RegAsm.exe and other .exe files generating in \temp

I tried running a suspicious copy of Adobe Premiere and now I seem to have a plethora of the latest viruses on my PC 🙃

Malwarebytes initially scanned and quarantined the following:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/29/21
Scan Time: 8:20 PM
Log File: 32a56a3a-0941-11ec-892b-6045cba08bf4.json

-Software Information-
Version: 4.4.5.130
Components Version: 1.0.1430
Update Package Version: 1.0.44469
License: Trial

-System Information-
OS: Windows 10 (Build 19043.1165)
CPU: x64
File System: NTFS
User: DESKTOP-0NDNAHI\Knoop

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 299123
Threats Detected: 10
Threats Quarantined: 10
Time Elapsed: 1 min, 46 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.KeyLogger, HKU\S-1-5-21-1062094570-161052252-1746623260-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SYSTEM, Quarantined, 1916, 359516, 1.0.44469, , ame, , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 9
Trojan.KeyLogger, C:\USERS\WHOOP\APPDATA\LOCAL\TEMP\A357.EXE, Quarantined, 1916, 359516, , , , , A2968300E88E5C7F392EA704E39FF9B4, 4DDAB2F07510C05F41F1913FDFFBA8B41FF30F7E67932BC54CA81B13A5BF41F8
Trojan.Downloader, C:\USERS\WHOOP\APPDATA\ROAMING\CACHED FILES\SETUP5.EXE, Quarantined, 540, 973860, 1.0.44469, , ame, , EB0B592E96CFAACC113491B333BADFFF, 4CB95D155A76825093B430C7293245F29EA4389CAA1E0F3F460B74398170ECEB
PUP.Optional.BundleInstaller, C:\$RECYCLE.BIN\S-1-5-21-1062094570-161052252-1746623260-1001\$RMUDNHH.EXE, Quarantined, 527, 875791, 1.0.44469, , ame, , 1FjMjtzom8sQqT4RxQCTwt8xSZ8N4UKdE5, 50E6C4EBE44719DEB4CEC7822571CD1BBA99E0148D8A8843EBCE12254AECF961
Spyware.AgentTesla, C:\USERS\WHOOP\APPDATA\LOCAL\LICENSE\ONSE.EXE, Quarantined, 524, 932069, 1.0.44469, 17F67A0A18FCEA8BED6C325D, dds, 01399324, 7BC69F6FAC0D853781B1A72CBA8C770F, 0D2C9B94A19E43C0A017A18C4E386F3A2BB5BDC82D1D8FD69F9864B41B7B7B28
RiskWare.BitCoinMiner, C:\USERS\WHOOP\APPDATA\ROAMINGGPUXTREME.EXE, Quarantined, 921, 947687, 1.0.44469, 498DF7D249CF1491FCB30114, dds, 01399324, A5B21C9FA5B21D80FFA920F959E2BC0F, D45EA79896106F7AFE990FB919C3F610F846CAA4CD11717DAA5B092A7B1653A4
Trojan.Downloader, C:\USERS\WHOOP\APPDATA\LOCAL\TEMP\MSI5915.TMP, Quarantined, 540, 939219, 1.0.44469, 603C3B0B4216587476FAC480, dds, 01399324, D300E84764270BB3DB881C1C0FB7425C, 6E2CCA1A24AE47BB636BC279302C99602C4EB2FA9EB5669883CAFA68AA6953C8
Trojan.Dropper, C:\USERS\WHOOP\APPDATA\LOCAL\TEMP\A83A.EXE, Quarantined, 606, 967801, 1.0.44469, BD2E2708BD2E7C2EFC9F00C3, dds, 01399324, 451B216BB01CF83BE534048A34BBD598, E9F16A751542FB2841BFCFB29FB0BBCE15635E23ADF99D093A1A2D6394BF33DC
Trojan.Downloader, C:\USERS\WHOOP\APPDATA\LOCAL\TEMP\ADOBEIPCBROKER.EXE, Quarantined, 540, 939219, 1.0.44469, 603C3B0B4216587476FAC480, dds, 01399324, D300E84764270BB3DB881C1C0FB7425C, 6E2CCA1A24AE47BB636BC279302C99602C4EB2FA9EB5669883CAFA68AA6953C8
Trojan.Downloader, C:\WINDOWS\INSTALLER\1B7CDBA.MSI, Quarantined, 540, 939219, 1.0.44469, , ame, , C39E2404C20C9805D2619C0C8033A5A5, B99D5598E3F50A9F76F41BA358AC974883BBB54BDA8294DA2A7864DB1B63BBE4

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

I scanned once again after this, but with rootkits enabled this time, and got no detections. Despite this, my viruses seem to persist. I get notifications like this all the time from Malwarebytes:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/29/21
Protection Event Time: 9:44 PM
Log File: ea4a9330-094c-11ec-a07a-6045cba08bf4.json

-Software Information-
Version: 4.4.5.130
Components Version: 1.0.1430
Update Package Version: 1.0.44469
License: Trial

-System Information-
OS: Windows 10 (Build 19043.1165)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Users\whoop\AppData\Local\Temp\RegAsm.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Malware
Domain: 
IP Address: 45.134.225.35
Port: 7821
Type: Outbound
File: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe



(end)

I downloaded AdwCleaner and did a scan, but nothing turns up either:

# -------------------------------
# Malwarebytes AdwCleaner 8.3.0.0
# -------------------------------
# Build:    06-29-2021
# Database: 2021-06-29.1 (Local)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    08-29-2021
# Duration: 00:00:12
# OS:       Windows 10 Home
# Scanned:  31984
# Detected: 0


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

I downloaded and scanned with FRST. Here are the results of my FRST scan:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-08-2021
Ran by Knoop (administrator) on DESKTOP-0NDNAHI (29-08-2021 21:59:55)
Running from F:\SORT THIS
Loaded Profiles: Knoop
Platform: Windows 10 Home Version 21H1 19043.1165 (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Adobe Inc. -> Adobe Inc) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\IPCBox\AdobeIPCBroker.exe
(Adobe Inc. -> Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe
(Discord Inc. -> Discord Inc.) C:\Users\whoop\AppData\Local\Discord\app-1.0.9002\Discord.exe <6>
(Electronic Arts, Inc. -> Electronic Arts) C:\Program Files (x86)\Origin\OriginWebHelperService.exe
(Firebit OU -> Rainmeter) C:\Program Files\Rainmeter\Rainmeter.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <55>
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe
(Hauke Hasselberg) C:\Program Files\WindowsApps\HaukeGtze.NotepadEditor_1.812.1.0_x64__6bk20wvc8rfx2\notepad++_.exe
(June Fabrics Technology Inc. -> ) C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
(Logitech Inc -> Logitech, Inc.) C:\Program Files\LGHUB\lghub.exe <3>
(Logitech Inc -> Logitech, Inc.) C:\Program Files\LGHUB\lghub_agent.exe
(Logitech Inc -> Logitech, Inc.) C:\Program Files\LGHUB\lghub_updater.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Malwarebytes Inc -> Malwarebytes) F:\SORT THIS\adwcleaner_8.3.0.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe <17>
(Microsoft Corporation -> Microsoft Corporation) C:\Users\whoop\AppData\Local\Temp\RegAsm.exe <7>
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_3.2106.14307.0_x64__8wekyb3d8bbwe\Cortana.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_12107.1001.15.0_x64__8wekyb3d8bbwe\WinStore.App.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\oobe\UserOOBEBroker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\SecurityHealthHost.exe <2>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MsMpEng.exe
(Node.js Foundation -> Node.js) C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
(Notepad++ -> Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe
(NVIDIA Corporation -> Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe <3>
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe <3>
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvsphelper64.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_8e68f77150e57b50\Display.NvContainer\NVDisplay.Container.exe <2>
(Valve -> Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Valve -> Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe <7>
(Valve -> Valve Corporation) C:\Program Files (x86)\Steam\steam.exe
(Wacom Co., Ltd. -> Wacom Co. Ltd.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Co., Ltd. -> Wacom Co. Ltd.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Co., Ltd. -> Wacom Co. Ltd.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Wacom Co., Ltd. -> Wacom Co. Ltd.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Wacom Technology Corp. -> Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [Discord] => C:\ProgramData\SquirrelMachineInstalls\Discord.exe [61370712 2020-07-22] (Discord Inc. -> Discord Inc.)
HKLM-x32\...\Run: [Adobe CCXProcess] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe [129288 2021-01-25] (Adobe Inc. -> )
HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [4110568 2021-07-20] (Valve -> Valve Corporation)
HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Run: [Discord] => C:\Users\whoop\AppData\Local\Discord\Update.exe [1512760 2020-12-03] (Discord Inc. -> GitHub)
HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Run: [LGHUB] => C:\Program Files\LGHUB\lghub.exe [136443296 2021-07-30] (Logitech Inc -> Logitech, Inc.)
HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Winlogon: [Shell] explorer.exe, <==== ATTENTION
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\92.0.4515.159\Installer\chrmstp.exe [2021-08-18] (Google LLC -> Google LLC)
Startup: C:\Users\whoop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk [2020-07-22]
ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe (June Fabrics Technology Inc. -> )
Startup: C:\Users\whoop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2020-07-23]
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe (Firebit OU -> Rainmeter)

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {025597BC-07BF-4262-B6A7-82F4130C3A0C} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MpCmdRun.exe [673816 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {07FC8EEE-4B7A-4DE6-B2C1-0F6E301D0DEC} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [907240 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {20D96084-13BE-43E8-872C-61B3F0E103E7} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [646456 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {48177F83-5092-4E06-932F-2D14667AA437} - System32\Tasks\NvTmRep_CrashReport3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1128424 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {52D19885-5EF0-4E4B-A8A3-74BE3C6CE179} - System32\Tasks\Firefox Default Browser Agent C3E1DB00FF43B845 => C:\Users\whoop\AppData\Roaming\wahvgcc [65440 2021-06-19] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
Task: {5FB84654-68B2-45DD-A587-67DFAAFFF9AE} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [3301176 2020-10-20] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {634B8201-999F-4D43-BB10-E106A674FFCB} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-07-22] (Google LLC -> Google LLC)
Task: {67127676-CE87-426D-A5A0-BC3BBE3D1050} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-07-22] (Google LLC -> Google LLC)
Task: {7604EDE2-ECD8-4B45-81DA-16FC8301C9B2} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [907240 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {9234DF23-4404-40E2-990E-3E59FB043762} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MpCmdRun.exe [673816 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {9C3DE8E7-9B64-4A92-A47A-6B86E9DE1E41} - System32\Tasks\NvTmRep_CrashReport4_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1128424 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {A053C074-2702-4463-8E23-8F174798DA5D} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [874472 2020-10-17] (NVIDIA Corporation -> NVIDIA Corporation) -> -d "C:\Program Files\NVIDIA Corporation\NvDriverUpdateCheck" -l 3 -f C:\ProgramData\NVIDIA\NvContainerDriverUpdateCheck.log
Task: {AD16C3A0-F322-44B6-A824-BD23B05A6931} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MpCmdRun.exe [673816 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {BF117608-EFB0-4422-BEBD-C463639BB0BD} - System32\Tasks\NvTmRep_CrashReport2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1128424 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {D62CA360-A06E-4000-80BC-35D1E09FB0CA} - System32\Tasks\NvBatteryBoostCheckOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [874472 2020-10-17] (NVIDIA Corporation -> NVIDIA Corporation) -> -d "C:\Program Files\NVIDIA Corporation\NvBackend\NvBatteryBoostCheck" -l 3 -f C:\ProgramData\NVIDIA\NvContainerBatteryBoostCheck.log
Task: {E414F87E-EA97-4F60-8D86-4A49615CE9BD} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MpCmdRun.exe [673816 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {F46096B4-49DD-4670-9E07-9D3A94669651} - System32\Tasks\NvTmRep_CrashReport1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1128424 2020-10-19] (NVIDIA Corporation -> NVIDIA Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 74.40.74.41
Tcpip\..\Interfaces\{c4a56b54-0624-4212-87ab-fc20de671cdb}: [DhcpNameServer] 192.168.0.1 74.40.74.41
Tcpip\..\Interfaces\{cd50cc4a-4ab4-4e72-80b7-773c0a0aa172}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{fc47bd4c-c1a5-430d-a1a3-52bd938f084d}: [DhcpNameServer] 8.8.8.8

Edge: 
=======
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
Edge Profile: C:\Users\whoop\AppData\Local\Microsoft\Edge\User Data\Default [2021-08-29]

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] (Microsoft Corporation ->  Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] (Microsoft Corporation ->  Microsoft Corporation)

Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default [2021-08-29]
CHR Notifications: Default -> hxxps://voice.google.com; hxxps://www.netflix.com
CHR HomePage: Default -> hxxps://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.tumblr.com/blog/whoopscloplockbox"
CHR DefaultSearchURL: Default -> hxxps://dral.eu/
CHR Extension: (Slides) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2020-07-22]
CHR Extension: (BetterTTV) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2021-08-28]
CHR Extension: (Docs) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2020-07-22]
CHR Extension: (Google Drive) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2020-10-23]
CHR Extension: (Dark Theme for Google™) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\apiabgjfojnkcepfmbdechlhfocpeenc [2021-07-10]
CHR Extension: (YouTube) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2020-07-22]
CHR Extension: (Slinky Elegant) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmanlajnpdncmhfkiccmbgeocgbncfln [2020-07-22]
CHR Extension: (TagPro Capture the Flag) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\bommelfnddjcbmbcfhmhjikpfphlebjh [2020-07-22]
CHR Extension: (Adblock Plus - free ad blocker) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2021-07-27]
CHR Extension: (Watch2Gether) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\cimpffimgeipdhnhjohpbehjkcdpjolg [2021-06-19]
CHR Extension: (Tampermonkey) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2021-06-19]
CHR Extension: (Sheets) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2020-07-22]
CHR Extension: (Window Expander For YouTube) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkpaakpeehepibjpdmoocdaonognfiog [2020-07-22]
CHR Extension: (Tails Verification) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaghffbplpialpoeclgjkkbknblfajdl [2020-07-22]
CHR Extension: (Google Docs Offline) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2021-07-01]
CHR Extension: (Windowed - floating Youtube/every website) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\gibipneadnbflmkebnmcbgjdkngkbklb [2021-01-02]
CHR Extension: (YouTube Windowed FullScreen) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkkmiofalnjagdcjheckamobghglpdpm [2020-07-24]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2021-06-19]
CHR Extension: (DarkCloud) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjicdmidmifkppilbbcanmnljpffmfmh [2020-08-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2021-01-29]
CHR Extension: (Tumblr Savior) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\oefddkjnflmjbclpnnoegglmmdfkidip [2021-08-21]
CHR Extension: (Adfly Notification Bypass) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\oniljfenfhbbjpmpcphgnpjhbapcapek [2021-02-28]
CHR Extension: (Gmail) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2020-10-22]
CHR Extension: (Chrome Media Router) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2021-07-27]
CHR Profile: C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Guest Profile [2021-08-29]
CHR Profile: C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1 [2021-08-24]
CHR Extension: (Slides) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2021-08-24]
CHR Extension: (Docs) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2021-08-24]
CHR Extension: (Google Drive) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2021-08-24]
CHR Extension: (YouTube) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2021-08-24]
CHR Extension: (Sheets) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2021-08-24]
CHR Extension: (Google Docs Offline) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2021-08-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2021-08-24]
CHR Extension: (Gmail) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2021-08-24]
CHR Extension: (Chrome Media Router) - C:\Users\whoop\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2021-08-24]
CHR Profile: C:\Users\whoop\AppData\Local\Google\Chrome\User Data\System Profile [2021-08-29]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [8912272 2021-06-18] (BattlEye Innovations e.K. -> )
S3 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [803440 2020-02-28] (EasyAntiCheat Oy -> EasyAntiCheat Ltd)
S3 EQU8_13; C:\ProgramData\EQU8\Diabotical\bin\anticheat.x64.equ8.exe [5561024 2020-09-04] (Int3 Software AB -> Int3 Software AB)
R2 LGHUBUpdaterService; C:\Program Files\LGHUB\lghub_updater.exe [10787232 2021-07-30] (Logitech Inc -> Logitech, Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7497336 2021-08-29] (Malwarebytes Inc -> Malwarebytes)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2556048 2021-07-15] (Electronic Arts, Inc. -> Electronic Arts)
R2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [3474584 2021-07-15] (Electronic Arts, Inc. -> Electronic Arts)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\NisSrv.exe [2727416 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MsMpEng.exe [136656 2021-08-04] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_8e68f77150e57b50\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f %ProgramData%\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_8e68f77150e57b50\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BthA2dp; C:\Windows\System32\drivers\BthA2dp.sys [279040 2019-12-07] (Microsoft Corporation) [File not signed]
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus2.sys [159864 2021-06-29] (Samsung Electronics Co., Ltd. -> Samsung Electronics Co., Ltd.)
S3 EQU8_HELPER_13; C:\Windows\system32\DRIVERS\EQU8_HELPER_13.sys [38080 2020-09-04] (Int3 Software AB -> )
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [160176 2021-08-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R2 LGHUBTemperatureService; C:\Program Files\LGHUB\logi_core_temp.sys [22864 2021-07-30] (Logitech Inc -> Logitech)
R3 logi_joy_bus_enum; C:\Windows\system32\drivers\logi_joy_bus_enum.sys [37200 2021-03-17] (Logitech Inc -> Logitech)
R3 logi_joy_vir_hid; C:\Windows\system32\drivers\logi_joy_vir_hid.sys [25928 2021-03-17] (Logitech Inc -> Logitech)
R3 logi_joy_xlcore; C:\Windows\system32\drivers\logi_joy_xlcore.sys [66896 2021-03-17] (Logitech Inc -> Logitech)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [210344 2021-08-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [19912 2021-08-29] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [198888 2021-08-29] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [68528 2021-08-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248992 2021-08-29] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [149424 2021-08-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [167280 2020-11-11] (Samsung Electronics Co., Ltd. -> Samsung Electronics Co., Ltd.)
R3 SteamStreamingMicrophone; C:\Windows\system32\drivers\SteamStreamingMicrophone.sys [40736 2017-07-28] (Valve Corp. -> )
R3 SteamStreamingSpeakers; C:\Windows\system32\drivers\SteamStreamingSpeakers.sys [40736 2017-07-20] (Valve Corp. -> )
S0 WdBoot; C:\Windows\System32\drivers\wd\WdBoot.sys [49568 2021-08-04] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [434424 2021-08-04] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [78072 2021-08-04] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-08-29 21:08 - 2021-08-29 21:08 - 000000000 ____D C:\Users\whoop\Documents\Adobe
2021-08-29 21:08 - 2021-08-29 21:08 - 000000000 ____D C:\Users\whoop\AppData\Local\Adobe
2021-08-29 20:58 - 2021-08-29 22:00 - 000000000 ____D C:\FRST
2021-08-29 20:57 - 2021-08-29 20:59 - 000000000 ____D C:\AdwCleaner
2021-08-29 20:12 - 2021-08-29 20:12 - 000248992 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2021-08-29 20:12 - 2021-08-29 20:12 - 000210344 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2021-08-29 20:12 - 2021-08-29 20:12 - 000198888 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2021-08-29 20:12 - 2021-08-29 20:12 - 000149424 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2021-08-29 20:12 - 2021-08-29 20:12 - 000068528 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2021-08-29 20:12 - 2021-08-29 20:12 - 000002036 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2021-08-29 20:12 - 2021-08-29 20:12 - 000002024 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2021-08-29 20:12 - 2021-08-29 20:12 - 000000000 ____D C:\Users\whoop\AppData\Local\mbam
2021-08-29 20:12 - 2021-08-29 20:11 - 000160176 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2021-08-29 20:12 - 2021-08-29 20:11 - 000019912 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamElam.sys
2021-08-29 20:11 - 2021-08-29 20:11 - 000000000 ____D C:\ProgramData\Malwarebytes
2021-08-29 20:05 - 2021-08-29 20:05 - 000000000 ____D C:\Program Files\Malwarebytes
2021-08-29 20:03 - 2021-08-29 20:04 - 002120496 _____ (Malwarebytes) C:\Users\whoop\Downloads\MBSetup-119967.119967-consumer.exe
2021-08-29 19:31 - 2021-08-29 20:24 - 000000000 ____D C:\Users\whoop\AppData\Local\license
2021-08-29 19:31 - 2021-08-29 19:54 - 005294080 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\icacls.exe
2021-08-29 19:30 - 2021-08-29 20:24 - 000000000 ____D C:\Users\whoop\AppData\Roaming\Cached files
2021-08-29 19:30 - 2021-08-29 19:54 - 000474112 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\rdrleakdiag.exe
2021-08-29 19:30 - 2021-08-29 19:54 - 000473088 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\gpresult.exe
2021-08-29 19:30 - 2021-08-29 19:30 - 000003728 _____ C:\Windows\system32\Tasks\Firefox Default Browser Agent C3E1DB00FF43B845
2021-08-29 19:29 - 2021-08-29 19:37 - 000001133 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Premiere Pro 2021.lnk
2021-08-29 19:29 - 2021-08-29 19:29 - 000000000 ____D C:\Users\Public\Documents\Adobe
2021-08-29 19:29 - 2021-08-29 19:29 - 000000000 ____D C:\Program Files\Common Files\Adobe
2021-08-29 19:29 - 2021-08-29 19:29 - 000000000 ____D C:\Program Files\Adobe
2021-08-29 19:29 - 2021-08-29 19:29 - 000000000 ____D C:\Program Files (x86)\Adobe
2021-08-29 19:27 - 2021-08-29 19:27 - 000000000 ____D C:\ProgramData\Adobe
2021-08-22 19:47 - 2021-08-29 18:51 - 000000000 ____D C:\Users\whoop\AppData\Local\BitTorrentHelper
2021-08-22 19:46 - 2021-08-29 20:37 - 000000000 ____D C:\Users\whoop\AppData\Roaming\BitTorrent
2021-08-22 19:46 - 2021-08-22 19:46 - 000000919 _____ C:\Users\whoop\Desktop\BitTorrent.lnk
2021-08-22 19:01 - 2021-08-22 19:05 - 000000000 ____D C:\Users\whoop\AppData\Roaming\OBS
2021-08-10 18:07 - 2021-08-10 18:07 - 002755584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2021-08-10 18:07 - 2021-08-10 18:07 - 002755584 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2021-08-10 18:07 - 2021-08-10 18:07 - 001823280 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2021-08-10 18:07 - 2021-08-10 18:07 - 001393480 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2021-08-10 18:07 - 2021-08-10 18:07 - 001333760 _____ C:\Windows\SysWOW64\TextInputMethodFormatter.dll
2021-08-10 18:07 - 2021-08-10 18:07 - 000288768 _____ C:\Windows\system32\Windows.Management.InprocObjects.dll
2021-08-10 18:07 - 2021-08-10 18:07 - 000011347 _____ C:\Windows\system32\DrtmAuthTxt.wim
2021-08-10 18:01 - 2021-08-10 18:01 - 000000000 ___HD C:\$WinREAgent
2021-08-02 12:37 - 2021-06-29 05:43 - 000159864 _____ (Samsung Electronics Co., Ltd.) C:\Windows\system32\Drivers\ssudbus2.sys
2021-08-01 14:29 - 2021-08-01 14:29 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logi
2021-08-01 14:29 - 2021-08-01 14:29 - 000000000 ____D C:\Program Files\LGHUB

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-08-29 21:53 - 2020-07-22 16:25 - 000000000 ____D C:\Users\whoop\AppData\Roaming\Discord
2021-08-29 21:49 - 2020-07-22 16:24 - 000000000 ____D C:\Program Files (x86)\Steam
2021-08-29 21:34 - 2020-07-22 16:25 - 000000000 ____D C:\Users\whoop\AppData\Local\Discord
2021-08-29 21:29 - 2020-07-22 15:10 - 000000000 ____D C:\Program Files (x86)\Google
2021-08-29 21:08 - 2020-07-22 14:51 - 000000000 ____D C:\Users\whoop\AppData\Roaming\Adobe
2021-08-29 20:26 - 2019-12-07 02:03 - 000032768 _____ C:\Windows\system32\config\ELAM
2021-08-29 20:12 - 2019-12-07 02:14 - 000000000 ___HD C:\Windows\ELAMBKUP
2021-08-29 19:54 - 2020-07-23 22:38 - 000000000 ____D C:\Users\whoop\AppData\Local\CrashDumps
2021-08-29 19:47 - 2019-12-07 02:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2021-08-29 19:28 - 2020-07-22 22:50 - 000000000 ____D C:\Users\whoop\AppData\Local\D3DSCache
2021-08-29 19:28 - 2020-07-22 15:49 - 000000000 ____D C:\ProgramData\Package Cache
2021-08-29 19:11 - 2020-07-22 14:18 - 000000000 ____D C:\Windows\system32\SleepStudy
2021-08-29 12:25 - 2020-07-22 15:49 - 000000000 ____D C:\ProgramData\NVIDIA
2021-08-29 11:32 - 2020-07-22 14:24 - 000840602 _____ C:\Windows\system32\PerfStringBackup.INI
2021-08-29 11:32 - 2019-12-07 02:13 - 000000000 ____D C:\Windows\INF
2021-08-29 11:26 - 2020-07-24 13:48 - 000000000 ____D C:\Users\whoop\AppData\Roaming\LGHUB
2021-08-29 11:26 - 2020-07-24 13:48 - 000000000 ____D C:\Users\whoop\AppData\Local\LGHUB
2021-08-29 11:26 - 2020-07-24 01:24 - 000000000 ____D C:\Users\whoop\AppData\Roaming\WTablet
2021-08-29 11:25 - 2020-07-22 14:46 - 000000000 ____D C:\Users\whoop
2021-08-29 11:25 - 2020-07-22 14:18 - 000008192 ___SH C:\DumpStack.log.tmp
2021-08-29 11:25 - 2020-07-22 14:18 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2021-08-28 23:16 - 2020-08-28 21:27 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2021-08-28 23:16 - 2019-12-07 02:14 - 000000000 ___HD C:\Program Files\WindowsApps
2021-08-28 23:16 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\AppReadiness
2021-08-22 22:03 - 2020-07-22 14:52 - 000003378 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1062094570-161052252-1746623260-1001
2021-08-22 22:03 - 2020-07-22 14:46 - 000002382 _____ C:\Users\whoop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2021-08-18 18:15 - 2020-07-22 15:18 - 000002304 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2021-08-15 13:11 - 2020-08-28 21:27 - 000003480 _____ C:\Windows\system32\Tasks\LLW6bSoGD3bA7iUyUa9LzVsAWoZUNsMZCa
2021-08-15 13:11 - 2020-08-28 21:27 - 000003356 _____ C:\Windows\system32\Tasks\LLW6bSoGD3bA7iUyUa9LzVsAWoZUNsMZCa
2021-08-14 20:56 - 2020-07-22 21:53 - 000000000 ____D C:\Users\whoop\AppData\Local\Battle.net
2021-08-14 19:56 - 2020-07-22 21:52 - 000000000 ____D C:\Program Files (x86)\Battle.net
2021-08-11 03:33 - 2020-07-22 14:18 - 000257824 _____ C:\Windows\system32\FNTCACHE.DAT
2021-08-11 03:33 - 2019-12-07 02:03 - 000524288 _____ C:\Windows\system32\config\BBI
2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ___SD C:\Windows\system32\UNP
2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\SysWOW64\Dism
2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\SystemResources
2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\oobe
2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\Dism
2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\ShellComponents
2021-08-11 03:32 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\bcastdvr
2021-08-11 03:32 - 2019-12-07 02:03 - 000000000 ____D C:\Windows\servicing
2021-08-10 18:09 - 2019-12-07 02:03 - 000000000 ____D C:\Windows\CbsTemp
2021-08-10 17:59 - 2020-07-28 11:55 - 000000000 ____D C:\Windows\system32\MRT
2021-08-10 17:57 - 2020-07-28 11:54 - 133215968 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2021-08-10 05:42 - 2020-07-22 14:51 - 000000000 ____D C:\Users\whoop\AppData\Local\Packages
2021-08-08 19:51 - 2020-07-22 14:52 - 000000000 ___RD C:\Users\whoop\OneDrive
2021-08-07 01:55 - 2020-07-28 02:47 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battlestate Games
2021-08-04 11:09 - 2020-07-22 15:10 - 000003420 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
2021-08-04 11:09 - 2020-07-22 15:10 - 000003296 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
2021-08-04 09:00 - 2020-07-22 14:18 - 000000000 ____D C:\Windows\system32\Drivers\wd
2021-07-31 12:02 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\LiveKernelReports

==================== Files in the root of some directories ========

2021-08-29 19:30 - 2021-08-29 19:54 - 000473088 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\gpresult.exe
2021-08-29 19:31 - 2021-08-29 19:54 - 005294080 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\icacls.exe
2021-07-13 21:19 - 2021-07-13 21:19 - 000000285 _____ () C:\Users\whoop\AppData\Roaming\PureRef.ini
2021-08-29 19:30 - 2021-08-29 19:54 - 000474112 _____ (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\rdrleakdiag.exe
2021-06-19 16:18 - 2021-06-19 16:18 - 000248375 ___SH () C:\Users\whoop\AppData\Roaming\tdvbusa
2021-06-19 16:18 - 2021-06-19 16:18 - 000065440 ___SH (Microsoft Corporation) C:\Users\whoop\AppData\Roaming\wahvgcc

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-08-2021
Ran by Knoop (29-08-2021 22:01:08)
Running from F:\SORT THIS
Windows 10 Home Version 21H1 19043.1165 (X64) (2020-07-22 21:20:11)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-1062094570-161052252-1746623260-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1062094570-161052252-1746623260-503 - Limited - Disabled)
Guest (S-1-5-21-1062094570-161052252-1746623260-501 - Limited - Disabled)
Knoop (S-1-5-21-1062094570-161052252-1746623260-1001 - Administrator - Enabled) => C:\Users\whoop
WDAGUtilityAccount (S-1-5-21-1062094570-161052252-1746623260-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 19.00 (x64) (HKLM\...\7-Zip) (Version: 19.00 - Igor Pavlov)
Adobe Premiere Pro 2021 (HKLM-x32\...\{2B1EBFAA-E2D6-494D-9E24-DA06217F5FA2}) (Version: 1.0.0 - IGI)
Adobe Premiere Pro 2021 (HKLM-x32\...\PPRO_15_2) (Version: 15.2 - Adobe Inc.)
AdoptOpenJDK JRE with Hotspot 11.0.8.10 (x64) (HKLM\...\{E70F16B5-3394-48B9-B75B-023E27AE6917}) (Version: 11.0.8.10 - AdoptOpenJDK)
Apex Legends (HKLM-x32\...\{D7FBF176-382D-484E-863A-DFD1124A2A1C}) (Version: 1.0.7.1 - Electronic Arts, Inc.)
AutoHotkey 1.1.33.09 (HKLM\...\AutoHotkey) (Version: 1.1.33.09 - Lexikos)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Battlestate Games Launcher 12.9.0.1521 (HKLM-x32\...\{B0FDA062-7581-4D67-B085-C4E7C358037F}_is1) (Version: 12.9.0.1521 - Battlestate Games)
BitTorrent (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\BitTorrent) (Version: 7.10.5.46011 - BitTorrent Inc.)
Call of Duty Modern Warfare (HKLM-x32\...\Call of Duty Modern Warfare) (Version:  - Blizzard Entertainment)
Discord (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\Discord) (Version: 0.0.309 - Discord Inc.)
Epic Games Launcher (HKLM-x32\...\{0EE6DDEF-E36B-45EB-9E03-5A266EC8A8F8}) (Version: 1.1.279.0 - Epic Games, Inc.)
Escape from Tarkov (HKLM-x32\...\EscapeFromTarkov) (Version: 0.12.7.8334 - Battlestate Games)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 92.0.4515.159 - Google LLC)
Launcher Prerequisites (x64) (HKLM-x32\...\{43a03b9c-4770-409c-a999-587b60700b63}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Logitech G HUB (HKLM\...\{521c89be-637f-4274-a840-baaf7460c2b2}) (Version: 2021.8.792 - Logitech)
Malwarebytes version 4.4.5.130 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.4.5.130 - Malwarebytes)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 92.0.902.84 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\OneDriveSetup.exe) (Version: 21.150.0725.0001 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50918.0 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{852D8FE5-BC66-4061-B1C4-CADF51E5B27D}) (Version: 2.82.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.28.29334 (HKLM-x32\...\{a9cfe9c7-e54f-46cd-9c5c-542ff8e3e8c4}) (Version: 14.28.29334.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.28.29334 (HKLM-x32\...\{b2d0f752-adc5-496e-8f70-8669de01f746}) (Version: 14.28.29334.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
Minecraft Launcher (HKLM-x32\...\{F6678473-0198-46D0-A88F-2A247E6FA03C}) (Version: 1.0.0.0 - Mojang)
Notepad++ (32-bit x86) (HKLM-x32\...\Notepad++) (Version: 7.8.9 - Notepad++ Team)
NVIDIA FrameView SDK 1.1.4923.29214634 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_FrameViewSdk) (Version: 1.1.4923.29214634 - NVIDIA Corporation)
NVIDIA GeForce Experience 3.20.5.70 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.20.5.70 - NVIDIA Corporation)
NVIDIA Graphics Driver 460.79 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 460.79 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.38.40 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.38.40 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.19.0218 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.19.0218 - NVIDIA Corporation)
Origin (HKLM-x32\...\Origin) (Version: 10.5.102.48654 - Electronic Arts, Inc.)
Overwatch (HKLM-x32\...\Overwatch) (Version:  - Blizzard Entertainment)
paint.net (HKLM\...\{6FED3D93-C0FA-4BD7-A36F-7FC53698244F}) (Version: 4.2.15 - dotPDN LLC)
PdaNet+ for Android 5.22 (HKLM-x32\...\PdaNet_is1) (Version:  - June Fabrics Technology)
PostyBirb+ 3.0.36 (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\caa559a3-e745-546c-923c-94a7ab26447f) (Version: 3.0.36 - Michael DiCarlo)
PureRef (HKLM-x32\...\PureRef) (Version: 1.10.4 - Idyllic Pixel)
Rainmeter (HKLM-x32\...\Rainmeter) (Version: 4.3.1 r3321 - Rainmeter)
REDlauncher (HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\{7258BA11-600C-430E-A759-27E2C691A335}-REDlauncher_is1) (Version:  - GOG.com)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Titanfall™ 2 (HKLM-x32\...\{4BD80373-FEE7-45B6-8249-6E8E98717405}) (Version: 1.0.1.3 - Electronic Arts, Inc.)
Tom Clancy's Rainbow Six Siege (HKLM-x32\...\Uplay Install 635) (Version:  - Ubisoft Montreal)
Trackmania (HKLM-x32\...\Uplay Install 5595) (Version:  - Ubisoft)
Ubisoft Connect (HKLM-x32\...\Uplay) (Version: 112.2 - Ubisoft)
UE4 Prerequisites (x64) (HKLM\...\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}) (Version: 1.0.14.0 - Epic Games, Inc.) Hidden
UE4 Prerequisites (x64) (HKLM-x32\...\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}) (Version: 1.0.14.0 - Epic Games, Inc.) Hidden
Wacom Tablet (HKLM\...\Wacom Tablet Driver) (Version: 6.3.40-2 - Wacom Technology Corp.)

Packages:
=========
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2020-07-23] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2020-07-23] (Microsoft Corporation) [MS Ad]
Notepad++ Editor -> C:\Program Files\WindowsApps\HaukeGtze.NotepadEditor_1.812.1.0_x64__6bk20wvc8rfx2 [2021-07-31] (Hauke Hasselberg)
NVIDIA Control Panel -> C:\Program Files\WindowsApps\NVIDIACorp.NVIDIAControlPanel_8.1.961.0_x64__56jybvy8sckqj [2021-05-25] (NVIDIA Corp.)
Spotify Music -> C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.166.580.0_x86__zpdnekdrzrea0 [2021-08-25] (Spotify AB) [Startup Task]
Xbox One SmartGlass -> C:\Program Files\WindowsApps\Microsoft.XboxOneSmartGlass_2.2.1702.2004_x64__8wekyb3d8bbwe [2020-09-08] (Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-21] (Igor Pavlov) [File not signed]
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2020-07-15] (Notepad++ -> )
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-08-29] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-21] (Igor Pavlov) [File not signed]
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_8e68f77150e57b50\nvshext.dll [2020-12-04] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-21] (Igor Pavlov) [File not signed]
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-08-29] (Malwarebytes Corporation -> Malwarebytes)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2021-08-01 14:29 - 2021-07-30 19:13 - 000634880 _____ () [File not signed] \\?\C:\Program Files\LGHUB\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node
2020-07-22 16:24 - 2019-02-21 09:00 - 000078336 _____ (Igor Pavlov) [File not signed] C:\Program Files\7-Zip\7-zip.dll
2020-07-22 22:50 - 2020-07-22 22:50 - 001282048 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files (x86)\Origin\LIBEAY32.dll
2020-07-22 22:50 - 2020-07-22 22:50 - 000279040 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files (x86)\Origin\ssleay32.dll
2020-07-22 22:50 - 2020-07-22 22:50 - 001611264 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\platforms\qwindows.dll
2021-07-28 11:00 - 2020-07-22 22:50 - 005487104 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Core.dll
2021-07-28 11:00 - 2020-07-22 22:50 - 005841920 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Gui.dll
2021-07-28 11:00 - 2020-07-22 22:50 - 001179136 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Network.dll
2021-07-28 11:00 - 2020-07-22 22:50 - 000146432 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5WebSockets.dll
2021-07-28 11:00 - 2020-07-22 22:50 - 005089792 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Widgets.dll
2021-07-28 11:00 - 2020-07-22 22:50 - 000184832 _____ (The Qt Company Ltd) [File not signed] C:\Program Files (x86)\Origin\Qt5Xml.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========


==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 02:14 - 2019-12-07 02:12 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> C:\Program Files\AdoptOpenJDK\jre-11.0.8.10-hotspot\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common
HKU\S-1-5-21-1062094570-161052252-1746623260-1001\Control Panel\Desktop\\Wallpaper -> F:\Arts n Draws\References\Urban\tumblr_oh093gcs9Q1qzi9p6o7_1280.jpg
DNS Servers: 192.168.0.1 - 74.40.74.41
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKLM\...\StartupApproved\Run32: => "Discord"
HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\StartupApproved\Run: => "Steam"
HKU\S-1-5-21-1062094570-161052252-1746623260-1001\...\StartupApproved\Run: => "Discord"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{C5AED672-3B5F-48D6-AF45-C246ACFD01F1}C:\users\whoop\appdata\roaming\bittorrent\bittorrent.exe] => (Block) C:\users\whoop\appdata\roaming\bittorrent\bittorrent.exe (BitTorrent Inc -> BitTorrent Inc.)
FirewallRules: [UDP Query User{C96DFC2D-C5BF-4F5A-B9C0-8C87FE66C4A0}C:\users\whoop\appdata\roaming\bittorrent\bittorrent.exe] => (Block) C:\users\whoop\appdata\roaming\bittorrent\bittorrent.exe (BitTorrent Inc -> BitTorrent Inc.)

==================== Restore Points =========================

10-08-2021 17:59:17 Windows Modules Installer
19-08-2021 15:07:53 Scheduled Checkpoint
28-08-2021 23:48:12 Scheduled Checkpoint

==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (08/29/2021 07:54:31 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RegAsm.exe, version: 4.8.4084.0, time stamp: 0x6012c0b8
Faulting module name: RegAsm.exe, version: 4.8.4084.0, time stamp: 0x6012c0b8
Exception code: 0xc0000005
Fault offset: 0x0000178d
Faulting process id: 0x348
Faulting application start time: 0x01d79d4a584ec454
Faulting application path: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe
Faulting module path: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe
Report Id: f0e74dc9-4b30-4afd-bc0e-fb56230e228e
Faulting package full name: 
Faulting package-relative application ID:

Error: (08/29/2021 07:35:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: A83A.exe, version: 5.0.1.1, time stamp: 0xbaa599a4
Faulting module name: KERNELBASE.dll, version: 10.0.19041.1151, time stamp: 0x891df6d3
Exception code: 0xe0434352
Fault offset: 0x0000000000034ed9
Faulting process id: 0x1d84
Faulting application start time: 0x01d79d479b0b1815
Faulting application path: C:\Users\whoop\AppData\Local\Temp\A83A.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: 4ce7e010-fc24-4a15-983c-1b1adce3b9ec
Faulting package full name: 
Faulting package-relative application ID:

Error: (08/29/2021 07:35:15 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: A83A.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.WebException
   at System.Net.HttpWebRequest.EndGetResponse(System.IAsyncResult)
   at System.Net.WebClient.GetWebResponse(System.Net.WebRequest, System.IAsyncResult)
   at System.Net.WebClient.DownloadBitsResponseCallback(System.IAsyncResult)

Exception Info: System.Reflection.TargetInvocationException
   at System.ComponentModel.AsyncCompletedEventArgs.RaiseExceptionIfNecessary()
   at Rymacojpzn.Program.Client_DownloadDataCompleted(System.Object, System.Net.DownloadDataCompletedEventArgs)
   at System.Net.WebClient.OnDownloadDataCompleted(System.Net.DownloadDataCompletedEventArgs)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
   at System.Threading.ThreadPoolWorkQueue.Dispatch()

Error: (08/29/2021 07:35:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 10.0.19041.1151, time stamp: 0x63a3353b
Faulting module name: ntdll.dll, version: 10.0.19041.1110, time stamp: 0x8a32a22a
Exception code: 0xc0000374
Fault offset: 0x000e6c23
Faulting process id: 0x1e5c
Faulting application start time: 0x01d79d47a9b1c17d
Faulting application path: C:\Windows\SysWOW64\explorer.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 35a25cdc-05c7-4ff5-8767-57ee8ce7c9dd
Faulting package full name: 
Faulting package-relative application ID:

Error: (08/29/2021 07:30:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RegAsm.exe, version: 4.8.4084.0, time stamp: 0x6012c0b8
Faulting module name: RegAsm.exe, version: 4.8.4084.0, time stamp: 0x6012c0b8
Exception code: 0xc0000005
Fault offset: 0x0000178d
Faulting process id: 0x3674
Faulting application start time: 0x01d79d4705026366
Faulting application path: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe
Faulting module path: C:\Users\whoop\AppData\Local\Temp\RegAsm.exe
Report Id: fff3efb2-a944-44c9-a769-cef42660008a
Faulting package full name: 
Faulting package-relative application ID:

Error: (08/26/2021 03:55:00 PM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimizer couldn't complete retrim on 3TB Drive (F:) because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)

Error: (08/19/2021 03:07:51 PM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimizer couldn't complete retrim on 3TB Drive (F:) because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)

Error: (08/17/2021 05:33:00 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program hl2.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 4734

Start Time: 01d793553a4aafd6

Termination Time: 84

Application Path: C:\Program Files (x86)\Steam\steamapps\common\Team Fortress 2\hl2.exe

Report Id: 2eaf8469-78b4-4219-8745-aede01589b1e

Faulting package full name: 

Faulting package-relative application ID: 

Hang type: Unknown


System errors:
=============
Error: (08/29/2021 11:25:57 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMChameleon service failed to start due to the following error: 
The system cannot find the file specified.

Error: (08/29/2021 11:25:57 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:10:28 AM on ‎8/‎29/‎2021 was unexpected.

Error: (08/28/2021 11:10:13 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMChameleon service failed to start due to the following error: 
The system cannot find the file specified.

Error: (08/28/2021 11:10:12 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 5:28:55 PM on ‎8/‎27/‎2021 was unexpected.

Error: (08/28/2021 11:10:03 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY)
Description: 3221225684A fatal error occurred processing the restoration data.

Error: (08/24/2021 08:08:54 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMChameleon service failed to start due to the following error: 
The system cannot find the file specified.

Error: (08/24/2021 08:08:54 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:43:45 PM on ‎8/‎24/‎2021 was unexpected.

Error: (08/22/2021 04:43:33 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMChameleon service failed to start due to the following error: 
The system cannot find the file specified.


Windows Defender:
================
Date: 2021-08-29 20:04:41
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/AgentTesla.BWK!MTB&threatid=2147784179&enterprise=0
Name: Trojan:MSIL/AgentTesla.BWK!MTB
Severity: Severe
Category: Trojan
Path: file:_C:\Users\whoop\AppData\Roaming\SysResetErr.exe; winlogonshell:_HKCU@S-1-5-21-1062094570-161052252-1746623260-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:"C:\Users\whoop\AppData\Roaming\SysResetErr.exe"
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: User
Process Name: Unknown
Security intelligence Version: AV: 1.347.655.0, AS: 1.347.655.0, NIS: 1.347.655.0
Engine Version: AM: 1.1.18400.5, NIS: 1.1.18400.5

Date: 2021-08-29 20:02:10
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/AgentTesla.AUE!MTB&threatid=2147780834&enterprise=0
Name: Trojan:MSIL/AgentTesla.AUE!MTB
Severity: Severe
Category: Trojan
Path: containerfile:_F:\Video Editing\Software\AdobeIPCBroker.exe; file:_F:\Video Editing\Software\AdobeIPCBroker.exe->[MSILRES:costura.newtonsoft.json.dll]
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Security intelligence Version: AV: 1.347.655.0, AS: 1.347.655.0, NIS: 1.347.655.0
Engine Version: AM: 1.1.18400.5, NIS: 1.1.18400.5

Date: 2021-08-27 10:08:58
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-08-26 09:40:59
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-08-24 10:43:37
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

CodeIntegrity:
===============
Date: 2020-08-05 02:49:20
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe) attempted to load \Device\HarddiskVolume3\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info =========================== 

BIOS: American Megatrends Inc. 0612 05/15/2017
Motherboard: ASUSTeK COMPUTER INC. PRIME X370-PRO
Processor: AMD Ryzen 7 1700 Eight-Core Processor 
Percentage of memory in use: 48%
Total physical RAM: 16311.9 MB
Available physical RAM: 8329.47 MB
Total Virtual: 34743.9 MB
Available Virtual: 21879.44 MB

==================== Drives ================================

Drive c: (SSD) (Fixed) (Total:465.65 GB) (Free:73.34 GB) NTFS
Drive f: (3TB Drive) (Fixed) (Total:2794.4 GB) (Free:1243.26 GB) NTFS

\\?\Volume{0debd0f1-82ff-455c-bbcf-7bc1426ee9be}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32
\\?\Volume{16b759e1-cfac-4bd3-bc07-e83e4fb40598}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Protective MBR) (Size: 2794.5 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 1 (Size: 465.8 GB) (Disk ID: F9A7AECF)

Partition: GPT.

==================== End of Addition.txt =======================

Hopefully that is all the relevant information needed to help me, I desperately need it. I can't seem to get rid of these pesky .exe files still floating around my system. 😭

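The Defender entry above shows the infection persisting through the per-user Winlogon Shell value and (in the Malwarebytes log) a Run key entry, both pointing at executables under the user's profile. The following is an added PowerShell audit written for this thread, not a tool from the poster or from Malwarebytes; it reads those two autostart locations and flags entries that launch from user-writable profile directories, which is exactly the pattern seen here. The directory list and the "explorer.exe" baseline are assumptions stated in the comments.

```powershell
# Added example (not from the thread): audit Winlogon\Shell and the Run keys
# for launchers living in user-writable profile paths, as seen in the logs above.
function Test-SuspiciousAutostartPath {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    # Reduce '"C:\path\x.exe" args' or 'C:\path\x.exe args' to the bare executable path.
    $exe = ($Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    # Assumption: a shell or autostart binary should not run from these locations.
    # Some legitimate per-user apps do live under LOCALAPPDATA, so a hit means "review", not "malicious".
    $userWritable = @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA")
    foreach ($dir in $userWritable) {
        if ($exe.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-AutostartFindings {
    $findings = @()
    $winlogonKeys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $winlogonKeys) {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        # Baseline: HKCU normally has no Shell value at all; HKLM should be plain "explorer.exe".
        if ($shell -and $shell -ne 'explorer.exe') {
            $findings += [pscustomobject]@{ Location = "$key\Shell"; Value = $shell
                                            Suspicious = (Test-SuspiciousAutostartPath $shell) }
        }
    }
    $runKeys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
            if (Test-SuspiciousAutostartPath $p.Value) {
                $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $p.Value; Suspicious = $true }
            }
        }
    }
    return $findings
}

Get-AutostartFindings | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; it only reads the registry and writes nothing. Any HKCU Shell value at all, or a Run entry pointing into Temp or AppData\Roaming, is worth handing to the helper alongside the FRST logs.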

Hello Knooper and welcome to Malwarebytes,

Please do not use Code or Quote boxes for any of your replies or requested logs. I want you to run FRST again; please attach the produced logs to your reply.

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, attach the new logs, "FRST.txt" and "Addition.txt", to your reply.


If English is not your primary language, rename FRST to FRSTEnglish before running (right click on FRST, select "Rename").

Thank you,

Kevin.

  • Solution

Hiya Knooper,

Thanks for those attached logs, continue;

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin



Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Download "Microsoft's Safety Scanner" and save it directly to the desktop.

Ensure you get the correct version for your system:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the tool and select Run as Administrator; the tool will expand to the options window.
In the "Scan Type" window, select Full Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time.

Let me see those logs in your reply.

Thank you,

Kevin.

fixlist.txt



Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
This topic is now closed to further replies.