
malware infected from USB drive



Put a USB drive in my computer a few days ago, computer started acting strangely. Adobe Illustrator not working properly, anti-virus programs not working properly, even FRST didn't load correctly until I re-downloaded it. I notice a lot of entries in my process list using Process Explorer and dozens of outbound connections using svchost and system. I had to boot in safe mode and run an old copy of FRST because I couldn't download a fresh copy without networking.

 

Attachments: Addition.txt, FRST.txt

Edited by AdvancedSetup
Removed unwanted text

  • Root Admin

Hello @malwareismyfriend :welcome:

You will need to have access to the Internet from another computer or some way to transfer files. (it seems you've already done so as you posted logs)

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


Okay, I got it running from my desktop. This log looks completely different from the one above, very odd.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-08-2022
Ran by God (administrator) on FAST-DELL (Dell Inc. Inspiron 3891) (29-09-2022 00:16:11)
Running from C:\Users\gngn1\Desktop
Loaded Profiles: God
Platform: Microsoft Windows 11 Home Version 21H2 22000.978 (X64) Language: English (United States)
Default browser: FF
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_appbroker.exe
(C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe
(C:\Program Files\Logitech\LogiOptions\LogiOptions.exe ->) (Logitech Inc -> Logitech) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOverlay.exe
(C:\Program Files\Logitech\LogiOptions\LogiOptions.exe ->) (Logitech Inc -> Logitech, Inc.) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe
(C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe ->) (Logitech Inc -> Logitech, Inc.) C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\laclient.exe
(C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCopyAccelerator.exe
(DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxCUIService.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxEM.exe
(explorer.exe ->) (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenu.exe
(explorer.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\Logitech\LogiOptions\LogiOptions.exe
(explorer.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft OneDrive\OneDrive.exe
(services.exe ->) (Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
(services.exe ->) (Apple Inc. -> Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(services.exe ->) (Code Sector -> ) C:\Program Files\TeraCopy\TeraCopyService.exe
(services.exe ->) (Dell Inc -> Dell Inc.) C:\Program Files\Dell\Fusion\FusionService.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxCUIService.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_f83b924791f3a52a\OneApp.IGCC.WinService.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\IntelCpHDCPSvc.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\IntelCpHeciSvc.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\mewmiprov.inf_amd64_d4564390a9b1e980\WMIRegistrationService.exe
(services.exe ->) (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_7aa6ca9dbb25bff8\jhi_service.exe
(services.exe ->) (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\lms.inf_amd64_5d10f2aad7f84bec\LMS.exe
(services.exe ->) (Intel(R) Rapid Storage Technology -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iastorac.inf_amd64_68966115f2eef4e5\RstMwService.exe
(services.exe ->) (Károly Pados -> Károly Pados) C:\Program Files (x86)\TinyWall\TinyWall.exe <3>
(services.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\NisSrv.exe
(services.exe ->) (PhaseFive Systems LLC -> Phase Five Systems) C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe
(services.exe ->) (TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(services.exe ->) (voidtools -> voidtools) C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64\Everything.exe
(services.exe ->) (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.) C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe
(sihost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.4447.0_x64__8wekyb3d8bbwe\PAD.Console.Host.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <3>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wlanext.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163640 2017-08-13] (Ivaylo Beltchev -> IvoSoft) [File not signed]
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [509936 2018-04-11] (Adobe Systems Incorporated -> Adobe Systems Incorporated)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\System32\LogiLDA.dll [3831808 2021-08-30] (Microsoft Windows Hardware Compatibility Publisher -> Logitech)
HKLM\...\Run: [LogiOptions] => C:\Program Files\Logitech\LogiOptions\LogiOptions.exe [1687616 2022-02-21] (Logitech Inc -> Logitech, Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [1067528 2022-07-25] (Adobe Inc. -> Adobe Inc.)
HKLM\...\Policies\Explorer: [HideSCAMeetNow] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe [2630024 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [MicrosoftEdgeAutoLaunch_C0A32B37347337D257B1541CA93F7472] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [3795376 2022-09-25] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Policies\Explorer: [HideSCAMeetNow] 1
HKU\S-1-5-21-1789883001-303321401-512692908-1003\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe [2630024 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
Startup: C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2021-12-30]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation -> Microsoft Corporation)
AlternateShell: 
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {02FEA731-D2DD-4A8E-A439-563F55D53DFC} - System32\Tasks\Opera scheduled Autoupdate 1638694259 => C:\Program Files\Opera\launcher.exe [2538448 2022-09-05] (Opera Norway AS -> Opera Software)
Task: {0335EFB7-AF7E-416D-9978-D34ABA156C86} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23709120 2022-09-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {05297C63-34A6-4FCA-A5F8-891900D5D30E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {0AA9AE9F-7BC1-4CF7-B0D0-942E8D8AB388} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task "308046B0AF4A39CB"
Task: {193C0CD3-8DE7-4B74-A2DD-718AAF02C2ED} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {1AEF3D55-5909-4E1E-8853-22E99F844F7C} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23709120 2022-09-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {487D899D-40F2-476C-BEF0-2FF05589EC63} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [616832 2019-09-04] (Apple Inc. -> Apple Inc.)
Task: {500823C9-7F32-4788-B34D-40329A313066} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1003 => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
Task: {5FD92CFE-F4D2-4D63-9C80-AC2D101820F1} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1002 => C:\Users\gngn1\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting (No File)
Task: {6500E3AE-98EC-4892-B4CC-620672E1ECD0} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [142208 2022-09-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {6D5E4CE5-B360-40C2-82EA-F9193CE82B45} - System32\Tasks\npcapwatchdog => C:\Program Files\Npcap\CheckStatus.bat [815 2021-09-08] () [File not signed]
Task: {81645350-7A7E-4586-930D-AA1963354214} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {87B48BF5-2794-481C-9766-B28425BE7E49} - System32\Tasks\EOSv3 Scheduler onTime => C:\Users\gngn1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [21737944 2022-09-21] (ESET, spol. s r.o. -> ESET)
Task: {940B0A62-EB07-406B-AF8C-69A42C245B77} - System32\Tasks\Opera scheduled assistant Autoupdate 1638694264 => C:\Program Files\Opera\launcher.exe [2538448 2022-09-05] (Opera Norway AS -> Opera Software) -> --scheduledautoupdate --component-name=assistant --component-path="C:\Program Files\Opera\assistant" $(Arg0)
Task: {A7D8C990-6422-4667-87E3-FA40C47BB4B1} - System32\Tasks\EOSv3 Scheduler onLogOn => C:\Users\gngn1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [21737944 2022-09-21] (ESET, spol. s r.o. -> ESET)
Task: {AC1FBF05-8B10-4509-AEF9-AB30ECDDC41C} - System32\Tasks\Microsoft\Windows\WaaSMedic\MaintenanceWork => {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32}
Task: {B0DE073A-B771-46E8-8A43-62AAF41CD5E2} - System32\Tasks\OneDrive Per-Machine Standalone Update Task => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
Task: {C2820938-5262-4E5B-BA4C-08EE29C71694} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [142208 2022-09-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {CFB3D3C2-5ED7-4025-973B-4173E78BFF79} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {D15035A4-388C-4B0C-B13E-2588A970C419} - System32\Tasks\Microsoft\Office\Office Performance Monitor => C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe [64408 2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
Task: {D24345F4-A990-448B-97A8-778C14BE4C7C} - System32\Tasks\Mozilla\Firefox Background Update 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\firefox.exe --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate
Task: {E13FF481-BB09-4CA9-9478-463D38661FA9} - System32\Tasks\TinyWall Controller => C:\Program Files (x86)\TinyWall\TinyWall.exe [867080 2021-10-26] (Károly Pados -> Károly Pados)
Task: {FA7BFA7D-63B4-4DE5-8D36-09A74B86FCA2} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1001 => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 9.9.9.9 149.112.112.112
Tcpip\..\Interfaces\{666ad4d3-6ec5-4013-a092-a6d61e020286}: [DhcpNameServer] 9.9.9.9 149.112.112.112

Edge: 
=======
Edge Profile: C:\Users\gngn1\AppData\Local\Microsoft\Edge\User Data\Default [2022-09-27]
Edge Extension: (Microsoft Power Automate) - C:\Users\gngn1\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\njjljiblognghfjfpcdpdbpbfcmhgafg [2022-08-08]
Edge HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [njjljiblognghfjfpcdpdbpbfcmhgafg]

FireFox:
========
FF DefaultProfile: cb410ea4.default
FF ProfilePath: C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\cb410ea4.default [2021-12-15]
FF ProfilePath: C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release [2022-09-28]
FF Session Restore: Mozilla\Firefox\Profiles\za350ywr.default-release -> is enabled.
FF Notifications: Mozilla\Firefox\Profiles\za350ywr.default-release -> hxxps://web.telegram.org; hxxps://www.kiiroo.com; hxxps://electrothreads.com
FF Extension: (Disconnect) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\2.0@disconnect.me.xpi [2022-01-11]
FF Extension: (Google Container) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\@contain-google.xpi [2022-01-11]
FF Extension: (Keepa - Amazon Price Tracker) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\amptra@keepa.com.xpi [2022-04-18]
FF Extension: (OneNote Web Clipper) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\Clipper@OneNote.com.xpi [2022-04-14]
FF Extension: (Don't ***** With Paste) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\Dont*****WithPaste@raim.ist.xpi [2022-01-11]
FF Extension: (Folx) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\folx5@eltima.com.xpi [2022-01-11]
FF Extension: (Disable WebRTC) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-5Fs7iTLscUaZBgwr@jetpack.xpi [2022-01-11]
FF Extension: (Honey) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-93CWPmRbVPjRQA@jetpack.xpi [2022-01-11]
FF Extension: (Decentraleyes) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-BoFifL9Vbdl2zQ@jetpack.xpi [2022-02-01]
FF Extension: (I don't care about cookies) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-KKzOGWgsW3Ao4Q@jetpack.xpi [2022-09-15]
FF Extension: (Double-click Image Downloader) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-xgtdawe3yyUeBQ@jetpack.xpi [2022-01-11]
FF Extension: (Reddit Enhancement Suite) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi [2022-02-02]
FF Extension: (Pinterest Save Button) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi [2022-03-02]
FF Extension: (JSONovich) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jsonovich@lackoftalent.org.xpi [2022-04-05]
FF Extension: (IDM Integration Module) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\mozilla_cc3@internetdownloadmanager.com.xpi [2022-05-27]
FF Extension: (Download Manager (S3)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\s3download@statusbar.xpi [2022-01-11]
FF Extension: (Save webP as PNG or JPEG) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\savewebpas@jeffersonscher.com.xpi [2022-09-23]
FF Extension: (LastPass: Free Password Manager) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\support@lastpass.com.xpi [2022-08-06]
FF Extension: (Google Translator for Firefox) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\translator@zoli.bod.xpi [2022-01-11]
FF Extension: (uBlock Origin) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\uBlock0@raymondhill.net.xpi [2022-09-20]
FF Extension: (Paste n' Go) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{000a756d-5efb-4897-b40c-57ef8c5caa59}.xpi [2022-01-11]
FF Extension: (Take Webpage Screenshots Entirely - FireShot) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}.xpi [2022-09-15]
FF Extension: (CSS Toggler) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{16898b73-edd0-419f-a0a9-e5afd2a4c904}.xpi [2022-05-02]
FF Extension: (Download All Images) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{32af1358-428a-446d-873e-5f8eb5f2a72e}.xpi [2022-08-22]
FF Extension: (Send to VLC (VideoLAN) media player) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{3e0ac434-26e0-4c03-b757-3078486800c3}.xpi [2022-01-11]
FF Extension: (Disable JavaScript) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{41f9e51d-35e4-4b29-af66-422ff81c8b41}.xpi [2022-01-11]
FF Extension: (Eno® from Capital One®) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{4d5b7a5e-5232-9e45-97f4-f8e1ca2626e5}.xpi [2022-07-20]
FF Extension: (Science Fiction Florest) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{4d6138be-7d98-4fed-8cb9-277c3a351183}.xpi [2022-01-11]
FF Extension: (Blue Carbon Fiber) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{5ab03bdd-3d91-4c73-801e-607ca27458d0}.xpi [2022-01-11]
FF Extension: (ColorZilla) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}.xpi [2022-01-11]
FF Extension: (Hot air balloons v5 by CP) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{790388bf-f135-4368-ab9b-36c8062a09c2}.xpi [2022-01-11]
FF Extension: (Plexus Crystals (Yellow)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{826d3ea1-5a85-4e6c-8749-aff3f72ccc5d}.xpi [2022-01-11]
FF Extension: (Clippings) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{91aa5abe-9de4-4347-b7b5-322c38dd9271}.xpi [2022-09-19]
FF Extension: (Absolute Right Click) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{9350bc42-47fb-4598-ae0f-825e3dd9ceba}.xpi [2022-01-11]
FF Extension: (RESTClient) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ad0d925d-88f8-47f1-85ea-8463569e756e}.xpi [2022-04-05]
FF Extension: (Capital One Shopping: Online Coupon Tool) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{aff8af88-06a9-4eee-b383-3af08c47b8c8}.xpi [2022-09-26]
FF Extension: (The universe of ancient times.) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{b6d370bd-f532-4049-9a82-f53b47f369b3}.xpi [2022-01-11]
FF Extension: (Video DownloadHelper) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2022-05-12]
FF Extension: (flashy pastel rainbow) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ced18bb2-3a5e-4d85-b0ad-5b99cb34fa73}.xpi [2022-01-11]
FF Extension: (Polynial design) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{d7dce9c0-165e-44ff-90b9-c5ce9f7a7721}.xpi [2022-01-11]
FF Extension: (Read Aloud: A Text to Speech Voice Reader) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ddc62400-f22d-4dd3-8b4a-05837de53c2e}.xpi [2022-09-01]
FF Extension: (Matte Black (Orange)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{e7c9fb23-17c0-4bb6-a8ba-ff52a7770b89}.xpi [2022-02-24]
FF Extension: (Plexus Crystals (Violet)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ff571d12-dfde-4e8f-be1d-38c145a98443}.xpi [2022-02-24]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2022-07-07] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=3.0.16 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2021-06-18] (VideoLAN -> VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2022-07-25] (Adobe Inc. -> Adobe Systems)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2022-07-07] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2022-07-25] (Adobe Inc. -> Adobe Systems)

Chrome: 
=======
CHR HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [gjgfobnenmnljakmhboildkafdkicala]

Opera: 
=======
OPR Profile: C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable [2022-09-26]
OPR Notifications: Opera Stable -> hxxps://web.telegram.org; hxxps://www.philadelphiaeagles.com
OPR DefaultSuggestURL: Opera Stable -> hxxps://www.google.com/complete/search?client=opera&q={searchTerms}&ie={inputEncoding}&oe={outputEncoding}
OPR Extension: (Rich Hints Agent) - C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable\Extensions\enegjkbbakeegngfapepobipndnebkdk [2022-07-28]
OPR Extension: (Opera Crypto Wallet) - C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable\Extensions\gojhcdgcpbpfigcaejpfhfegekdgiblk [2022-07-28]
OPR Extension: (Amazon Assistant Promotion) - C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable\Extensions\kbmoiomgmchbpihhdpabemajcbjpcijk [2021-12-20]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [923656 2022-07-25] (Adobe Inc. -> Adobe Inc.)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [99104 2021-08-20] (Apple Inc. -> Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [12131256 2022-09-18] (Microsoft Corporation -> Microsoft Corporation)
S3 dcsvc; C:\Windows\system32\dcsvc.dll [831488 2022-09-13] (Microsoft Windows -> Microsoft Corporation)
R2 Everything; C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64\Everything.exe [2266128 2022-09-22] (voidtools -> voidtools)
S3 FileSyncHelper; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncHelper.exe [3383688 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
R2 FusionService; C:\Program Files\Dell\Fusion\FusionService.exe [19096 2021-10-13] (Dell Inc -> Dell Inc.)
R2 JumpConnect; C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe [154080 2022-01-07] (PhaseFive Systems LLC -> Phase Five Systems)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7901368 2021-12-05] (Malwarebytes Inc -> Malwarebytes)
S3 OneDrive Updater Service; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\OneDriveUpdaterService.exe [3804032 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
R2 OptionsPlusUpdaterService; C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe [17029376 2022-09-12] (Logitech Inc -> Logitech, Inc.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [12912936 2021-11-16] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
R2 TeraCopyService.exe; C:\Program Files\TeraCopy\TeraCopyService.exe [114384 2021-04-21] (Code Sector -> )
R2 TinyWall; C:\Program Files (x86)\TinyWall\TinyWall.exe [867080 2021-10-26] (Károly Pados -> Károly Pados)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\NisSrv.exe [3125112 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe [133560 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
S2 Wondershare InstallAssist; C:\ProgramData\Wondershare\Service\InstallAssistService.exe [X]
R2 ZoomCptService; "C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe" -user_path "C:\Users\gngn1\AppData\Roaming\Zoom"

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AppleKmdfFilter; C:\Windows\System32\drivers\AppleKmdfFilter.sys [20032 2020-10-09] (WDKTestCert build,132303256403278908 -> Apple Inc.)
S3 AppleLowerFilter; C:\Windows\System32\drivers\AppleLowerFilter.sys [35976 2020-10-09] (WDKTestCert build,132303256403278908 -> Apple Inc.)
S3 DDDriver; C:\Windows\System32\drivers\dddriver64Dcsa.sys [43400 2021-09-09] (Microsoft Windows Hardware Compatibility Publisher -> Dell Technologies)
R0 fse; C:\Windows\System32\drivers\fse.sys [193888 2022-05-11] (Microsoft Windows -> Microsoft Corporation)
S3 IntelGNA; C:\Windows\System32\DriverStore\FileRepository\gna.inf_amd64_c08af0e43cbc91c3\gna.sys [83856 2020-08-04] (Gaussian Mixture Models and Neural Networks Accelerator -> Intel Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [210352 2022-09-26] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [19912 2021-12-05] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248992 2022-03-27] (Malwarebytes Inc -> Malwarebytes)
R3 MpKsl84bd6d14; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E54752FF-50C6-4067-A464-757ABA79C676}\MpKslDrv.sys [228600 2022-09-28] (Microsoft Windows -> Microsoft Corporation)
S3 MYFAULT; C:\Windows\system32\drivers\myfault.sys [27848 2022-09-27] (Microsoft Windows Hardware Compatibility Publisher -> Sysinternals)
R1 npcap; C:\Windows\system32\DRIVERS\npcap.sys [72792 2021-11-30] (Insecure.Com LLC -> Insecure.Com LLC.)
U5 PROCMON24; C:\Windows\System32\Drivers\PROCMON24.sys [95632 2022-09-26] (Microsoft Windows Hardware Compatibility Publisher -> Sysinternals - www.sysinternals.com)
R3 USBPcap; C:\Windows\system32\DRIVERS\USBPcap.sys [52872 2020-05-22] (Tomasz Moń -> USBPcap)
S3 vmbusproxy; C:\Windows\system32\drivers\vmbusproxy.sys [90112 2022-04-06] (Microsoft Windows -> )
S0 WdBoot; C:\Windows\System32\drivers\wd\WdBoot.sys [49576 2022-09-07] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [453904 2022-09-07] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [94480 2022-09-07] (Microsoft Windows -> Microsoft Corporation)
R3 WiManH; C:\Windows\System32\DriverStore\FileRepository\wiman.inf_amd64_f0ed422f0b4a6c99\WiManH\WiManH.sys [172896 2020-11-23] (Intel Wireless Driver -> )
U4 npcap_wifi; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: DcSvc -> C:\Windows\system32\dcsvc.dll (Microsoft Corporation)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-09-29 00:16 - 2022-09-29 00:16 - 000031964 _____ C:\Users\gngn1\Desktop\FRST.txt
2022-09-29 00:16 - 2022-09-29 00:16 - 000000000 ____D C:\FRST
2022-09-29 00:14 - 2022-09-29 00:15 - 002371072 _____ (Farbar) C:\Users\gngn1\Desktop\frst64.exe
2022-09-28 22:41 - 2022-09-28 22:41 - 000000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2022-09-28 13:35 - 2022-09-28 13:35 - 000000519 _____ C:\Users\gngn1\Desktop\OS (C) - Shortcut.lnk
2022-09-27 03:10 - 2022-09-27 03:10 - 000027848 _____ (Sysinternals) C:\Windows\system32\Drivers\myfault.sys
2022-09-26 22:56 - 2022-09-26 22:56 - 000003194 _____ C:\Windows\system32\Tasks\OneDrive Per-Machine Standalone Update Task
2022-09-26 22:56 - 2022-09-26 22:56 - 000002104 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2022-09-26 05:16 - 2022-09-26 05:16 - 000095632 ____H (Sysinternals - www.sysinternals.com) C:\Windows\system32\Drivers\PROCMON24.SYS
2022-09-26 01:57 - 2022-09-26 01:57 - 000000000 ____D C:\Users\Sokka\AppData\Local\ClassicShell
2022-09-26 01:56 - 2022-09-26 01:56 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\ClassicShell
2022-09-26 01:33 - 2022-09-26 01:33 - 000210352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2022-09-26 00:31 - 2022-09-26 00:31 - 000000000 ____D C:\Users\Sokka\AppData\Local\Comms
2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\Mozilla
2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D C:\Users\Sokka\AppData\LocalLow\Mozilla
2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D C:\Users\Sokka\AppData\Local\Mozilla
2022-09-26 00:16 - 2022-09-26 22:56 - 000003588 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1003
2022-09-26 00:16 - 2022-09-26 00:16 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\Logishrd
2022-09-26 00:15 - 2022-09-26 01:57 - 000000000 ____D C:\Users\Sokka\AppData\Local\LogiOptionsPlus
2022-09-26 00:15 - 2022-09-26 00:57 - 000000000 ____D C:\Users\Sokka\AppData\Local\D3DSCache
2022-09-26 00:15 - 2022-09-26 00:31 - 000000000 ____D C:\Users\Sokka\AppData\Local\Packages
2022-09-26 00:15 - 2022-09-26 00:15 - 000002411 _____ C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2022-09-26 00:15 - 2022-09-26 00:15 - 000000020 ___SH C:\Users\Sokka\ntuser.ini
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 __SHD C:\Users\Sokka\IntelGraphicsProfiles
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\TinyWall
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\Adobe
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\LocalLow\Intel
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Local\VirtualStore
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Local\Publishers
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Local\ConnectedDevicesPlatform
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka
2022-09-26 00:15 - 2022-08-16 04:55 - 000000000 ___RD C:\Users\Sokka\OneDrive
2022-09-26 00:15 - 2021-06-05 07:04 - 000001281 _____ C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools.lnk
2022-09-26 00:15 - 2021-06-05 07:04 - 000000407 _____ C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Explorer.lnk
2022-09-26 00:12 - 2022-09-26 00:12 - 000000000 ____D C:\Users\Public\Documents\MDMDiagnostics
2022-09-24 13:51 - 2022-09-25 22:10 - 000000000 ____D C:\TDSSKiller_Quarantine
2022-09-24 13:45 - 2022-09-24 13:45 - 005054744 _____ (AO Kaspersky Lab) C:\Users\gngn1\Downloads\tdsskiller.exe
2022-09-24 13:43 - 2022-09-24 13:44 - 000000000 ____D C:\AdwCleaner
2022-09-24 13:43 - 2022-09-24 13:43 - 008551608 _____ (Malwarebytes) C:\Users\gngn1\Downloads\AdwCleaner.exe
2022-09-23 11:32 - 2022-09-24 11:44 - 000000000 ____D C:\Program Files\Mozilla Firefox
2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D C:\Users\gngn1\AppData\Local\falkon
2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Falkon
2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D C:\Program Files\Falkon
2022-09-23 01:42 - 2022-09-23 01:43 - 065878530 _____ C:\Users\gngn1\Downloads\Falkon.Installer.3.1.0.x64.exe
2022-09-23 01:33 - 2022-09-23 01:33 - 000022555 _____ C:\Users\gngn1\Downloads\surf-2.1.tar.gz
2022-09-23 00:58 - 2022-09-23 00:58 - 001418600 _____ (Thomas E Dickey ) C:\Users\gngn1\Downloads\lynx-newssl-setup.exe
2022-09-22 22:51 - 2022-09-22 22:52 - 000000000 ___HD C:\adobeTemp
2022-09-22 13:36 - 2022-09-22 13:36 - 029933858 _____ C:\Users\gngn1\AppData\LocalLow\wbk28E7.tmp
2022-09-22 12:12 - 2022-06-27 00:17 - 004946512 _____ (Intel Corporation) C:\Windows\system32\Drivers\Netwtw10.sys
2022-09-22 12:12 - 2022-06-27 00:17 - 001626200 _____ (Intel Corporation) C:\Windows\system32\IntelIHVRouter10.dll
2022-09-22 12:12 - 2022-06-25 21:53 - 055467080 _____ C:\Windows\system32\Drivers\Netwfw10.dat
2022-09-22 11:21 - 2022-09-26 00:14 - 000000000 ____D C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64
2022-09-22 11:21 - 2022-09-22 11:21 - 001804512 _____ C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64.zip
2022-09-21 22:30 - 2022-09-21 22:30 - 000003842 _____ C:\Windows\system32\Tasks\EOSv3 Scheduler onLogOn
2022-09-21 22:30 - 2022-09-21 22:30 - 000003400 _____ C:\Windows\system32\Tasks\EOSv3 Scheduler onTime
2022-09-21 16:58 - 2022-09-21 16:58 - 015274968 _____ (ESET) C:\Users\gngn1\Desktop\esetonlinescanner.exe
2022-09-21 16:58 - 2022-09-21 16:58 - 000001290 _____ C:\Users\gngn1\Desktop\ESET Online Scanner.lnk
2022-09-19 19:18 - 2022-09-19 19:18 - 000134259 _____ C:\Users\gngn1\Downloads\Beautiful identical blondes *****ing - XNXX.COM.mp4
2022-09-19 08:17 - 2022-09-19 08:17 - 000131268 _____ C:\Users\gngn1\Downloads\Blonde Blows and Toes - XNXX.COM.mp4
2022-09-19 02:21 - 2022-09-19 02:21 - 000132024 _____ C:\Users\gngn1\Downloads\Mad land owner put sexy brunette student in bondage and roug.mp4
2022-09-19 02:09 - 2022-09-19 02:09 - 000133819 _____ C:\Users\gngn1\Downloads\Femdom Pegging With Big Strapon - XNXX.COM.mp4
2022-09-17 02:23 - 2022-09-17 02:23 - 000000986 _____ C:\Users\Public\Desktop\PotPlayer 64 bit.lnk
2022-09-15 15:14 - 2022-09-15 15:14 - 000004158 _____ C:\Windows\system32\Tasks\Opera scheduled assistant Autoupdate 1638694264
2022-09-13 21:17 - 2022-09-13 21:17 - 000335872 _____ C:\Windows\system32\Windows.Management.InprocObjects.dll
2022-09-13 21:17 - 2022-09-13 21:17 - 000015030 _____ C:\Windows\system32\DrtmAuthTxt.wim
2022-09-13 21:15 - 2022-09-13 21:15 - 000000000 ___HD C:\$WinREAgent
2022-09-13 13:14 - 2022-09-13 13:14 - 000000000 ____D C:\Users\gngn1\AppData\Local\FirmwareUpdateTool
2022-09-12 23:57 - 2022-09-28 22:58 - 000000000 ____D C:\Users\gngn1\AppData\Local\LogiOptionsPlus
2022-09-12 23:57 - 2022-09-22 14:29 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\logioptionsplus
2022-09-12 23:57 - 2022-09-12 23:58 - 000000000 ____D C:\Program Files\LogiOptionsPlus
2022-09-12 23:57 - 2022-09-12 23:57 - 000000931 _____ C:\Users\Public\Desktop\Logi Options+.lnk
2022-09-12 23:57 - 2022-09-12 23:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logi
2022-09-12 23:57 - 2022-09-12 23:57 - 000000000 ____D C:\ProgramData\LogiOptionsPlus
2022-09-07 09:15 - 2022-09-07 09:15 - 000003946 _____ C:\Windows\system32\Tasks\Opera scheduled Autoupdate 1638694259
2022-09-07 09:15 - 2022-09-07 09:15 - 000001075 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk
2022-09-02 20:34 - 2022-09-02 20:41 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Wireshark
2022-09-02 20:32 - 2022-09-02 20:32 - 000003460 _____ C:\Windows\system32\Tasks\npcapwatchdog
2022-09-02 20:32 - 2022-09-02 20:32 - 000001789 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Windows\SysWOW64\Npcap
2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Windows\system32\Npcap
2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Program Files\USBPcap
2022-09-02 20:31 - 2022-09-02 20:33 - 000000000 ____D C:\Program Files\Wireshark
2022-09-02 20:31 - 2022-09-02 20:32 - 000000000 ____D C:\Program Files\Npcap
2022-09-02 20:27 - 2022-09-02 20:28 - 077256616 _____ (Wireshark development team) C:\Users\gngn1\Downloads\Wireshark-win64-3.6.7.exe
2022-09-01 10:21 - 2022-09-28 15:26 - 000000000 ____D C:\AITEMP
2022-09-01 08:50 - 2022-09-21 16:58 - 000001396 _____ C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk
2022-09-01 08:50 - 2022-09-21 16:58 - 000000000 ____D C:\Users\gngn1\AppData\Local\ESET

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-09-29 00:15 - 2022-01-11 17:07 - 000000000 ____D C:\Users\gngn1\Documents\Outlook Files
2022-09-29 00:12 - 2021-12-15 02:36 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\TinyWall
2022-09-28 23:59 - 2021-06-05 07:10 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2022-09-28 23:47 - 2021-06-05 07:10 - 000000000 ___HD C:\Program Files\WindowsApps
2022-09-28 23:47 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\AppReadiness
2022-09-28 23:11 - 2021-12-06 03:03 - 000000000 ____D C:\Users\gngn1\AppData\Local\ClassicShell
2022-09-28 23:08 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SystemTemp
2022-09-28 23:03 - 2021-12-15 02:36 - 000000000 ____D C:\ProgramData\TinyWall
2022-09-28 23:03 - 2021-12-05 03:50 - 000000000 ____D C:\Program Files\Opera
2022-09-28 23:03 - 2021-11-09 18:32 - 000980092 _____ C:\Windows\system32\PerfStringBackup.INI
2022-09-28 23:03 - 2021-06-05 07:09 - 000000000 ____D C:\Windows\INF
2022-09-28 22:58 - 2022-03-27 14:36 - 000000000 ____D C:\Intel
2022-09-28 22:58 - 2021-12-05 03:54 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2022-09-28 22:58 - 2021-12-05 03:23 - 000000000 ___RD C:\Users\gngn1\OneDrive
2022-09-28 22:58 - 2021-11-09 18:28 - 000012288 ___SH C:\DumpStack.log.tmp
2022-09-28 22:58 - 2021-11-09 18:28 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2022-09-28 22:57 - 2022-03-27 11:47 - 000692370 _____ C:\Windows\ntbtlog.txt
2022-09-28 22:57 - 2021-06-05 07:01 - 000786432 _____ C:\Windows\system32\config\BBI
2022-09-28 22:38 - 2021-12-05 03:10 - 000000000 ____D C:\Users\gngn1
2022-09-28 22:36 - 2021-12-15 02:18 - 000000000 ____D C:\Users\gngn1\AppData\LocalLow\Mozilla
2022-09-28 22:34 - 2022-03-25 05:54 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\TeraCopy
2022-09-28 22:27 - 2021-11-09 18:28 - 000000000 ____D C:\Windows\system32\SleepStudy
2022-09-28 13:46 - 2022-01-12 13:20 - 000000000 ___RD C:\Users\gngn1\Creative Cloud Files
2022-09-28 13:35 - 2022-03-11 04:25 - 000036208 _____ (Sysinternals - www.sysinternals.com) C:\Windows\system32\Drivers\PROCEXP152.SYS
2022-09-27 22:25 - 2021-12-05 03:22 - 000000000 ____D C:\Users\gngn1\AppData\Local\D3DSCache
2022-09-27 22:08 - 2021-12-05 03:22 - 000000000 ____D C:\Users\gngn1\AppData\Local\Packages
2022-09-27 22:08 - 2021-11-09 18:29 - 000000000 ____D C:\ProgramData\Packages
2022-09-27 22:06 - 2022-08-17 08:58 - 000000000 ____D C:\Program Files\Microsoft OneDrive
2022-09-27 21:15 - 2022-03-11 04:10 - 000000000 ____D C:\sysinternals
2022-09-26 22:56 - 2021-12-15 00:05 - 000003588 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1001
2022-09-26 12:34 - 2022-04-06 22:49 - 000001623 _____ C:\Windows\system32\config\VSMIDK
2022-09-26 09:15 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\LiveKernelReports
2022-09-26 03:16 - 2022-02-07 01:19 - 000003118 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1002
2022-09-26 02:18 - 2022-02-12 00:36 - 000000000 ____D C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38
2022-09-26 02:05 - 2022-01-08 17:39 - 000000000 ____D C:\Users\gngn1\AppData\Local\CrashDumps
2022-09-26 00:31 - 2021-06-05 07:10 - 000000000 ___RD C:\Windows\PrintDialog
2022-09-26 00:15 - 2021-11-09 18:52 - 000000000 __RHD C:\Users\Public\AccountPictures
2022-09-26 00:15 - 2021-06-05 07:10 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2022-09-25 23:22 - 2021-12-05 03:22 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Adobe
2022-09-24 22:56 - 2021-06-05 07:01 - 000000000 ____D C:\Windows\CbsTemp
2022-09-24 11:44 - 2021-12-05 03:50 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2022-09-24 11:44 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\ServiceState
2022-09-23 13:32 - 2021-12-05 03:50 - 000001007 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2022-09-23 13:32 - 2021-12-05 03:50 - 000000000 ____D C:\Windows\system32\Tasks\Mozilla
2022-09-23 12:35 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\SecurityHealth
2022-09-22 21:52 - 2022-07-08 12:14 - 000000000 ____D C:\ProgramData\boost_interprocess
2022-09-22 13:38 - 2022-01-11 17:45 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\vlc
2022-09-22 11:18 - 2022-08-04 21:50 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\QtProject
2022-09-21 12:09 - 2021-12-22 14:02 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Telegram Desktop
2022-09-21 12:02 - 2022-01-04 03:43 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Spotify
2022-09-21 12:00 - 2022-01-15 00:13 - 000000000 ____D C:\Users\gngn1\AppData\Local\Spotify
2022-09-20 17:51 - 2022-05-25 03:10 - 000000000 ____D C:\Users\gngn1\dwhelper
2022-09-18 02:58 - 2021-11-09 18:41 - 000000000 ____D C:\Program Files\Microsoft Office
2022-09-16 09:26 - 2022-02-19 22:29 - 001285856 _____ C:\Windows\system32\FNTCACHE.DAT
2022-09-16 09:26 - 2022-02-03 16:36 - 000000000 ____D C:\ProgramData\Logishrd
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SysWOW64\Dism
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SystemResources
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\setup
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\oobe
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\Dism
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\DDFs
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\appraiser
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\Provisioning
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\bcastdvr
2022-09-13 21:21 - 2021-12-06 16:53 - 000000000 ____D C:\Windows\system32\MRT
2022-09-13 21:19 - 2021-12-06 16:53 - 141646296 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2022-09-13 21:17 - 2021-11-09 18:31 - 003103744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2022-09-13 02:12 - 2022-01-12 13:12 - 000000000 ____D C:\Program Files\Common Files\Adobe
2022-09-07 04:33 - 2021-11-09 18:28 - 000000000 ____D C:\Windows\system32\Drivers\wd

==================== Files in the root of some directories ========

2022-06-23 03:39 - 2022-06-23 03:39 - 000000036 _____ () C:\Users\gngn1\AppData\Local\.__explain_this_is_writeable_not_delete__
2021-12-06 02:51 - 2022-08-25 23:21 - 000007686 _____ () C:\Users\gngn1\AppData\Local\Resmon.ResmonCfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-08-2022
Ran by God (29-09-2022 00:16:53)
Running from C:\Users\gngn1\Desktop
Microsoft Windows 11 Home Version 21H2 22000.978 (X64) (2021-12-05 08:22:38)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-1789883001-303321401-512692908-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1789883001-303321401-512692908-503 - Limited - Disabled)
God (S-1-5-21-1789883001-303321401-512692908-1001 - Administrator - Enabled) => C:\Users\gngn1
Guest (S-1-5-21-1789883001-303321401-512692908-501 - Limited - Disabled)
Sokka (S-1-5-21-1789883001-303321401-512692908-1003 - Limited - Enabled) => C:\Users\Sokka
WDAGUtilityAccount (S-1-5-21-1789883001-303321401-512692908-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 19.00 (x64 edition) (HKLM\...\{23170F69-40C1-2702-1900-000001000000}) (Version: 19.00.00.0 - Igor Pavlov)
7-Zip 21.06 (x64) (HKLM\...\7-Zip) (Version: 21.06 - Igor Pavlov)
Adobe Bridge 2022 (HKLM-x32\...\KBRG_12_0_1) (Version: 12.0.1 - Adobe Inc.)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 5.8.0.592 - Adobe Inc.)
Adobe Illustrator 2022 (HKLM-x32\...\ILST_26_0_2) (Version: 26.0.2 - Adobe Inc.)
Adobe Premiere Rush (HKLM-x32\...\RUSH_2_0) (Version: 2.0 - Adobe Inc.)
Apple Mobile Device Support (HKLM\...\{527DD209-8A66-482F-8779-C7B3BACCA8F1}) (Version: 15.0.0.16 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{A3985C05-7386-411F-A4BF-32A73F37EB44}) (Version: 2.6.3.1 - Apple Inc.)
Audacity 3.1.2 (HKLM\...\Audacity_is1) (Version: 3.1.2 - Audacity Team)
Autopsy (HKLM\...\{1633CA1B-52C0-47B5-9A31-5A7764F4BA83}) (Version: 4.19.3 - The Sleuth Kit)
Classic Shell (HKLM\...\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}) (Version: 4.3.1 - IvoSoft)
Dell SupportAssist OS Recovery Plugin for Dell Update (HKLM-x32\...\{ec40a028-983b-4213-af2c-77ed6f6fe1d5}) (Version: 5.4.1.14954 - Dell Inc.)
Dell SupportAssist Remediation (HKLM-x32\...\{0b3f567c-a2ee-437a-861f-bb6da9f2111b}) (Version: 5.5.0.16046 - Dell Inc.)
Dynamic Application Loader Host Interface Service (HKLM\...\{A28339C8-E641-4CCE-A316-56F405D1C245}) (Version: 1.0.0.0 - Intel Corporation) Hidden
EaseUS MobiSaver 8.0.2 (HKLM-x32\...\EaseUS MobiSaver_is1) (Version:  - EaseUS)
EaseUS MobiUnlock 3.0.1 (HKLM-x32\...\EaseUS MobiUnlock_is1) (Version:  - EaseUS)
Falkon 3.1.0 x64 (HKLM-x32\...\Falkon) (Version: 3.1.0 x64 - Falkon Team)
FastStone Image Viewer 7.5 (HKLM-x32\...\FastStone Image Viewer) (Version: 7.5 - FastStone Soft)
FileZilla Client 3.58.0 (HKLM-x32\...\FileZilla Client) (Version: 3.58.0 - Tim Kosse)
Fusion Service (HKLM\...\{599709E7-DD10-4FF5-96D5-7C6F6B5F62C0}) (Version: 1.92.22.0 - Dell.Inc) Hidden
Fusion Service (HKLM-x32\...\{81ce0187-37c1-4c23-8387-44454e1796ad}) (Version: 1.92.22.0 - Dell.Inc)
Google Earth Pro (HKLM\...\{C36E66A6-6EE5-47DB-945F-A6F03225D540}) (Version: 7.3.4.8573 - Google)
Intel(R) LMS (HKLM\...\{A0983640-26D2-4CD8-A512-747BF3CF3F82}) (Version: 1.0.0.0 - Intel Corporation) Hidden
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 2101.15.0.2080 - Intel Corporation)
iTunes (HKLM\...\{0B3CC856-3A62-443A-B6CE-DED2D4495D56}) (Version: 12.12.2.2 - Apple Inc.)
Jump Desktop (HKLM\...\{388F7980-94E2-4BAD-9123-F07E05BD16A2}) (Version: 8.4.27.0 - Phase Five Systems)
Jump Desktop Connect (HKLM-x32\...\{081CADBE-4FE4-4AA9-A187-221A03078C6A}) (Version: 6.7.69.0 - Phase Five Systems)
Logi Options+ (HKLM\...\{850cdc16-85df-4052-b06e-4e3e9e83c5c6}) (Version: 1.22.5550 - Logitech)
Logitech Options (HKLM\...\LogiOptions) (Version: 9.60.87 - Logitech)
Malwarebytes version 4.4.11.149 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.4.11.149 - Malwarebytes)
Microsoft 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.15601.20148 - Microsoft Corporation)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 105.0.1343.53 - Microsoft Corporation)
Microsoft OneDrive (HKLM\...\OneDriveSetup.exe) (Version: 22.191.0911.0001 - Microsoft Corporation)
Microsoft OneNote - en-us (HKLM\...\OneNoteFreeRetail - en-us) (Version: 16.0.15601.20148 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{6A2A8076-135F-4F55-BB02-DED67C8C6934}) (Version: 4.67.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (HKLM\...\{37B8F9C7-03FB-3253-8781-2517C99D7C00}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (HKLM\...\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (HKLM-x32\...\{B175520C-86A2-35A7-8619-86DC379688B9}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (HKLM-x32\...\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664 (HKLM-x32\...\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}) (Version: 12.0.40664.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664 (HKLM-x32\...\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}) (Version: 12.0.40664.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664 (HKLM\...\{010792BA-551A-3AC0-A7EF-0FAB4156C382}) (Version: 12.0.40664 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664 (HKLM\...\{53CF6934-A98D-3D84-9146-FC4EDF3D5641}) (Version: 12.0.40664 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664 (HKLM-x32\...\{D401961D-3A20-3AC7-943B-6139D5BD490A}) (Version: 12.0.40664 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664 (HKLM-x32\...\{8122DAB1-ED4D-3676-BB0A-CA368196543E}) (Version: 12.0.40664 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326 (HKLM-x32\...\{2d507699-404c-4c8b-a54a-38e352f32cdd}) (Version: 14.32.31326.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.32.31326 (HKLM-x32\...\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}) (Version: 14.32.31326.0 - Microsoft Corporation)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.32.31326 (HKLM\...\{38624EB5-356D-4B08-8357-C33D89A5C0C5}) (Version: 14.32.31326 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.32.31326 (HKLM\...\{C96241EA-9900-4FE8-85B3-1E238D509DF6}) (Version: 14.32.31326 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.32.31326 (HKLM-x32\...\{A250E750-DB3F-40C1-8460-8EF77C7582DA}) (Version: 14.32.31326 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.32.31326 (HKLM-x32\...\{46E11E7F-01E1-44D0-BB86-C67342D253DD}) (Version: 14.32.31326 - Microsoft Corporation) Hidden
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\{7C0242A3-8B66-35D1-9FE0-13B426ACB609}) (Version: 10.0.60729 - Microsoft Corporation) Hidden
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.60724 - Microsoft Corporation)
Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 105.0.1 (x64 en-US)) (Version: 105.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 94.0.2 - Mozilla)
Npcap (HKLM-x32\...\NpcapInst) (Version: 1.60 - Nmap Project)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.15601.20064 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.15601.20148 - Microsoft Corporation) Hidden
Opera Stable 90.0.4480.84 (HKLM-x32\...\Opera 90.0.4480.84) (Version: 90.0.4480.84 - Opera Software)
PotPlayer-64 bit (HKLM\...\PotPlayer64) (Version: 220914 - Kakao Corp.)
PuTTY release 0.76 (64-bit) (HKLM\...\{1E0D5689-40F1-4E46-ABBB-EAAC68B5CD89}) (Version: 0.76.0.0 - Simon Tatham)
qBittorrent 4.3.9 (HKLM-x32\...\qBittorrent) (Version: 4.3.9 - The qBittorrent project)
Revo Uninstaller 2.3.8 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.3.8 - VS Revo Group, Ltd.)
Spotify (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Spotify) (Version: 1.1.94.870.gf994cb0b - Spotify AB)
SumatraPDF (HKLM\...\SumatraPDF) (Version: 3.3.3 - Krzysztof Kowalczyk)
TeamViewer (HKLM-x32\...\TeamViewer) (Version: 15.24.5 - TeamViewer)
Telegram Desktop version 4.1.1 (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1) (Version: 4.1.1 - Telegram FZ-LLC)
TeraCopy (HKLM\...\{F8B0BB18-B1E6-4821-8C5B-883AA5DE3EEA}) (Version: 3.9.0 - Code Sector)
TinyWall (HKLM-x32\...\{6A366BCB-2A38-4D2A-80FD-A5E0C32C97C8}) (Version: 3.2.3.0 - Károly Pados)
USBPcap 1.5.4.0 (HKLM\...\USBPcap) (Version: 1.5.4.0 - Tomasz Mon)
UXP WebView Support (HKLM-x32\...\UXPW_1_1_0) (Version: 1.1.0 - Adobe Inc.)
VdhCoApp 1.6.3 (HKLM\...\weh-iss-net.downloadhelper.coapp_is1) (Version:  - DownloadHelper)
VLC media player (HKLM\...\VLC media player) (Version: 3.0.16 - VideoLAN)
WinDirStat 1.1.2 (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\WinDirStat) (Version:  - )
WinMerge 2.16.16.0 x64 (HKLM\...\WinMerge_is1) (Version: 2.16.16.0 - Thingamahoochie Software)
WinRAR 6.02 (64-bit) (HKLM\...\WinRAR archiver) (Version: 6.02.0 - win.rar GmbH)
Wireshark 3.6.7 64-bit (HKLM-x32\...\Wireshark) (Version: 3.6.7 - The Wireshark developer community, hxxps://www.wireshark.org)
XnView 2.50.4 (HKLM-x32\...\XnView_is1) (Version: 2.50.4 - Gougelet Pierre-e)
Zoom (HKLM-x32\...\{1B8D4A17-201A-4113-A512-B7DEEF293AF1}) (Version: 5.8.2048 - Zoom)

Packages:
=========
Adobe Notification Client -> C:\Program Files\WindowsApps\AdobeNotificationClient_3.0.1.1_x86__enpm4xejd91yc [2022-04-28] (Adobe Systems Incorporated)
Dell Mobile Connect -> C:\Program Files\WindowsApps\ScreenovateTechnologies.DellMobileConnectPlus_4.1.8330.0_x64__0vhbc3ng4wbp0 [2022-09-26] (Screenovate Technologies)
Intel® Optane™ Memory and Storage Management -> C:\Program Files\WindowsApps\AppUp.IntelOptaneMemoryandStorageManagement_18.1.1032.0_x64__8j3eq9eme6ctt [2022-09-26] (INTEL CORP)
MPEG-2 Video Extension -> C:\Program Files\WindowsApps\Microsoft.MPEG2VideoExtension_1.0.50901.0_x64__8wekyb3d8bbwe [2022-09-26] (Microsoft Corporation)
Photos Media Engine Add-on -> C:\Program Files\WindowsApps\Microsoft.Photos.MediaEngineDLC_1.0.0.0_x64__8wekyb3d8bbwe [2022-04-02] (Microsoft Corporation)
Power Automate -> C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.4447.0_x64__8wekyb3d8bbwe [2022-09-26] (Microsoft Corporation) [Startup Task]
Unigram—Telegram for Windows -> C:\Program Files\WindowsApps\38833FF26BA1D.UnigramPreview_8.9.7687.0_x64__g9c9v27vpyspw [2022-09-05] (Unigram, Inc.) [Startup Task]

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-231FB76D9980} -> [Creative Cloud Files] => C:\Users\gngn1\Creative Cloud Files [2022-01-12 13:20]
CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{23B3E3D8-C162-4A8B-AB0C-0905DCB1DF19}\InprocServer32 -> C:\Users\gngn1\AppData\Local\Packages\Microsoft.PowerAutomateDesktop_8wekyb3d8bbwe\TempState\RDP\DVCPlugin\x64\Microsoft.Flow.RPA.Desktop.UIAutomation.RDP.DVC.Plugin.dll (Microsoft Corporation -> )
CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{2F81B25E-7507-4844-BFF2-77D2CC24CED4}\localserver32 -> C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe (Adobe Inc. -> Adobe Inc.)
CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{375360E1-2D4B-4DEB-9C05-B3A3CA553923}\InprocServer32 -> C:\Program Files\Mozilla Firefox\notificationserver.dll (Mozilla Corporation -> Mozilla Foundation)
CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Inc. -> Adobe Systems)
ShellIconOverlayIdentifiers: [    OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [   AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> )
ShellIconOverlayIdentifiers: [   AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> )
ShellIconOverlayIdentifiers: [   AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> )
ShellIconOverlayIdentifiers: [  OptaneIconOverlay] -> {A3AF6F6C-8BED-3D93-8B5D-33427B5D38E9} => C:\Windows\System32\DriverStore\FileRepository\iastorpinningcomponent.inf_amd64_ff8d0bd695f4bb2e\OptaneShellExt.dll [2022-02-07] (Intel Corporation -> )
ShellIconOverlayIdentifiers-x32: [    OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed]
ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> )
ContextMenuHandlers1: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} => C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector)
ContextMenuHandlers1: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -> hxxps://winmerge.org)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers2: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} => C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector)
ContextMenuHandlers2: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -> hxxps://winmerge.org)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-12-05] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers3: [OptaneContextMenu] -> {AD7EBB13-617D-3270-8FA8-46583499C4FB} => C:\Windows\System32\DriverStore\FileRepository\iastorpinningcomponent.inf_amd64_ff8d0bd695f4bb2e\OptaneShellExt.dll [2022-02-07] (Intel Corporation -> )
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed]
ContextMenuHandlers4: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} => C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector)
ContextMenuHandlers4: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -> hxxps://winmerge.org)
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers5: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -> hxxps://winmerge.org)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed]
ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> )
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-12-05] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper64.dll [2017-08-13] (Ivaylo Beltchev -> IvoSoft) [File not signed]
ContextMenuHandlers6: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} => C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2022-02-21 11:25 - 2022-02-21 11:25 - 000144896 _____ () [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\libssh2.dll
2022-02-21 11:25 - 2022-02-21 11:25 - 000077824 _____ () [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\zlib.dll
2021-12-05 03:51 - 2021-11-24 09:00 - 000093696 _____ (Igor Pavlov) [File not signed] C:\Program Files\7-Zip\7-zip.dll
2017-08-13 09:49 - 2017-08-13 09:49 - 003664184 _____ (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll
2017-08-13 09:49 - 2017-08-13 09:49 - 000291128 _____ (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Windows\system32\StartMenuHelper64.dll
2021-11-09 18:41 - 2021-11-09 18:41 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppvIsvSubsystems64.dll] C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll
2021-11-09 18:41 - 2021-11-09 18:41 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2R64.dll] C:\Program Files\Microsoft Office\Root\Office16\c2r64.dll
2022-01-07 10:41 - 2022-01-07 10:41 - 013733888 _____ (Phase Five Systems) [File not signed] C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnectCore.dll
2022-02-21 11:25 - 2022-02-21 11:25 - 000355840 _____ (The cURL library, hxxp://curl.haxx.se/) [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\LIBCURL.dll
2022-02-21 11:25 - 2022-02-21 11:25 - 002286747 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\LIBEAY32.dll
2022-02-21 11:25 - 2022-02-21 11:25 - 000416627 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\SSLEAY32.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AutorunsDisabled => "AlternateShell"="cmd.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\65395606.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\65395606.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

URLSearchHook: [S-1-5-21-1789883001-303321401-512692908-1001] ATTENTION => Default URLSearchHook is missing
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2022-08-16] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation)

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2021-06-05 07:08 - 2021-10-11 02:45 - 000334861 _____ C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
0.0.0.0 fr.a2dfp.net
0.0.0.0 mfr.a2dfp.net
0.0.0.0 ad.a8.net
0.0.0.0 asy.a8ww.net
0.0.0.0 static.a-ads.com
0.0.0.0 abcstats.com
0.0.0.0 track.acclaimnetwork.com
0.0.0.0 csh.actiondesk.com
0.0.0.0 ads.activepower.net
0.0.0.0 app.activetrail.com
0.0.0.0 ad2games.com
0.0.0.0 adadvisor.net
0.0.0.0 www.adchimp.com
0.0.0.0 pixel.adcrowd.com
0.0.0.0 ct1.addthis.com
0.0.0.0 static.uk.addynamo.com
0.0.0.0 adexc.net
0.0.0.0 static.adfclick1.com
0.0.0.0 server.adformdsp.net
0.0.0.0 s.adframesrc.com
0.0.0.0 media.adfrontiers.com
0.0.0.0 www.adgitize.com
0.0.0.0 www.ad-groups.com #[Ban Man Pro Banner Code]
0.0.0.0 adgrx.com
0.0.0.0 adhall.com
0.0.0.0 adhitzads.com
0.0.0.0 aj.adjungle.com
0.0.0.0 adserver-e7.com
0.0.0.0 n.admagnet.net

There are 8702 more lines.


2022-01-20 10:16 - 2022-08-07 23:11 - 000000374 _____ C:\Windows\system32\drivers\etc\hosts.ics

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1789883001-303321401-512692908-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
HKU\S-1-5-21-1789883001-303321401-512692908-1003\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 9.9.9.9 - 149.112.112.112
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

Network Binding:
=============
Ethernet: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled) 
Bluetooth Network Connection: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled) 
Wi-Fi: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled) 
Wi-Fi: Npcap Packet Driver (NPCAP) (Wi-Fi) -> INSECURE_NPCAP_WIFI (enabled) 

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKLM\...\StartupApproved\Run: => "Everything"
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run: => "Opera Browser Assistant"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run32: => "Adobe CCXProcess"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "Opera Browser Assistant"
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\StartupFolder: => "Send to OneNote.lnk"
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: => "MicrosoftEdgeAutoLaunch_C0A32B37347337D257B1541CA93F7472"
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: => "Speech Recognition"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [Microsoft-Windows-Unified-Telemetry-Client] => (Block) C:\Windows\system32\svchost.exe (Microsoft Windows Publisher -> Microsoft Corporation)
FirewallRules: [{C2A5E20E-1F04-4D7D-ADAA-9026D35A3B26}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{027E032D-A7ED-45B3-AB1D-5C808C685D7A}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{4665FCD0-7E10-41E1-90FE-309580DEF7CD}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{1E860482-8990-4E25-9246-9A99F50B6E0E}] => (Allow) C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe (PhaseFive Systems LLC -> Phase Five Systems)
FirewallRules: [{380E5FDE-93A1-4238-BE5C-FEF5E36946D7}] => (Allow) C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe (PhaseFive Systems LLC -> Phase Five Systems)
FirewallRules: [{B5C81192-EC77-485C-99B4-B8AAB7195F28}] => (Allow) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.EXE (Logitech Inc -> Logitech, Inc.)
FirewallRules: [{93AB2033-C6B3-4FC4-9928-E46BFC60D137}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22055.502.1226.2344_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{97046305-7548-4DED-B501-487DBADD4D15}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22055.502.1226.2344_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{EA21E87C-9F2A-4449-8408-C08AF06912CD}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe => No File
FirewallRules: [{EF0DC3B7-2A94-41EF-9F5A-7678A08AD664}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe => No File
FirewallRules: [{2AE5D8DA-0340-43A6-A8DB-4DC1A0D30C42}] => (Allow) C:\Program Files\Opera\90.0.4480.54\opera.exe (Opera Norway AS -> Opera Software)
FirewallRules: [{8FEE7E9A-04FF-4D4E-9C6E-0149217D6928}] => (Allow) C:\Program Files\Opera\90.0.4480.84\opera.exe (Opera Norway AS -> Opera Software)
FirewallRules: [{BC39B814-683D-46EE-9ECB-9C7F751AA32E}] => (Allow) C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe (Logitech Inc -> Logitech, Inc.)

==================== Restore Points =========================

28-09-2022 23:00:02 Removed Bonjour
28-09-2022 23:01:27 Removed 7-Zip 19.00 (x64 edition)

==================== Faulty Device Manager Devices ============

Name: Realtek PCIe GbE Family Controller
Description: Realtek PCIe GbE Family Controller
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Realtek
Service: rt640x64
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: ========================

Application errors:
==================
Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]

Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]

Error: (09/28/2022 01:39:17 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program explorer.exe version 10.0.22000.978 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 1e84

Start Time: 01d8d36839d9a69c

Termination Time: 20

Application Path: C:\Windows\explorer.exe

Report Id: 9e6212d3-1134-4a4f-b69b-c2ec549a2dbf

Faulting package full name: 

Faulting package-relative application ID: 

Hang type: Unknown

Error: (09/28/2022 01:38:56 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: The backup did not complete because of an error writing to the backup location B:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (09/28/2022 01:31:31 PM) (Source: Firefox Default Browser Agent) (EventID: 12007) (User: )
Description: Event-ID 12007

Error: (09/28/2022 01:31:31 PM) (Source: Firefox Default Browser Agent) (EventID: 0) (User: )
Description: Event-ID 0


System errors:
=============
Error: (09/28/2022 11:58:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 15420).

Error: (09/28/2022 11:28:54 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 11432).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16948).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16600).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16476).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 15328).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16400).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16516).


Windows Defender:
================
Date: 2022-09-26 10:30:42
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3

Date: 2022-09-26 10:30:30
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3

Date: 2022-09-26 02:23:28
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\Users\gngn1\Desktop\FRST64.exe
Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3

Date: 2022-09-26 01:58:41
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3

Date: 2022-09-26 00:15:31
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.375.1006.0, AS: 1.375.1006.0, NIS: 1.375.1006.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3
Event[0]

Date: 2022-09-28 22:41:33
Description: 
Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode 
Reason: Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

Date: 2022-09-28 22:37:32
Description: 
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version: 
Previous security intelligence Version: 1.375.1177.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.19600.3
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 

Date: 2022-09-28 13:39:15
Description: 
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version: 
Previous security intelligence Version: 1.375.1134.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.19600.3
Error code: 0x8024402c
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 

CodeIntegrity:
===============
Date: 2022-09-28 23:19:07
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume8\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume8\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2022-09-28 22:32:20
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume8\Windows\System32\SIHClient.exe) attempted to load \Device\HarddiskVolume8\Program Files\Bonjour\mdnsNSP.dll that did not meet the Windows signing level requirements.


==================== Memory info =========================== 

BIOS: Dell Inc. 1.5.0 02/11/2022
Motherboard: Dell Inc. 0YF8P5
Processor: Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
Percentage of memory in use: 41%
Total physical RAM: 12021.07 MB
Available physical RAM: 7019.64 MB
Total Virtual: 28838.92 MB
Available Virtual: 23710.69 MB

==================== Drives ================================

Drive a: (1TB-LT) (Fixed) (Total:917.04 GB) (Free:297.48 GB) (Model: TOSHIBA MQ01ABD100) NTFS
Drive c: (OS) (Fixed) (Total:460.75 GB) (Free:50.22 GB) (Model: NVMe BC711 NVMe SK hynix 512GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:13.24 GB) (Free:1.57 GB) (Model: TOSHIBA MQ01ABD100) NTFS ==>[system with boot components (obtained from drive)]

\\?\Volume{8a3cbc66-ab72-496a-8c28-f1c9d89e1ff4}\ (Windows RE tools) (Fixed) (Total:0.96 GB) (Free:0.36 GB) NTFS
\\?\Volume{e7899493-836e-40e2-a860-993bc8fe0b89}\ (WINRETOOLS) (Fixed) (Total:0.97 GB) (Free:0.48 GB) NTFS
\\?\Volume{25391c42-c24a-4412-a42b-0763395eec6d}\ (Image) (Fixed) (Total:13.58 GB) (Free:0.15 GB) NTFS
\\?\Volume{7aa07a21-543e-4687-bcaf-54e5b284a176}\ (DELLSUPPORT) (Fixed) (Total:1.36 GB) (Free:0.53 GB) NTFS
\\?\Volume{e3bd6638-6fd2-43f2-9f08-688f4c1389b4}\ () (Fixed) (Total:0.25 GB) (Free:0.14 GB) FAT32
\\?\Volume{d88befe7-be9f-42cc-886d-d916edbba0ff}\ (ESP) (Fixed) (Total:0.14 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: A50E1C7D)

Partition: GPT.

==========================================================
Disk: 1 (Size: 476.9 GB) (Disk ID: 416A8FEC)

Partition: GPT.

==================== End of Addition.txt =======================


  • Root Admin

Please ATTACH all logs unless otherwise requested, thank you @malwareismyfriend
Please run the following fix, once the fix has been completed, please attach the FIXLOG.TXT file to your next reply. I will check back on you again some time tomorrow.
Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


  • Root Admin

Please stop posting logs directly. We only want or need the attachments. Thank you @malwareismyfriend


Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

Select the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports, and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...
Thank you

  • Root Admin

That's a good thing.

Have you put it back on the network now? @malwareismyfriend


SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file.
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and Run anyway.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt


Thank you


SecurityCheck.txt


I've had it on the network since I first messaged you, but I block all outgoing and incoming requests with TinyWall when I'm not using it to run these security apps.


I've gone into Process Explorer and found a bunch of very odd looking processes; further investigation in the properties shows that a lot of these processes have things in common. They all have Administrator flagged for DENY. The owner is NT AUTHORITY/LogonSessionID_0_1053163. Most run from "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\", there are about 30-40 processes using svchost, and some operating system files are not signed. Looking at the TCP connections, there are a lot of SYSTEM connections with "TIME WAIT" going to a random IP hosted by Amazon or some other big provider.


  • Root Admin

You're running Torrent software on the system. @malwareismyfriend


Torrenting is the act of downloading and uploading files through the BitTorrent network.

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's attack surface area, which can increase the risk of infection.

Scan all files before running them. https://www.virustotal.com

If you don't need or use the P2P software, you should uninstall it to improve the security of your system and data.

Risks of File-Sharing Technology by the Cybersecurity & Infrastructure Security Agency
https://www.cisa.gov/uscert/ncas/tips/ST05-007


We're not done yet, but most processes are normal. Some have very strange names, but in most cases they're normal.


Please uninstall, update, or otherwise address the following as appropriate for your system.


---------------------- [ AntiVirusFirewallInstall ] -----------------------
Malwarebytes version 4.4.11.149 v.4.4.11.149 Warning! Download Update


--------------------------- [ OtherUtilities ] ----------------------------
SumatraPDF v.3.3.3 Warning! Download Update

PuTTY release 0.76 (64-bit) v.0.76.0.0 Warning! Download Update

FileZilla Client 3.58.0 v.3.58.0 Warning! Download Update

TeamViewer v.15.24.5 Warning! Download Update

Wireshark 3.6.7 64-bit v.3.6.7 Warning! Download Update


------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 21.06 (x64) v.21.06 Warning! Download Update
Uninstall old version and install new one.

WinRAR 6.02 (64-bit) v.6.02.0 Warning! Download Update

7-Zip 19.00 (x64 edition) v.19.00.00.0 Warning! Download Update
Uninstall old version and install new one.


------------------------------- [ Imaging ] -------------------------------
FastStone Image Viewer 7.5 v.7.5 Warning! Download Update

XnView 2.50.4 v.2.50.4 Warning! Download Update


-------------------------- [ IMAndCollaborate ] ---------------------------
Telegram Desktop version 4.1.1 v.4.1.1 Warning! Download Update

Zoom v.5.8.2048 Warning! Download Update

--------------------------------- [ P2P ] ---------------------------------

qBittorrent 4.3.9 v.4.3.9 Warning! Download Update


-------------------------------- [ Media ] --------------------------------
Audacity 3.1.2 v.3.1.2 Warning! Download Update

VLC media player v.3.0.16 Warning! Download Update

iTunes v.12.12.2.2 Warning! Download Update
^Please use Apple Software Update tool.^

Spotify v.1.1.94.870.gf994cb0b Warning! Download Update


------------------------------- [ Browser ] -------------------------------
Opera Stable 90.0.4480.84 v.90.0.4480.84 Warning! Download Update


---------------------------- [ UnwantedApps ] -----------------------------
VdhCoApp 1.6.3 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
----------------------------- [ End of Log ] ------------------------------


Then check for Windows Updates and install any found and restart the computer.


Once that has all been completed and the computer restarted, get me new, fresh logs from the Farbar program.

FRST.TXT
ADDITION.TXT


Thank you


  • Root Admin

You're right about not having P2P BitTorrent network software. Not sure why the Security Scanner showed that.

You can delete the qBittorrent program download, not needed.


How is the computer running now?

Are you still having any alerts or issues? @malwareismyfriend


  • 2 weeks later...

Yes, still issues.


Lots of TIME WAIT connections in my firewall with SYSTEM process 4 connecting to masked IP addresses like:
...and more. I can usually see at least 10 or more of them at a time using netstat or simply by looking at my firewall status. These are all on port 443 or 80, all in TIME WAIT status with SYSTEM as the PID. Other strange activity as well.


  • Root Admin

I'm sorry but we don't support router issues. Routers can have thousands of IP listed and have nothing to do with what is going on with Windows.

We need to see alerts, blocks from onboard security software, event log entries, obvious issues in Windows. We've now run a few different antivirus scanners and Windows is looking clean at this point.

You can do a Factory Reset on your Router if you own it.


Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/


Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings.
  • Change the default Router password using a strong password.
  • Use a strong WiFi password on WPA2 using AES encryption, or enable WPA3 if it is an option.
  • Disable Remote Management.
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK: TCP and UDP ports 135 through 139, 445, 1234, 3389 and 5555.
  • Document passwords created and store them in a safe but accessible location.


These are connections that are made to PID 4 which is a process that runs in Windows 11.  This has nothing to do with my router.  The firewall is a software based firewall called Tinywall, which is how I am able to see where these connections are being made.


Is the PID 4 SYSTEM even supposed to have any external based TCP connections?


  • Root Admin

Absolutely, quite a few in fact.

Open an elevated admin command prompt and then copy and paste the following into the Window and press the Enter key.

You'll see a ton of programs that run under SVCHOST.EXE, and most of them have access to the Internet.

tasklist /svc /fi "IMAGENAME eq svchost.exe"


  • Root Admin

That is a kernel level part of the system.

       4 0xffffd60f`ec068380      0xffffaf00`cec07a40 System


It's the Windows Kernel, a system virtual process.
This virtual process contains all running kernel-mode drivers. This also includes Windows File Sharing, HTTP.SYS and SMB, to name a few.

Without writing your own driver to access this process, I'm not aware of any means to monitor its processes from the User Mode level.

You can run the following from a command prompt, which should show what connections are made under PID 4.

netstat -aon

Edited by AdvancedSetup
Updated information
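The netstat -aon triage from the two posts above, as an added example that is not part of this thread: a Python script that parses netstat -aon output and, for PID 4, separates live ESTABLISHED peers (the sockets worth a closer look) from TIME_WAIT entries, which are remnants of connections that have already been closed. The sample table with its PIDs, ports and peer addresses is constructed; on a Windows host the script reads the real netstat output instead.

```python
import subprocess
import sys
from collections import Counter, defaultdict

# Constructed sample in the layout `netstat -aon` prints on Windows; PIDs, ports
# and peer addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:50212     203.0.113.7:443        TIME_WAIT       4
  TCP    192.168.1.10:50213     203.0.113.8:80         TIME_WAIT       4
  TCP    192.168.1.10:50220     198.51.100.5:443       ESTABLISHED     4
  TCP    192.168.1.10:50301     198.51.100.9:443       ESTABLISHED     6320
  UDP    0.0.0.0:5353           *:*                                    2288
"""

def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "UDP":  # UDP rows have no State column
            proto, local, remote, pid = fields[:4]
            state = ""
        else:
            proto, local, remote, state, pid = fields[:5]
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows

def states_by_pid(rows):
    """Socket-state counts per PID, e.g. how many TIME_WAIT entries PID 4 owns."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["pid"]][r["state"] or "UDP"] += 1
    return summary

def live_remote_connections(rows, pid):
    """ESTABLISHED TCP peers of `pid`, loopback excluded; TIME_WAIT rows are already closed."""
    return [r["remote"] for r in rows if r["pid"] == pid
            and r["state"] == "ESTABLISHED" and not r["remote"].startswith("127.")]

if __name__ == "__main__":
    live = sys.platform == "win32"  # on a Windows host read the real table
    text = subprocess.check_output(["netstat", "-aon"], text=True) if live else SAMPLE_NETSTAT
    rows = parse_netstat(text)
    print("PID 4:", dict(states_by_pid(rows)[4]), live_remote_connections(rows, 4))
```

Pair the ESTABLISHED peers this reports with the service list from tasklist /svc before deciding anything is suspicious; a pile of TIME_WAIT entries on 80/443 by itself only shows that connections were made and closed.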

  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
