000000 ____D C:\ProgramData\NVIDIA 2021-08-29 11:32 - 2020-07-22 14:24 - 000840602 _____ C:\Windows\system32\PerfStringBackup.INI 2021-08-29 11:32 - 2019-12-07 02:13 - 000000000 ____D C:\Windows\INF 2021-08-29 11:26 - 2020-07-24 13:48 - 000000000 ____D C:\Users\whoop\AppData\Roaming\LGHUB 2021-08-29 11:26 - 2020-07-24 13:48 - 000000000 ____D C:\Users\whoop\AppData\Local\LGHUB 2021-08-29 11:26 - 2020-07-24 01:24 - 000000000 ____D C:\Users\whoop\AppData\Roaming\WTablet 2021-08-29 11:25 - 2020-07-22 14:46 - 000000000 ____D C:\Users\whoop 2021-08-29 11:25 - 2020-07-22 14:18 - 000008192 ___SH C:\DumpStack.log.tmp 2021-08-29 11:25 - 2020-07-22 14:18 - 000000006 ____H C:\Windows\Tasks\SA.DAT 2021-08-28 23:16 - 2020-08-28 21:27 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk 2021-08-28 23:16 - 2019-12-07 02:14 - 000000000 ___HD C:\Program Files\WindowsApps 2021-08-28 23:16 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\AppReadiness 2021-08-22 22:03 - 2020-07-22 14:52 - 000003378 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1062094570-161052252-1746623260-1001 2021-08-22 22:03 - 2020-07-22 14:46 - 000002382 _____ C:\Users\whoop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk 2021-08-18 18:15 - 2020-07-22 15:18 - 000002304 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk 2021-08-15 13:11 - 2020-08-28 21:27 - 000003480 _____ C:\Windows\system32\Tasks\LLW6bSoGD3bA7iUyUa9LzVsAWoZUNsMZCa 2021-08-15 13:11 - 2020-08-28 21:27 - 000003356 _____ C:\Windows\system32\Tasks\LLW6bSoGD3bA7iUyUa9LzVsAWoZUNsMZCa 2021-08-14 20:56 - 2020-07-22 21:53 - 000000000 ____D C:\Users\whoop\AppData\Local\Battle.net 2021-08-14 19:56 - 2020-07-22 21:52 - 000000000 ____D C:\Program Files (x86)\Battle.net 2021-08-11 03:33 - 2020-07-22 14:18 - 000257824 _____ C:\Windows\system32\FNTCACHE.DAT 2021-08-11 03:33 - 2019-12-07 02:03 - 000524288 _____ C:\Windows\system32\config\BBI 2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ___SD C:\Windows\system32\UNP 2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ___RD C:\Windows\ImmersiveControlPanel 2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\SysWOW64\Dism 2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\SystemResources 2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\oobe 2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\Dism 2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\ShellComponents 2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\bcastdvr 2021-08-11 03:32 - 2019-12-07 02:03 - 000000000 ____D C:\Windows\servicing 2021-08-10 18:09 - 2019-12-07 02:03 - 000000000 ____D C:\Windows\CbsTemp 2021-08-10 17:59 - 2020-07-28 11:55 - 000000000 ____D C:\Windows\system32\MRT 2021-08-10 17:57 - 2020-07-28 11:54 - 133215968 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe 2021-08-10 05:42 - 2020-07-22 14:51 - 000000000 ____D C:\Users\whoop\AppData\Local\Packages 2021-08-08 19:51 - 2020-07-22 14:52 - 000000000 ___RD C:\Users\whoop\OneDrive 2021-08-07 01:55 - 2020-07-28 02:47 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battlestate Games 2021-08-04 11:09 - 2020-07-22 15:10 - 000003420 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA 2021-08-04 11:09 - 2020-07-22 15:10 - 000003296 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore 2021-08-04 09:00 - 2020-07-22 14:18 - 000000000 ____D C:\Windows\system32\Drivers\wd 2021-07-31 12:02 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\LiveKernelReports ==================== Files in the root of some directories ======== 2021-08-29 19:30 - 2021-08-29 19:54 - 000473088 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\gpresult.exe 2021-08-29 19:31 - 2021-08-29 19:54 - 005294080 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\icacls.exe 2021-07-13 21:19 - 2021-07-13 21:19 - 000000285 _____ () C:\Users\whoop\AppData\Roaming\PureRef.ini 2021-08-29 19:30 - 2021-08-29 19:54 - 000474112 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\rdrleakdiag.exe 2021-06-19 16:18 - 2021-06-19 16:18 - 000248375 ___SH () C:\Users\whoop\AppData\Roaming\tdvbusa 2021-06-19 16:18 - 2021-06-19 16:18 - 000065440 ___SH (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\wahvgcc ==================== SigCheck ============================ (There is no automatic fix for files that do not pass verification.) ==================== End of FRST.txt ======================== Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-08-2021 Ran by Knoop (29-08-2021 22:01:08) Running from F:\SORT THIS Windows 10 Home Version 21H1 19043.1165 (X64) (2020-07-22 21:20:11) Boot Mode: Normal ========================================================== ==================== Accounts: ============================= (If an entry is included in the fixlist, it will be removed.) Administrator (S-1-5-21-1062094570-161052252-1746623260-500 - Administrator - Disabled) DefaultAccount (S-1-5-21-1062094570-161052252-1746623260-503 - Limited - Disabled) Guest (S-1-5-21-1062094570-161052252-1746623260-501 - Limited - Disabled) Knoop (S-1-5-21-1062094570-161052252-1746623260-1001 - Administrator - Enabled) => C:\Users\whoop WDAGUtilityAccount (S-1-5-21-1062094570-161052252-1746623260-504 - Limited - Disabled) ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B} ==================== Installed Programs ====================== (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) 7-Zip 19.00 (x64) (HKLM\...\7-Zip) (Version: 19.00 - Igor Pavlov) Adobe Premiere Pro 2021 (HKLM-x32\...\{2B1EBFAA-E2D6-494D-9E24-DA06217F5FA2}) (Version: 1.0.0 - IGI) Adobe Premiere Pro 2021 (HKLM-x32\...\PPRO_15_2) (Version: 15.2 - Adobe Inc.) AdoptOpenJDK JRE with Hotspot 11.0.8.10 (x64) (HKLM\...\{E70F16B5-3394-48B9-B75B-023E27AE6917}) (Version: 11.0.8.10 - AdoptOpenJDK) Apex Legends (HKLM-x32\...\{D7FBF176-382D-484E-863A-DFD1124A2A1C}) (Version: 1.0.7.1 - Electronic Arts, Inc.) AutoHotkey 1.1.33.09 (HKLM\...\AutoHotkey) (Version: 1.1.33.09 - Lexikos) Battle.net (HKLM-x32\...\Battle.net) (Version: - Blizzard Entertainment) Battlestate Games Launcher 12.9.0.1521 (HKLM-x32\...\{B0FDA062-7581-4D67-B085-C4E7C358037F}_is1) (Version: 12.9.0.1521 - Battlestate Games) BitTorrent (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\BitTorrent) (Version: 7.10.5.46011 - BitTorrent Inc.) Call of Duty Modern Warfare (HKLM-x32\...\Call of Duty Modern Warfare) (Version: - Blizzard Entertainment) Discord (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Discord) (Version: 0.0.309 - Discord Inc.) Epic Games Launcher (HKLM-x32\...\{0EE6DDEF-E36B-45EB-9E03-5A266EC8A8F8}) (Version: 1.1.279.0 - Epic Games, Inc.) Escape from Tarkov (HKLM-x32\...\EscapeFromTarkov) (Version: 0.12.7.8334 - Battlestate Games) Google Chrome (HKLM-x32\...\Google Chrome) (Version: 92.0.4515.159 - Google LLC) Launcher Prerequisites (x64) (HKLM-x32\...\{43a03b9c-4770-409c-a999-587b60700b63}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden Logitech G HUB (HKLM\...\{521c89be-637f-4274-a840-baaf7460c2b2}) (Version: 2021.8.792 - Logitech) Malwarebytes version 4.4.5.130 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.4.5.130 - Malwarebytes) Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 92.0.902.84 - Microsoft Corporation) Microsoft OneDrive (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\OneDriveSetup.exe) (Version: 21.150.0725.0001 - Microsoft Corporation) Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50918.0 - Microsoft Corporation) Microsoft Update Health Tools (HKLM\...\{852D8FE5-BC66-4061-B1C4-CADF51E5B27D}) (Version: 2.82.0.0 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation) Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation) Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation) Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation) Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation) Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.28.29334 (HKLM-x32\...\{a9cfe9c7-e54f-46cd-9c5c-542ff8e3e8c4}) (Version: 14.28.29334.0 - Microsoft Corporation) Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.28.29334 (HKLM-x32\...\{b2d0f752-adc5-496e-8f70-8669de01f746}) (Version: 14.28.29334.0 - Microsoft Corporation) Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation) Minecraft Launcher (HKLM-x32\...\{F6678473-0198-46D0-A88F-2A247E6FA03C}) (Version: 1.0.0.0 - Mojang) Notepad++ (32-bit x86) (HKLM-x32\...\Notepad++) (Version: 7.8.9 - Notepad++ Team) NVIDIA FrameView SDK 1.1.4923.29214634 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_FrameViewSdk) (Version: 1.1.4923.29214634 - NVIDIA Corporation) NVIDIA GeForce Experience 3.20.5.70 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.20.5.70 - NVIDIA Corporation) NVIDIA Graphics Driver 460.79 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 460.79 - NVIDIA Corporation) NVIDIA HD Audio Driver 1.3.38.40 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.38.40 - NVIDIA Corporation) NVIDIA PhysX System Software 9.19.0218 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.19.0218 - NVIDIA Corporation) Origin (HKLM-x32\...\Origin) (Version: 10.5.102.48654 - Electronic Arts, Inc.) Overwatch (HKLM-x32\...\Overwatch) (Version: - Blizzard Entertainment) paint.net (HKLM\...\{6FED3D93-C0FA-4BD7-A36F-7FC53698244F}) (Version: 4.2.15 - dotPDN LLC) PdaNet+ for Android 5.22 (HKLM-x32\...\PdaNet_is1) (Version: - June Fabrics Technology) PostyBirb+ 3.0.36 (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\caa559a3-e745-546c-923c-94a7ab26447f) (Version: 3.0.36 - Michael DiCarlo) PureRef (HKLM-x32\...\PureRef) (Version: 1.10.4 - Idyllic Pixel) Rainmeter (HKLM-x32\...\Rainmeter) (Version: 4.3.1 r3321 - Rainmeter) REDlauncher (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\{7258BA11-600C-430E-A759-27E2C691A335}-REDlauncher_is1) (Version: - GOG.com) Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation) Titanfall™ 2 (HKLM-x32\...\{4BD80373-FEE7-45B6-8249-6E8E98717405}) (Version: 1.0.1.3 - Electronic Arts, Inc.) Tom Clancy's Rainbow Six Siege (HKLM-x32\...\Uplay Install 635) (Version: - Ubisoft Montreal) Trackmania (HKLM-x32\...\Uplay Install 5595) (Version: - Ubisoft) Ubisoft Connect (HKLM-x32\...\Uplay) (Version: 112.2 - Ubisoft) UE4 Prerequisites (x64) (HKLM\...\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}) (Version: 1.0.14.0 - Epic Games, Inc.) Hidden UE4 Prerequisites (x64) (HKLM-x32\...\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}) (Version: 1.0.14.0 - Epic Games, Inc.) Hidden Wacom Tablet (HKLM\...\Wacom Tablet Driver) (Version: 6.3.40-2 - Wacom Technology Corp.) Packages: ========= Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2020-07-23] (Microsoft Corporation) [MS Ad] Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2020-07-23] (Microsoft Corporation) [MS Ad] Notepad++ Editor -> C:\Program Files\WindowsApps\HaukeGtze.NotepadEditor_1.812.1.0_x64__6bk20wvc8rfx2 [2021-07-31] (Hauke Hasselberg) NVIDIA Control Panel -> C:\Program Files\WindowsApps\NVIDIACorp.NVIDIAControlPanel_8.1.961.0_x64__56jybvy8sckqj [2021-05-25] (NVIDIA Corp.) Spotify Music -> C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.166.580.0_x86__zpdnekdrzrea0 [2021-08-25] (Spotify AB) [Startup Task] Xbox One SmartGlass -> C:\Program Files\WindowsApps\Microsoft.XboxOneSmartGlass_2.2.1702.2004_x64__8wekyb3d8bbwe [2020-09-08] (Microsoft Corporation) ==================== Custom CLSID (Whitelisted): ============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-21] (Igor Pavlov) [File not signed] ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2020-07-15] (Notepad++ -> ) ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-08-29] (Malwarebytes Corporation -> Malwarebytes) ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-21] (Igor Pavlov) [File not signed] ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_8e68f77150e57b50\nvshext.dll [2020-12-04] (NVIDIA Corporation -> NVIDIA Corporation) ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-21] (Igor Pavlov) [File not signed] ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-08-29] (Malwarebytes Corporation -> Malwarebytes) ==================== Codecs (Whitelisted) ==================== ==================== Shortcuts & WMI ======================== ==================== Loaded Modules (Whitelisted) ============= 2021-08-01 14:29 - 2021-07-30 19:13 - 000634880 _____ () [File not signed] \\?\C:\Program Files\LGHUB\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node 2020-07-22 16:24 - 2019-02-21 09:00 - 000078336 _____ (Igor Pavlov) [File not signed] C:\Program Files\7-Zip\7-zip.dll 2020-07-22 22:50 - 2020-07-22 22:50 - 001282048 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files (x86)\Origin\LIBEAY32.dll 2020-07-22 22:50 - 2020-07-22 22:50 - 000279040 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files (x86)\Origin\ssleay32.dll 2020-07-22 22:50 - 2020-07-22 22:50 - 001611264 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\platforms\qwindows.dll 2021-07-28 11:00 - 2020-07-22 22:50 - 005487104 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Core.dll 2021-07-28 11:00 - 2020-07-22 22:50 - 005841920 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Gui.dll 2021-07-28 11:00 - 2020-07-22 22:50 - 001179136 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Network.dll 2021-07-28 11:00 - 2020-07-22 22:50 - 000146432 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5WebSockets.dll 2021-07-28 11:00 - 2020-07-22 22:50 - 005089792 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Widgets.dll 2021-07-28 11:00 - 2020-07-22 22:50 - 000184832 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Xml.dll ==================== Alternate Data Streams (Whitelisted) ======== ==================== Safe Mode (Whitelisted) ================== (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service" ==================== Association (Whitelisted) ================= ==================== Internet Explorer (Whitelisted) ========== ==================== Hosts content: ========================= (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2019-12-07 02:14 - 2019-12-07 02:12 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts ==================== Other Areas =========================== (Currently there is no automatic fix for this section.) HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> C:\Program Files\AdoptOpenJDK\jre-11.0.8.10-hotspot\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common HKU\S-1-5-21-1062094570-161052252-1746623260-1001\Control Panel\Desktop\\Wallpaper -> F:\Arts n Draws\References\Urban\tumblr_oh093gcs9Q1qzi9p6o7_1280.jpg DNS Servers: 192.168.0.1 - 74.40.74.41 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: ) Windows Firewall is enabled. ==================== MSCONFIG/TASK MANAGER disabled items == (If an entry is included in the fixlist, it will be removed.) HKLM\...\StartupApproved\Run32: => "Discord" HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\StartupApproved\Run: => "Steam" HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\StartupApproved\Run: => "Discord" ==================== FirewallRules (Whitelisted) ================ (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) FirewallRules: [TCP Query User{C5AED672-3B5F-48D6-AF45-C246ACFD01F1}C:\users\whoop\appdata\roaming\bittorrent\bittorrent.exe] => (Block) C:\users\whoop\appdata\roaming\bittorrent\bittorrent.exe (BitTorrent Inc -> BitTorrent Inc.) FirewallRules: [UDP Query User{C96DFC2D-C5BF-4F5A-B9C0-8C87FE66C4A0}C:\users\whoop\appdata\roaming\bittorrent\bittorrent.exe] => (Block) C:\users\whoop\appdata\roaming\bittorrent\bittorrent.exe (BitTorrent Inc -> BitTorrent Inc.) ==================== Restore Points ========================= 10-08-2021 17:59:17 Windows Modules Installer 19-08-2021 15:07:53 Scheduled Checkpoint 28-08-2021 23:48:12 Scheduled Checkpoint ==================== Faulty Device Manager Devices ============ ==================== Event log errors: ======================== Application errors: ================== Error: (08/29/2021 07:54:31 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: RegAsm.exe, version: 4.8.4084.0, time stamp: 0x6012c0b8 Faulting module name: RegAsm.exe, version: 4.8.4084.0, time stamp: 0x6012c0b8 Exception code: 0xc0000005 Fault offset: 0x0000178d Faulting process id: 0x348 Faulting application start time: 0x01d79d4a584ec454 Faulting application path: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe Faulting module path: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe Report Id: f0e74dc9-4b30-4afd-bc0e-fb56230e228e Faulting package full name: Faulting package-relative application ID: Error: (08/29/2021 07:35:15 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: A83A.exe, version: 5.0.1.1, time stamp: 0xbaa599a4 Faulting module name: KERNELBASE.dll, version: 10.0.19041.1151, time stamp: 0x891df6d3 Exception code: 0xe0434352 Fault offset: 0x0000000000034ed9 Faulting process id: 0x1d84 Faulting application start time: 0x01d79d479b0b1815 Faulting application path: C:\Users\whoop\AppData\Local\Temp\A83A.exe Faulting module path: C:\Windows\System32\KERNELBASE.dll Report Id: 4ce7e010-fc24-4a15-983c-1b1adce3b9ec Faulting package full name: Faulting package-relative application ID: Error: (08/29/2021 07:35:15 PM) (Source: .NET Runtime) (EventID: 1026) (User: ) Description: Application: A83A.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.Net.WebException at System.Net.HttpWebRequest.EndGetResponse(System.IAsyncResult) at System.Net.WebClient.GetWebResponse(System.Net.WebRequest, System.IAsyncResult) at System.Net.WebClient.DownloadBitsResponseCallback(System.IAsyncResult) Exception Info: System.Reflection.TargetInvocationException at System.ComponentModel.AsyncCompletedEventArgs.RaiseExceptionIfNecessary() at Rymacojpzn.Program.Client_DownloadDataCompleted(System.Object, System.Net.DownloadDataCompletedEventArgs) at System.Net.WebClient.OnDownloadDataCompleted(System.Net.DownloadDataCompletedEventArgs) at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem() at System.Threading.ThreadPoolWorkQueue.Dispatch() Error: (08/29/2021 07:35:15 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: explorer.exe, version: 10.0.19041.1151, time stamp: 0x63a3353b Faulting module name: ntdll.dll, version: 10.0.19041.1110, time stamp: 0x8a32a22a Exception code: 0xc0000374 Fault offset: 0x000e6c23 Faulting process id: 0x1e5c Faulting application start time: 0x01d79d47a9b1c17d Faulting application path: C:\Windows\SysWOW64\explorer.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 35a25cdc-05c7-4ff5-8767-57ee8ce7c9dd Faulting package full name: Faulting package-relative application ID: Error: (08/29/2021 07:30:43 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: RegAsm.exe, version: 4.8.4084.0, time stamp: 0x6012c0b8 Faulting module name: RegAsm.exe, version: 4.8.4084.0, time stamp: 0x6012c0b8 Exception code: 0xc0000005 Fault offset: 0x0000178d Faulting process id: 0x3674 Faulting application start time: 0x01d79d4705026366 Faulting application path: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe Faulting module path: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe Report Id: fff3efb2-a944-44c9-a769-cef42660008a Faulting package full name: Faulting package-relative application ID: Error: (08/26/2021 03:55:00 PM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: ) Description: The storage optimizer couldn't complete retrim on 3TB Drive (F:) because: The operation requested is not supported by the hardware backing the volume. (0x8900002A) Error: (08/19/2021 03:07:51 PM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: ) Description: The storage optimizer couldn't complete retrim on 3TB Drive (F:) because: The operation requested is not supported by the hardware backing the volume. (0x8900002A) Error: (08/17/2021 05:33:00 AM) (Source: Application Hang) (EventID: 1002) (User: ) Description: The program hl2.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel. Process ID: 4734 Start Time: 01d793553a4aafd6 Termination Time: 84 Application Path: C:\Program Files (x86)\Steam\steamapps\common\Team Fortress 2\hl2.exe Report Id: 2eaf8469-78b4-4219-8745-aede01589b1e Faulting package full name: Faulting package-relative application ID: Hang type: Unknown System errors: ============= Error: (08/29/2021 11:25:57 AM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: The MBAMChameleon service failed to start due to the following error: The system cannot find the file specified. Error: (08/29/2021 11:25:57 AM) (Source: EventLog) (EventID: 6008) (User: ) Description: The previous system shutdown at 9:10:28 AM on 8/29/2021 was unexpected. Error: (08/28/2021 11:10:13 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: The MBAMChameleon service failed to start due to the following error: The system cannot find the file specified. Error: (08/28/2021 11:10:12 PM) (Source: EventLog) (EventID: 6008) (User: ) Description: The previous system shutdown at 5:28:55 PM on 8/27/2021 was unexpected. Error: (08/28/2021 11:10:03 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY) Description: 3221225684A fatal error occurred processing the restoration data. Error: (08/24/2021 08:08:54 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: The MBAMChameleon service failed to start due to the following error: The system cannot find the file specified. Error: (08/24/2021 08:08:54 PM) (Source: EventLog) (EventID: 6008) (User: ) Description: The previous system shutdown at 6:43:45 PM on 8/24/2021 was unexpected. Error: (08/22/2021 04:43:33 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: The MBAMChameleon service failed to start due to the following error: The system cannot find the file specified. Windows Defender: ================ Date: 2021-08-29 20:04:41 Description: Microsoft Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/AgentTesla.BWK!MTB&threatid=2147784179&enterprise=0 Name: Trojan:MSIL/AgentTesla.BWK!MTB Severity: Severe Category: Trojan Path: file:_C:\Users\whoop\AppData\Roaming\SysResetErr.exe; winlogonshell:_HKCU@S-1-5-21-1062094570-161052252-1746623260-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:"C:\Users\whoop\AppData\Roaming\SysResetErr.exe" Detection Origin: Local machine Detection Type: Concrete Detection Source: User Process Name: Unknown Security intelligence Version: AV: 1.347.655.0, AS: 1.347.655.0, NIS: 1.347.655.0 Engine Version: AM: 1.1.18400.5, NIS: 1.1.18400.5 Date: 2021-08-29 20:02:10 Description: Microsoft Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/AgentTesla.AUE!MTB&threatid=2147780834&enterprise=0 Name: Trojan:MSIL/AgentTesla.AUE!MTB Severity: Severe Category: Trojan Path: containerfile:_F:\Video Editing\Software\AdobeIPCBroker.exe; file:_F:\Video Editing\Software\AdobeIPCBroker.exe->[MSILRES:costura.newtonsoft.json.dll] Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection Process Name: C:\Windows\explorer.exe Security intelligence Version: AV: 1.347.655.0, AS: 1.347.655.0, NIS: 1.347.655.0 Engine Version: AM: 1.1.18400.5, NIS: 1.1.18400.5 Date: 2021-08-27 10:08:58 Description: Microsoft Defender Antivirus scan has been stopped before completion. Scan Type: Antimalware Scan Parameters: Quick Scan Date: 2021-08-26 09:40:59 Description: Microsoft Defender Antivirus scan has been stopped before completion. Scan Type: Antimalware Scan Parameters: Quick Scan Date: 2021-08-24 10:43:37 Description: Microsoft Defender Antivirus scan has been stopped before completion. Scan Type: Antimalware Scan Parameters: Quick Scan CodeIntegrity: =============== Date: 2020-08-05 02:49:20 Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe) attempted to load \Device\HarddiskVolume3\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. ==================== Memory info =========================== BIOS: American Megatrends Inc. 0612 05/15/2017 Motherboard: ASUSTeK COMPUTER INC. PRIME X370-PRO Processor: AMD Ryzen 7 1700 Eight-Core Processor Percentage of memory in use: 48% Total physical RAM: 16311.9 MB Available physical RAM: 8329.47 MB Total Virtual: 34743.9 MB Available Virtual: 21879.44 MB ==================== Drives ================================ Drive c: (SSD) (Fixed) (Total:465.65 GB) (Free:73.34 GB) NTFS Drive f: (3TB Drive) (Fixed) (Total:2794.4 GB) (Free:1243.26 GB) NTFS \\?\Volume{0debd0f1-82ff-455c-bbcf-7bc1426ee9be}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32 \\?\Volume{16b759e1-cfac-4bd3-bc07-e83e4fb40598}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32 ==================== MBR & Partition Table ==================== ========================================================== Disk: 0 (Protective MBR) (Size: 2794.5 GB) (Disk ID: 00000000) Partition: GPT. ========================================================== Disk: 1 (Size: 465.8 GB) (Disk ID: F9A7AECF) Partition: GPT. ==================== End of Addition.txt ======================= Hopefully that is all relevant information needed to help me, I desperately need it. I cant seem to get rid of these pesky .exe files still floating around my system. 😭 Link to post Share on other sites More sharing options...
kevinf80 Posted August 30, 2021 ID:1477401 Share Posted August 30, 2021 Hello Knooper and welcome to Malwarebytes, Please do not not use Code or Quote boxes for any of your replies or requested logs. I want you to run FRST again, please attach the produced logs to your reply.. Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done attach the new logs. "FRST.txt" and "Addition.txt" to your reply If English is not your primary language Rename FRST to FRSTEnglish before running.... (right click on FRST, select "Rename") Thank you, Kevin. Link to post Share on other sites More sharing options...
Knooper Posted August 30, 2021 Author ID:1477402 Share Posted August 30, 2021 FRST.txtAddition.txt Link to post Share on other sites More sharing options...
Solution kevinf80 Posted August 30, 2021 Solution ID:1477417 Share Posted August 30, 2021 Hiya Knooper, Thanks for those attached logs, continue; Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.Note: If the tool warned you about an outdated version please download and run the updated version.NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system....https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Full Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... let me see those logs in your reply... Thank you, Kevin. fixlist.txt Link to post Share on other sites More sharing options...
Knooper Posted August 30, 2021 Author ID:1477444 Share Posted August 30, 2021 I followed your instructions exactly. Here are those logs you requested. Fixlog.txt msert.log Link to post Share on other sites More sharing options...
kevinf80 Posted August 30, 2021 ID:1477539 Share Posted August 30, 2021 Hiya Knooper, Thanks for those logs, how is your system responding now, any remaining issues or concerns..? Thanks, Kevin. Link to post Share on other sites More sharing options...
kevinf80 Posted September 9, 2021 ID:1479010 Share Posted September 9, 2021 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts