
Need help with removing Trojan Virus"Virtool32"


Solved by Maurice Naggar

Hey guys!

 

I seriously need help with this one. I am currently trying to get RID of this Trojan, which has been on my PC for several hours now. I have run FRSTEnglish.exe as well as MSERT.exe (logs attached below) and I need someone to read them and help fix this issue.

Now I have tried running normal scans from these applications, but I think the Trojan has gotten severe to the point where I CANNOT RUN / INSTALL ANY AV APPLICATIONS, AS IT KEEPS CLOSING THE APP IMMEDIATELY. With great effort, I got these logs after getting my timing right to click the scan option before it closes.

I couldn't find a solution anywhere; if someone could help me with this issue IMMEDIATELY, it would be appreciated!

Attachments: FRST.txt, msert.log


Just to add more context: 

I ran a scan from Windows Defender and it showed me "VirTool:Win32/DefenderTamperingRestore" as well as "Trojan:Win32/Tnega!MSR".

I tried removing this from Defender itself, but apparently it keeps coming back.


Hello @Sam_01, welcome. My name is Maurice. I will guide you.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but also make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions, and at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    Do these 2 steps so that ALL folders and files are set to SHOW, and also turn OFF Windows Fast Startup.
    Show-Hidden-Folders-Files-Extensions
    https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

    Disable-Fast-Startup
    https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

I would like a report set for review. This is a report only; it is the first step so I can see what is what on this particular machine.

Please download the MALWAREBYTES MBST Support Tool.

Once you start it, click Advanced >>> then Gather Logs.

Have patience until the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.


@Sam_01 At the next opportunity, run all the steps that are listed below.

(   1   )

This is only a first step. Download and save a file named Iexplore.exe from here: https://www.bleepingcomputer.com/download/rkill/dl/11/

Once the browser has finished the download, RUN it from there.

That Iexplore.exe is another name for the tool known as RKill by BleepingComputer.

(   2   )

 

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get and run the Malwarebytes MBAR anti-rootkit tool; do one run with it.
Disregard the title of that topic; run the MBAR tool as described here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply, but later. At this point, do the next step, # 3.

(   3  )

 

I suggest you run AV block remover (AVbr).

Pick one of your permanent folders to save it to, EXCEPT NOT the Downloads folder and NOT the Desktop. Any other folder. Download and SAVE the file from this link

The file will be named AVbr.zip.

To use the utility:
1. Download the utility and unzip it to any place convenient for you.
2. After unpacking (extracting all content of the zip file),
3. run the EXE file.
4. If the utility does not start or gives an error, then stop and let me know.

During the operation of the utility, a folder ..\AV_block_remover will be created next to this file, containing, among other things,
a file named "AV_block_remove_date-time.log" inside this folder. Please attach that log to your next post.

Edited by Maurice Naggar

Hey @Maurice Naggar. Thanks for taking the time to help out!

The show-hidden-folders option is switched on to show any hidden files.

Disabled fast startup as well, according to the instructions.

I have run the MBST support tool, only to have another file called "FRSTEnglish.exe" added to my Downloads folder. If for some reason you cannot open the logs I posted above, I can post them in text form here.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-10-2023
Ran by shres (administrator) on LAPTOP-ROVNLLEA (ASUSTeK COMPUTER INC. ASUS TUF Gaming A15 FA507RE_FA507RE) (08-10-2023 00:07:41)
Running from C:\Users\shres\Downloads\FRSTEnglish.exe
Loaded Profiles: shres
Platform: Microsoft Windows 11 Home Single Language Version 22H2 22621.2283 (X64) Language: English (United States)
Default browser: Opera
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(0A0B0503-04C2-4CCF-9BC2-4F164DC80FEE -> Advanced Micro Devices, Inc.) C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20073.0_x64__0a9344xs7nr4m\radeonsoftware\AMDRSServ.exe
(ASUSACCI\ArmouryCrateControlInterface.exe ->) (ASUSTEK COMPUTER INCORPORATION -> ASUSTeK COMPUTER INC.) C:\Windows\System32\ASUSACCI\ACCIMonitor.exe
(Blizzard Entertainment, Inc. -> Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.8445\Agent.exe
(C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ArmourySocketServer\ArmourySocketServer.exe ->) (ASUSTeK COMPUTER INC. -> ASUS) C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ArmourySocketServer\ArmouryHtmlDebugServer.exe
(C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.UserSessionHelper.exe
(C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe
(C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20073.0_x64__0a9344xs7nr4m\radeonsoftware\AMDRSServ.exe ->) (0A0B0503-04C2-4CCF-9BC2-4F164DC80FEE -> Advanced Micro Devices, Inc.) C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20073.0_x64__0a9344xs7nr4m\radeonsoftware\AMDRSSrcExt.exe
(C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.55\msedgewebview2.exe <6>
(C:\ProgramData\ReaItekHD\taskhost.exe ->) (Microsoft Corporation) [File not signed] C:\ProgramData\WindowsTask\audiodg.exe
(C:\ProgramData\ReaItekHD\taskhost.exe ->) (Microsoft Corporation) [File not signed] C:\ProgramData\WindowsTask\MicrosoftHost.exe
(C:\ProgramData\ReaItekHD\taskhostw.exe ->) (Microsoft Corporation) [File not signed] C:\ProgramData\ReaItekHD\taskhost.exe
(DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSOptimization\AsusOptimization.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSOptimization\AsusOptimizationStartupTask.exe
(DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSoftwareManager\AsusSoftwareManager.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSoftwareManager\AsusSoftwareManagerAgent.exe
(DriverStore\FileRepository\dax3_swc_aposvc.inf_amd64_91e825316dd5b8b9\DAX3API.exe ->) (Dolby Laboratories, Inc. -> Dolby Laboratories) C:\Windows\System32\DriverStore\FileRepository\DAX3_S~4.INF\DAX3API.exe
(DriverStore\FileRepository\u0383113.inf_amd64_9242eb4af0e982f6\B383140\atiesrxx.exe ->) (Advanced Micro Devices Inc. -> AMD) C:\Windows\System32\DriverStore\FileRepository\u0383113.inf_amd64_9242eb4af0e982f6\B383140\atieclxx.exe
(explorer.exe ->) (Blizzard Entertainment, Inc. -> Blizzard Entertainment) C:\Program Files (x86)\Battle.net\temp_55378fa22eff4403dae46bf6f2453db5.exe <4>
(explorer.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe <17>
(explorer.exe ->) (Realtek Semiconductor) [File not signed] C:\ProgramData\ReaItekHD\taskhostw.exe
(explorer.exe ->) (Riot Games, Inc. -> Riot Games, Inc.) C:\Program Files\Riot Vanguard\vgtray.exe
(explorer.exe ->) (Softdeluxe) [File not signed] C:\Users\shres\AppData\Local\Softdeluxe\Free Download Manager\fdm.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
(Nvidia Corporation -> Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(services.exe ->) (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.) C:\Windows\System32\amdfendrsr.exe
(services.exe ->) (Advanced Micro Devices Inc. -> AMD) C:\Windows\System32\DriverStore\FileRepository\u0383113.inf_amd64_9242eb4af0e982f6\B383140\atiesrxx.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUS Inc.) C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSLinkRemote\AsusLinkRemote.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTek COMPUTER INC.) C:\Program Files (x86)\ASUS\AsusCertService\AsusCertService.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTek Computer Inc.) C:\Program Files (x86)\LightingService\LightingService.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTek COMPUTER INC.) C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Windows\System32\ASUSACCI\ArmouryCrateControlInterface.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\AsusAppService\AsusAppService.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTek Computer Inc.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSLinkNear\AsusLinkNear.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSOptimization\AsusOptimization.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSoftwareManager\AsusSoftwareManager.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSwitch\AsusSwitch.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSystemAnalysis\AsusSystemAnalysis.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTek COMPUTER INC.) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSystemDiagnosis\AsusSystemDiagnosis.exe
(services.exe ->) (C-MEDIA ELECTRONICS INC. -> C-Media Electronics, Inc.) C:\Windows\System32\DriverStore\FileRepository\cm6549_hsa.inf_amd64_00c2de2d1069d9a1\C-MediaAudioService.exe
(services.exe ->) (Dolby Laboratories, Inc. -> Dolby Laboratories) C:\Windows\System32\DriverStore\FileRepository\dax3_swc_aposvc.inf_amd64_91e825316dd5b8b9\DAX3API.exe
(services.exe ->) (Flexera Software LLC -> Flexera) C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService64.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft GameInput\x64\gameinputsvc.exe <2>
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
(services.exe ->) (Nvidia Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe <3>
(services.exe ->) (NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_357c899e52491771\Display.NvContainer\NVDisplay.Container.exe <2>
(services.exe ->) (Sophos Ltd -> Sophos Limited) C:\Users\shres\OneDrive\Desktop\resources\stage_3_disinfect\sophos_virus_remover\SVRTservice.exe
(sihost.exe ->) (5BD5593D-A41B-4F89-884E-B4F3E0FBAA75 -> Apple Inc.) C:\Program Files\WindowsApps\AppleInc.iTunes_12129.10001.1009.0_x64__nzyj5cx40ttqa\AMDS64\AppleMobileDeviceProcess.exe
(svchost.exe ->) (ASUSTeK COMPUTER INC. -> ASUS) C:\Program Files (x86)\ASUS\ArmouryDevice\dll\AcPowerNotification\AcPowerNotification.exe
(svchost.exe ->) (ASUSTeK COMPUTER INC. -> ASUS) C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ArmourySocketServer\ArmourySocketServer.exe
(svchost.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ArmouryDevice\asus_framework.exe <3>
(svchost.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Display Control\ASUSSmartDisplayControl.exe
(svchost.exe ->) (ASUSTEK COMPUTER INCORPORATION -> ASUSTeK Computer Inc.) C:\Program Files\ASUS\ASUS Hotplug Controller\AsHotplugCtrl.exe
(svchost.exe ->) (Microsoft Windows -> ) C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\Dashboard\WidgetService.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\LocationNotificationWindows.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wlanext.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Riot Vanguard] => C:\Program Files\Riot Vanguard\vgtray.exe [3022640 2023-08-10] (Riot Games, Inc. -> Riot Games, Inc.)
HKLM\...\Run: [Realtek HD Audio] => C:\ProgramData\ReaItekHD\taskhostw.exe [27378192 2023-09-24] (Realtek Semiconductor) [File not signed] <==== ATTENTION
HKLM-x32\...\Run: [ASUS Smart Display Control] => C:\Program Files (x86)\ASUS\ASUS Smart Display Control\ASUSSmartDisplayControl.exe [178864 2021-12-31] (ASUSTeK COMPUTER INC. -> ASUSTeK Computer Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Restriction <==== ATTENTION
HKU\S-1-5-21-1623705211-507293843-3645546312-1001\...\Run: [MicrosoftEdgeAutoLaunch_9CCA457D28335B1F206EA0AB6C4AE520] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [4210216 2023-09-29] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-1623705211-507293843-3645546312-1001\...\Run: [btweb] => "C:\Users\shres\AppData\Roaming\BitTorrent Web\btweb.exe" /MINIMIZED (No File)
HKU\S-1-5-21-1623705211-507293843-3645546312-1001\...\Run: [Free Download Manager] => C:\Users\shres\AppData\Local\Softdeluxe\Free Download Manager\fdm.exe [6179840 2023-03-13] (Softdeluxe) [File not signed]
HKU\S-1-5-21-1623705211-507293843-3645546312-1001\...\Run: [Battle.net] => C:\Program Files (x86)\Battle.net\Battle.net.exe [978560 2023-10-07] (Blizzard Entertainment, Inc. -> Blizzard Entertainment)
HKU\S-1-5-21-1623705211-507293843-3645546312-1001\...\Run: [RiotClient] => C:\Riot Games\Riot Client\RiotClientServices.exe [70911416 2023-09-08] (Riot Games, Inc. -> Riot Games, Inc.)
HKU\S-1-5-21-1623705211-507293843-3645546312-1001\...\Run: [Opera Browser Assistant] => C:\Users\shres\AppData\Local\Programs\Opera\assistant\browser_assistant.exe (No File)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> "C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel=stable

==================== Scheduled Tasks (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {3E5C7093-1B21-4B11-AF8C-3972CD493336} - System32\Tasks\ArcGIS Pro Indexing (MicrosoftAccount_shresam11@gmail.com) => C:\Program Files\ArcGIS\Pro\bin\ArcGISIndexingServer.exe [680288 2023-01-31] (Environmental Systems Research Institute, Inc. -> Esri)
Task: {7EC56346-1C9C-4ED6-965F-AFBCC812B24C} - System32\Tasks\ASUS Hotplug Controller => C:\Program Files\ASUS\ASUS Hotplug Controller\AsHotplugCtrl.exe [285416 2021-12-08] (ASUSTEK COMPUTER INCORPORATION -> ASUSTeK Computer Inc.)
Task: {94B9B2DC-F661-4BD9-B5FF-0F1EF001558A} - System32\Tasks\ASUS Optimization 36D18D69AFC3 => C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSOptimization\AsusHotkey.exe [294528 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
Task: {2F521CCD-3774-4F52-AD1B-CE2A41279AE7} - System32\Tasks\ASUS Update Checker 2.0 => C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSoftwareManager\AsusUpdateChecker.exe [797928 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
Task: {CA8CA7AD-DE86-4908-8F6F-10987C5C4C53} - System32\Tasks\ASUS\AcPowerNotification => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\AcPowerNotification\AcPowerNotification.exe [313192 2023-07-25] (ASUSTeK COMPUTER INC. -> ASUS)
Task: {32B673B6-ED02-44DA-8326-A6D1C50894A0} - System32\Tasks\ASUS\ArmourySocketServer => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ArmourySocketServer\ArmourySocketServer.exe [1898344 2023-07-25] (ASUSTeK COMPUTER INC. -> ASUS)
Task: {62E58C42-8F34-4D79-9716-ABC7FFDC05C7} - System32\Tasks\ASUS\ASUSUpdateTaskMachineCore => C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe [165224 2023-10-07] (ASUSTeK COMPUTER INC. -> ASUSTeK Computer Inc.)
Task: {B123BFD0-4AD7-4422-B08A-19A9572F37D6} - System32\Tasks\ASUS\ASUSUpdateTaskMachineUA => C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe [165224 2023-10-07] (ASUSTeK COMPUTER INC. -> ASUSTeK Computer Inc.)
Task: {CE1EFC3E-D2C3-4F6B-B5B1-C6BF9CE44203} - System32\Tasks\ASUS\Aura Wallpaper Service => C:\Program Files\ASUS\Aura Wallpaper Service\Aura Wallpaper Service.exe  (No File)
Task: {2D20BB04-1DD1-4489-9E1E-1598DBD636EA} - System32\Tasks\ASUS\Framework Service => C:\Program Files (x86)\ASUS\ArmouryDevice\asus_framework.exe [139091304 2023-07-19] (ASUSTeK COMPUTER INC. -> ASUSTek Computer Inc.)
Task: {19943395-2D2E-4CF5-8CE4-E0D35458C31D} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe  (No File)
Task: {5D384B63-50F2-4CE1-A8C0-9FDC3E7E519B} - System32\Tasks\ASUSSmartDisplayControl => C:\Program Files (x86)\ASUS\ASUS Smart Display Control\ASUSSmartDisplayControl.exe [178864 2021-12-31] (ASUSTeK COMPUTER INC. -> ASUSTeK Computer Inc.)
Task: {4008598B-B8E0-4570-BBCF-04E8ECD7011E} - System32\Tasks\AsusSystemAnalysis_754F3273-0563-4F20-B12F-826510B07474 => C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSystemAnalysis\AsusSystemAnalysis.exe [4092136 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
Task: {79B992DB-1E94-4BB8-9D96-24386A471AC4} - System32\Tasks\CCleanerSkipUAC - shres => C:\Users\shres\OneDrive\Desktop\resources\stage_1_tempclean\ccleaner\CCleaner.exe [31990800 2022-08-12] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {49ABCA5F-CD6E-4B12-B157-2398ED1DC866} - System32\Tasks\GoogleUpdateTaskMachineCore{77754C54-6EDB-4F1A-B80E-62D0CE614001} => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [171480 2023-03-13] (Google LLC -> Google LLC)
Task: {95692B39-F480-4750-AB2E-E52A47DFB2D5} - System32\Tasks\GoogleUpdateTaskMachineUA{5617F452-B4E6-4D48-B54B-A98708F13CF9} => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [171480 2023-03-13] (Google LLC -> Google LLC)
Task: {4C19737F-2727-4042-A89F-5466EA81374A} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [26974216 2023-09-27] (Microsoft Corporation -> Microsoft Corporation)
Task: {1500D993-63B7-4DC4-8CFA-FF032959FE27} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [26974216 2023-09-27] (Microsoft Corporation -> Microsoft Corporation)
Task: {B5E4BC70-154B-46C1-9B40-8F234A268865} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [160920 2023-10-04] (Microsoft Corporation -> Microsoft Corporation)
Task: {7D1F0DC7-350B-4587-B342-B1546799D149} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [160920 2023-10-04] (Microsoft Corporation -> Microsoft Corporation)
Task: {7737F499-2A82-4114-AFE3-2616B5935B42} - System32\Tasks\Microsoft\Office\Office Performance Monitor => C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe [169136 2023-10-04] (Microsoft Corporation -> Microsoft Corporation)
Task: {84E13991-3CA6-49AD-ADED-8E19ECA2F374} - System32\Tasks\Microsoft\Windows\AppxDeploymentClient\UCPD velocity => C:\WINDOWS\system32\UCPDMgr.exe [58880 2023-09-15] (Microsoft Windows -> Microsoft Corporation)
Task: {7D32FB45-5CBC-489E-8E69-A35941167155} - System32\Tasks\Microsoft\Windows\MapInfoW\RecoveryHosts => C:\ProgramData\Microsoft\DRM\v565QSEO\MapInfoW.bat [2754 2023-10-07] () [File not signed] <==== ATTENTION
Task: {366A6387-CD84-483F-9D22-AD2CEC008627} - System32\Tasks\Microsoft\Windows\MapInfoW\RecoveryTask => C:\Programdata\ReaItekHD\taskhostw.exe [27378192 2023-09-24] (Realtek Semiconductor) [File not signed] <==== ATTENTION
Task: {D16B0CAB-98E3-48BC-8F80-D40CCE112280} - System32\Tasks\Microsoft\Windows\MapInfoW\v565QSEO => C:\Programdata\ReaItekHD\taskhost.exe [21065744 2023-09-24] (Microsoft Corporation) [File not signed] <==== ATTENTION
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
Task: {68037743-F265-4C23-9DBC-C32E9E624FAA} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe [1596304 2023-09-28] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {F61F788B-C921-4ABE-B561-F310214E982A} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe [1596304 2023-09-28] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {00C01855-B384-4EB0-A650-502522BF60C0} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe [1596304 2023-09-28] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {3844CE60-6A63-4D8E-95E4-24ABA1ABD112} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe [1596304 2023-09-28] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {71EC933E-0339-47FE-B8D4-2B180A303EE2} - System32\Tasks\Microsoft\Windows\WindowsBackup\OnlogonCheck => C:\Programdata\ReaItekHD\taskhostw.exe [27378192 2023-09-24] (Realtek Semiconductor) [File not signed] <==== ATTENTION
Task: {90603060-0871-4871-AC2E-3A3A80AC5A22} - System32\Tasks\Microsoft\Windows\WindowsBackup\ServiceControl => C:\Programdata\ReaItekHD\taskhostw.exe [27378192 2023-09-24] (Realtek Semiconductor) [File not signed] <==== ATTENTION
Task: {A2A43B50-0DD9-4EF5-9DDB-5F5B92E8918E} - System32\Tasks\Microsoft\Windows\WindowsBackup\ServiceManager => C:\Programdata\ReaItekHD\taskhost.exe [21065744 2023-09-24] (Microsoft Corporation) [File not signed] <==== ATTENTION
Task: {54DF0ED7-DCC9-429C-830F-E4C6462B3C07} - System32\Tasks\Microsoft\Windows\WindowsBackup\WinlogonCheck => C:\Programdata\ReaItekHD\taskhost.exe [21065744 2023-09-24] (Microsoft Corporation) [File not signed] <==== ATTENTION
Task: {27F97418-B3A9-4EC2-A1CA-F62F41C1D706} - System32\Tasks\Microsoft\Windows\Wininet\winser => C:\ProgramData\Windows Tasks Service\winserv.exe [10675712 2021-05-28] (tox) [File not signed] -> Task Service\winserv.exe <==== ATTENTION
Task: {7505ACB5-E561-4F28-8437-115CCD3A1BF6} - System32\Tasks\Microsoft\Windows\Wininet\winsers => C:\ProgramData\Windows Tasks Service\winserv.exe [10675712 2021-05-28] (tox) [File not signed] -> Task Service\winserv.exe <==== ATTENTION
Task: {E7C09497-E8DA-4ABF-882A-70F1D186C6D1} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [1003128 2022-03-15] (Nvidia Corporation -> NVIDIA Corporation) -> -d "C:\Program Files\NVIDIA Corporation\NvDriverUpdateCheck" -l 3 -f C:\ProgramData\NVIDIA\NvContainerDriverUpdateCheck.log
Task: {ED69B604-6F1E-44A7-8D18-9C54058EC426} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [3342376 2023-01-27] (Nvidia Corporation -> NVIDIA Corporation)
Task: {FCC213D9-466E-45F8-97B1-DF1B3ACD6568} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [649784 2023-01-20] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {DF929F4A-F25E-4168-8467-2D1B4CA2E6A2} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [910888 2023-01-20] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {B2504CFD-4F97-4753-929F-8DD4F91763DB} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [910888 2023-01-20] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {5DE9BC26-AA28-411C-8C36-F3F3F5E4423E} - System32\Tasks\NvTmRep_CrashReport1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1665064 2023-01-20] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {26080E5B-2367-423B-9D11-1027B0BC9854} - System32\Tasks\NvTmRep_CrashReport2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1665064 2023-01-20] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {FD5A1C73-B696-46A0-9BD5-B2611277F061} - System32\Tasks\NvTmRep_CrashReport3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1665064 2023-01-20] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {13EE18CF-69B3-41BD-A96A-A83F87BB09E5} - System32\Tasks\NvTmRep_CrashReport4_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvBackend\NvTmRep.exe [1665064 2023-01-20] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {3BA47864-B974-4BFA-A98C-60FAFF8ED2F7} - System32\Tasks\Opera scheduled assistant Autoupdate 1696680600 => C:\Users\shres\AppData\Local\Programs\Opera\launcher.exe  -> --scheduledautoupdate --component-name=assistant --component-path="C:\Users\shres\AppData\Local\Programs\Opera\assistant" $(Arg0)
Task: {3A1350FF-044A-40DA-BB06-7CE1CA2B9107} - System32\Tasks\Opera scheduled Autoupdate 1696680589 => C:\Users\shres\AppData\Local\Programs\Opera\launcher.exe  --scheduledautoupdate $(Arg0) (No File)
Task: {C665375D-3A88-4AE3-A72E-9D9E81063D6C} - System32\Tasks\VBIOS_Installer => C:\ProgramData\ASUS\VBIOS\VBIOS_Installer.exe  (No File)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{710ac34a-3540-47b0-bf95-abd153ac9351}: [DhcpNameServer] 40.53.1.11
Tcpip\..\Interfaces\{c1538dc9-61e9-433e-91d2-677d7da3e629}: [DhcpNameServer] 192.168.0.1

Edge: 
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default [2023-10-08]
Edge HomePage: Default -> hxxp://siuexam.siu.edu.in/forms/resultview.html
Edge StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3321459&octid=EB_ORIGINAL_CTID&ISID=MC83FC3B0-39A8-434F-9EFF-DDB84426CB78&SearchSource=55&CUI=&UM=8&UP=SPA53C98A1-5600-4E6C-8553-1FD678E7D4A3&SSPV=&SSPV=&SSPV=&SSPV=&SSPV=","hxxp://www.youtube.com/","hxxps://mail.google.com/mail/u/0/?ui=2#inbox","hxxps://www.facebook.com/login.php?skip_api_login=1&api_key=2415071772&signed_next=1&next=https%3A%2F%2Fwww.facebook.com%2Fv1.0%2Fdialog%2Foauth%3Fredirect_uri%3Dhttps%253A%252F%252Fs-static.ak.facebook.com%252Fconnect%252Fxd_arbiter%252F7r8gQb8MIqE.js%253Fversion%253D41%2523cb%253Df20a77e74a96886%2526domain%253Dwww.goodreads.com%2526origin%253Dhttps%25253A%25252F%25252Fwww.goodreads.com%25252Ff385ade1b72b97%2526relation%253Dopener%2526frame%253Dfa02d0560da434%26display%3Dpopup%26scope%3Demail%252C%2Buser_likes%252C%2Bfriends_likes%252Cpublish_actions%26response_type%3Dtoken%252Csigned_request%26domain%3Dwww.goodreads.com%26client_id%3D2415071772%26ret%3Dlogin%26sdk%3Djoey&cancel_uri=https%3A%2F%2Fs-static.ak.facebook.com%2Fconnect%2Fxd_arbiter%2F7r8gQb8MIqE.js%3Fversion%3D41%23cb%3Df20a77e74a96886%26domain%3Dwww.goodreads.com%26origin%3Dhttps%253A%252F%252Fwww.goodreads.com%252Ff385ade1b72b97%26relation%3Dopener%26frame%3Dfa02d0560da434%26error%3Daccess_denied%26error_code%3D200%26error_description%3DPermissions%2Berror%26error_reason%3Duser_denied%26e2e%3D%257B%257D&display=popup","hxxp://search.gboxapp.com/","hxxp://www.delta-homes.com/?type=hp&ts=1431001899&from=wpm05073&uid=ST500LT012-1DG142_S3P72B52XXXXS3P72B52","hxxps://www.seha.ae/ahs/English/pages/default.aspx/en-us/pages/default.aspx","hxxp://www.google.com/"
Edge Extension: (Free Download Manager) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ahmpjcflkgiildlgicmcieglgoilbfdp [2023-05-06]
Edge Extension: (FrankerFaceZ) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\fadndhdgpmmaapbmfcknlfgcflmmmieb [2023-05-06]
Edge Extension: (Word Counter Plus) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\fpjegfbcdijjfkceenlfoehpcakfgldj [2023-05-06]
Edge Extension: (Google Docs Offline) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2023-08-29]
Edge Extension: (Adblocker for Youtube™) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\hdocmehchiccjnceipkfflndgcognhmf [2023-04-19]
Edge Extension: (Tampermonkey) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\iikmkjmpaadaobahmlepeloendndfphd [2023-06-29]
Edge Extension: (Edge relevant text changes) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2023-09-14]
Edge Extension: (ZenMate Free VPN – Best VPN for Edge) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\kepdippgcikacmcdaijnponnfgljfbea [2023-05-24]
Edge Extension: (Scener) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\lkhjgdkpibcepflmlgahofcmeagjmecc [2023-09-02]
Edge Extension: (Screencastify - Screen Video Recorder) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\mmeijimgabbpbgpdklnllpncmdofkcpn [2023-10-03]
Edge Extension: (uBlock Origin) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\odfafepnkmbhccpbejgmiehpchacaeak [2023-09-22]
Edge Profile: C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Guest Profile [2023-07-08]
Edge Profile: C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1 [2023-07-14]
Edge HomePage: Profile 1 -> hxxp://siuexam.siu.edu.in/forms/resultview.html
Edge StartupUrls: Profile 1 -> "hxxp://www.trovi.com/?gd=&ctid=CT3321459&octid=EB_ORIGINAL_CTID&ISID=MC83FC3B0-39A8-434F-9EFF-DDB84426CB78&SearchSource=55&CUI=&UM=8&UP=SPA53C98A1-5600-4E6C-8553-1FD678E7D4A3&SSPV=&SSPV=&SSPV=&SSPV=&SSPV=","hxxp://www.youtube.com/","hxxps://mail.google.com/mail/u/0/?ui=2#inbox","hxxps://www.facebook.com/login.php?skip_api_login=1&api_key=2415071772&signed_next=1&next=https%3A%2F%2Fwww.facebook.com%2Fv1.0%2Fdialog%2Foauth%3Fredirect_uri%3Dhttps%253A%252F%252Fs-static.ak.facebook.com%252Fconnect%252Fxd_arbiter%252F7r8gQb8MIqE.js%253Fversion%253D41%2523cb%253Df20a77e74a96886%2526domain%253Dwww.goodreads.com%2526origin%253Dhttps%25253A%25252F%25252Fwww.goodreads.com%25252Ff385ade1b72b97%2526relation%253Dopener%2526frame%253Dfa02d0560da434%26display%3Dpopup%26scope%3Demail%252C%2Buser_likes%252C%2Bfriends_likes%252Cpublish_actions%26response_type%3Dtoken%252Csigned_request%26domain%3Dwww.goodreads.com%26client_id%3D2415071772%26ret%3Dlogin%26sdk%3Djoey&cancel_uri=https%3A%2F%2Fs-static.ak.facebook.com%2Fconnect%2Fxd_arbiter%2F7r8gQb8MIqE.js%3Fversion%3D41%23cb%3Df20a77e74a96886%26domain%3Dwww.goodreads.com%26origin%3Dhttps%253A%252F%252Fwww.goodreads.com%252Ff385ade1b72b97%26relation%3Dopener%26frame%3Dfa02d0560da434%26error%3Daccess_denied%26error_code%3D200%26error_description%3DPermissions%2Berror%26error_reason%3Duser_denied%26e2e%3D%257B%257D&display=popup","hxxp://search.gboxapp.com/","hxxp://www.delta-homes.com/?type=hp&ts=1431001899&from=wpm05073&uid=ST500LT012-1DG142_S3P72B52XXXXS3P72B52","hxxps://www.seha.ae/ahs/English/pages/default.aspx/en-us/pages/default.aspx","hxxp://www.google.com/"
Edge Extension: (Free Download Manager) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\ahmpjcflkgiildlgicmcieglgoilbfdp [2023-06-30]
Edge Extension: (FrankerFaceZ) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\fadndhdgpmmaapbmfcknlfgcflmmmieb [2023-06-30]
Edge Extension: (Word Counter Plus) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\fpjegfbcdijjfkceenlfoehpcakfgldj [2023-06-30]
Edge Extension: (Adblocker for Youtube™) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\hdocmehchiccjnceipkfflndgcognhmf [2023-06-30]
Edge Extension: (Tampermonkey) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\iikmkjmpaadaobahmlepeloendndfphd [2023-06-30]
Edge Extension: (Edge relevant text changes) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2023-05-16]
Edge Extension: (ZenMate Free VPN – Best VPN for Edge) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\kepdippgcikacmcdaijnponnfgljfbea [2023-05-26]
Edge Extension: (Scener) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\lkhjgdkpibcepflmlgahofcmeagjmecc [2023-06-30]
Edge Extension: (Screencastify - Screen Video Recorder) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\mmeijimgabbpbgpdklnllpncmdofkcpn [2023-06-30]
Edge Extension: (uBlock Origin) - C:\Users\shres\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\odfafepnkmbhccpbejgmiehpchacaeak [2023-06-30]

FireFox:
========
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2023-08-01] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=3.0.18 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2022-11-09] (VideoLAN -> VideoLAN)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2023-10-04] (Microsoft Corporation -> Microsoft Corporation)

Chrome: 
=======
CHR HKLM-x32\...\Chrome\Extension: [aegnopegbbhjeeiganiajffnalhlkkjb]

Opera: 
=======
OPR DefaultProfile: Opera Stable
OPR Profile: C:\Users\shres\AppData\Roaming\Opera Software\Opera Stable [2023-10-07]
OPR DefaultSearchURL: Opera Stable -> hxxps://www.google.com/search?client=opera&q={searchTerms}&sourceid=opera&ie={inputEncoding}&oe={outputEncoding}
OPR DefaultSearchKeyword: Opera Stable -> g
OPR Extension: (Rich Hints Agent) - C:\Users\shres\AppData\Roaming\Opera Software\Opera Stable\Extensions\enegjkbbakeegngfapepobipndnebkdk [2023-10-07]
OPR Extension: (Opera Wallet) - C:\Users\shres\AppData\Roaming\Opera Software\Opera Stable\Extensions\gojhcdgcpbpfigcaejpfhfegekdgiblk [2023-10-07]
OPR Extension: (Aria) - C:\Users\shres\AppData\Roaming\Opera Software\Opera Stable\Extensions\igpdmclhhlcpoindmhkhillbfhdgoegm [2023-10-07]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ArmouryCrateControlInterface; C:\WINDOWS\System32\ASUSACCI\ArmouryCrateControlInterface.exe [1181232 2023-06-07] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
R2 ArmouryCrateService; C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe [399992 2023-08-11] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
S2 asus; C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe [165224 2023-10-07] (ASUSTeK COMPUTER INC. -> ASUSTeK Computer Inc.)
R2 AsusAppService; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\AsusAppService\AsusAppService.exe [1177320 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
R2 AsusCertService; C:\Program Files (x86)\ASUS\AsusCertService\AsusCertService.exe [558104 2022-05-19] (ASUSTeK COMPUTER INC. -> ASUSTek COMPUTER INC.)
R2 ASUSLinkNear; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSLinkNear\AsusLinkNear.exe [1631976 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTek Computer Inc.)
R2 ASUSLinkRemote; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSLinkRemote\AsusLinkRemote.exe [772840 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
S3 asusm; C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe [165224 2023-10-07] (ASUSTeK COMPUTER INC. -> ASUSTeK Computer Inc.)
R2 ASUSOptimization; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSOptimization\AsusOptimization.exe [483968 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
S2 AsusROGLSLService; C:\Program Files (x86)\ASUS\AsusROGLSLService\AsusROGLSLService.exe [681832 2023-10-07] (ASUSTeK COMPUTER INC. -> ASUS)
R2 ASUSSoftwareManager; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSoftwareManager\AsusSoftwareManager.exe [1111272 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
R2 ASUSSwitch; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSwitch\AsusSwitch.exe [641256 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
R2 ASUSSystemAnalysis; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSystemAnalysis\AsusSystemAnalysis.exe [4092136 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
R2 ASUSSystemDiagnosis; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSystemDiagnosis\AsusSystemDiagnosis.exe [832744 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTek COMPUTER INC.)
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [15044872 2023-03-17] (BattlEye Innovations e.K. -> )
R2 C-MediaAudioService; C:\WINDOWS\System32\DriverStore\FileRepository\cm6549_hsa.inf_amd64_00c2de2d1069d9a1\C-MediaAudioService.exe [296904 2022-11-06] (C-MEDIA ELECTRONICS INC. -> C-Media Electronics, Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [12859472 2023-09-27] (Microsoft Corporation -> Microsoft Corporation)
R2 DolbyDAXAPI; C:\WINDOWS\System32\DriverStore\FileRepository\dax3_swc_aposvc.inf_amd64_91e825316dd5b8b9\DAX3API.exe [2356792 2022-11-29] (Dolby Laboratories, Inc. -> Dolby Laboratories)
S3 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [813032 2023-03-17] (EasyAntiCheat Oy -> Epic Games, Inc)
S3 EasyAntiCheat_EOS; C:\Program Files (x86)\EasyAntiCheat_EOS\EasyAntiCheat_EOS.exe [943528 2023-05-17] (EasyAntiCheat Oy -> Epic Games, Inc.)
S3 EpicOnlineServices; C:\Program Files (x86)\Epic Games\Epic Online Services\service\EpicOnlineServicesHost.exe [934352 2023-02-10] (Epic Games Inc. -> Epic Games, Inc.)
R2 GameSDK Service; C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe [397544 2022-05-31] (ASUSTeK COMPUTER INC. -> ASUS Inc.)
R2 LightingService; C:\Program Files (x86)\LightingService\LightingService.exe [4283240 2023-05-31] (ASUSTeK COMPUTER INC. -> ASUSTek Computer Inc.)
S3 ProtonVPN Service; C:\Program Files\Proton\VPN\v3.2.2\ProtonVPNService.exe [472168 2023-09-26] (Proton Technologies AG -> ProtonVPN)
S3 ProtonVPN WireGuard; C:\Program Files\Proton\VPN\v3.2.2\ProtonVPN.WireGuardService.exe [471656 2023-09-26] (Proton Technologies AG -> ProtonVPN)
R2 ROG Live Service; C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe [1665648 2023-07-25] (ASUSTeK COMPUTER INC. -> ASUSTek COMPUTER INC.)
R3 SophosVirusRemovalTool; C:\Users\shres\OneDrive\Desktop\resources\stage_3_disinfect\sophos_virus_remover\SVRTservice.exe [155720 2021-03-17] (Sophos Ltd -> Sophos Limited)
R2 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2023-10-07] (Stas'M Corp.) [File not signed] <==== ATTENTION (no ServiceDLL)
S3 vgc; C:\Program Files\Riot Vanguard\vgc.exe [9437496 2023-08-10] (Riot Games, Inc. -> Riot Games, Inc.)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe [3116904 2023-09-28] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe [133584 2023-09-28] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 GoogleChromeElevationService; C:\Program Files\Google\Chrome\Application\117.0.5938.149\elevation_service.exe <==== ATTENTION (Access Denied)
S2 MBAMInstallerService; "C:\Temp\\MBAMTemp_b4545ef6-d7b6-45b0-8d3a-4d746165fc67\MBAMInstallerService.exe" [X]
R2 NVDisplay.ContainerLocalSystem; C:\WINDOWS\System32\DriverStore\FileRepository\nvami.inf_amd64_357c899e52491771\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f %ProgramData%\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\WINDOWS\System32\DriverStore\FileRepository\nvami.inf_amd64_357c899e52491771\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 amdfendrmgr; C:\WINDOWS\System32\drivers\amdfendrmgr.sys [35360 2022-06-01] (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.)
R3 amdpmf; C:\WINDOWS\System32\drivers\amdpmf.sys [144320 2022-07-13] (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.)
R3 amdwddmg; C:\WINDOWS\System32\DriverStore\FileRepository\u0383113.inf_amd64_9242eb4af0e982f6\B383140\amdkmdag.sys [94459248 2022-09-13] (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.)
R1 Asusgio3; C:\Windows\system32\drivers\AsIO3.sys [49256 2022-08-16] (ASUSTeK COMPUTER INC. -> )
R3 AsusPTPDrv; C:\WINDOWS\System32\DriverStore\FileRepository\asusptpfilter.inf_amd64_2be525c42dff92ab\AsusPTPFilter.sys [123456 2022-06-07] (ASUSTeK COMPUTER INC. -> ASUSTek COMPUTER INC.)
R3 AsusSAIO; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSSystemAnalysis\AsusSAIO.sys [49312 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
R1 ATKWMIACPIIO; C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_0599a970f71746fa\ASUSOptimization\AsusWmiAcpi.sys [48912 2023-08-17] (ASUSTeK COMPUTER INC. -> ASUSTeK COMPUTER INC.)
R3 IGO_VSD; C:\WINDOWS\system32\drivers\igovsd.sys [42344 2021-07-05] (British Cayman Islands Intelligo Technology Inc. Taiwan Branch -> Intelligo Technology Inc.)
R3 MTKBTFilterX64; C:\WINDOWS\system32\DRIVERS\mtkbtfilterx.sys [321064 2023-04-13] (Microsoft Windows Hardware Compatibility Publisher -> MediaTek Inc.)
R3 mtkwlex; C:\WINDOWS\System32\drivers\mtkwl6ex.sys [1419768 2023-04-10] (Microsoft Windows Hardware Compatibility Publisher -> MediaTek Inc.)
R3 NvModuleTracker; C:\WINDOWS\System32\DriverStore\FileRepository\nvmoduletracker.inf_amd64_0c1cc60a4b422185\NvModuleTracker.sys [45656 2022-07-14] (Nvidia Corporation -> NVIDIA Corporation)
R3 nvpcf; C:\WINDOWS\System32\drivers\nvpcf.sys [237592 2023-08-15] (NVIDIA Corporation -> NVIDIA Corporation)
S3 ProtonVPNCallout; C:\Program Files\Proton\VPN\v3.2.2\Resources\ProtonVPN.CalloutDriver.sys [34176 2023-08-02] (Microsoft Windows Hardware Compatibility Publisher -> Proton Technologies AG)
R3 rt68cx21; C:\WINDOWS\System32\DriverStore\FileRepository\rt68cx21x64.inf_amd64_72550ea126b8df03\rt68cx21x64.sys [510344 2021-09-14] (Realtek Semiconductor Corp. -> Realtek)
S3 SIVDriver; C:\WINDOWS\system32\Drivers\SIVX64.sys [205552 2021-02-12] (RH Software Ltd -> Ray Hinchliffe)
R3 tapprotonvpn; C:\WINDOWS\System32\drivers\tapprotonvpn.sys [49024 2023-04-17] (Microsoft Windows Hardware Compatibility Publisher -> The OpenVPN Project)
S4 UCPD; C:\WINDOWS\System32\drivers\UCPD.sys [29184 2023-09-15] (Microsoft Windows -> Microsoft Corporation)
R1 vgk; C:\Program Files\Riot Vanguard\vgk.sys [26953656 2023-08-10] (Riot Games, Inc. -> Riot Games, Inc.)
R3 ViGEmBus; C:\WINDOWS\System32\drivers\ViGEmBus.sys [69168 2019-04-04] (Microsoft Windows Hardware Compatibility Publisher -> Benjamin Höglinger-Stelzer)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [55856 2023-09-28] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
U5 WdDevFlt; C:\Windows\System32\Drivers\WdDevFlt.sys [169232 2022-05-07] (Microsoft Windows -> Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [572712 2023-09-28] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [105872 2023-09-28] (Microsoft Windows -> Microsoft Corporation)
S3 WinRing0_1_2_0; C:\ProgramData\WindowsTask\WinRing0x64.sys [14544 2023-07-03] (Noriyuki MIYAZAKI -> OpenLibSys.org)
S3 wintun; C:\WINDOWS\System32\drivers\wintun.sys [29592 2023-05-30] (Microsoft Windows Hardware Compatibility Publisher -> WireGuard LLC)
S3 WireGuard; C:\WINDOWS\System32\drivers\wireguard.sys [489368 2023-05-26] (Microsoft Windows Hardware Compatibility Publisher -> WireGuard LLC)
S3 GSDriver; \SystemRoot\System32\drivers\GSDriver64.sys [X]
S1 qldcfqzv; \??\C:\WINDOWS\system32\drivers\qldcfqzv.sys [X]
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-10-08 07:10 - 2023-10-08 07:10 - 000000000 ____D C:\WINDOWS\Microsoft Antimalware
2023-10-08 00:08 - 2023-10-08 00:08 - 014301088 _____ C:\Users\shres\Downloads\mb-support-1.9.2.982 (1).exe
2023-10-07 23:51 - 2023-10-07 23:51 - 000001010 _____ C:\rdpwrap.txt
2023-10-07 23:51 - 2023-10-07 23:51 - 000000000 ____D C:\WINDOWS\Panther
2023-10-07 23:51 - 2023-10-07 23:51 - 000000000 ____D C:\Users\shres\AppData\Roaming\asus_framework
2023-10-07 23:47 - 2023-10-07 23:47 - 000000000 ____D C:\Program Files (x86)\LightingService
2023-10-07 22:53 - 2023-10-07 22:53 - 000000000 ____D C:\ProgramData\Sophos
2023-10-07 22:53 - 2023-10-07 22:53 - 000000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2023-10-07 22:33 - 2023-10-08 00:08 - 000000000 ____D C:\Temp
2023-10-07 22:33 - 2023-10-07 22:33 - 000002990 _____ C:\WINDOWS\system32\Tasks\CCleanerSkipUAC - shres
2023-10-07 22:29 - 2021-02-12 21:24 - 000205552 _____ (Ray Hinchliffe) C:\WINDOWS\system32\Drivers\SIVX64.sys
2023-10-07 21:52 - 2023-10-07 22:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GridinSoft Anti-Malware
2023-10-07 21:52 - 2023-10-07 21:52 - 000000000 ____D C:\ProgramData\GridinSoft
2023-10-07 21:51 - 2023-10-07 22:23 - 000000000 ____D C:\Program Files\GridinSoft Anti-Malware
2023-10-07 21:20 - 2023-10-07 21:20 - 000000000 ____D C:\Quarantine
2023-10-07 21:13 - 2023-10-07 22:07 - 000000114 ___RH C:\Users\shres\Downloads\Stinger.opt
2023-10-07 21:13 - 2023-10-07 21:19 - 000000820 _____ C:\Users\shres\Downloads\Stinger_07102023_211323.html
2023-10-07 21:12 - 2023-10-07 21:12 - 019686680 _____ (McAfee LLC) C:\Users\shres\Downloads\stnger.exe
2023-10-07 20:46 - 2023-10-07 20:46 - 000001427 _____ C:\Users\shres\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk
2023-10-07 20:34 - 2023-10-08 00:08 - 000044854 _____ C:\Users\shres\Downloads\FRST.txt
2023-10-07 20:09 - 2023-10-07 20:09 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2023-10-07 19:56 - 2023-10-07 20:39 - 000063336 _____ C:\Users\shres\Downloads\Addition.txt
2023-10-07 19:50 - 2023-10-08 00:07 - 002383360 _____ (Farbar) C:\Users\shres\Downloads\FRSTEnglish.exe
2023-10-07 19:37 - 2023-10-07 19:37 - 002606880 _____ (Malwarebytes) C:\Users\shres\Downloads\explorer.exe.exe
2023-10-07 16:43 - 2023-10-07 16:43 - 001373744 _____ (Google LLC) C:\WINDOWS\ChromeSetup.exe
2023-10-07 16:10 - 2023-10-07 16:10 - 000004460 _____ C:\WINDOWS\system32\Tasks\Opera scheduled assistant Autoupdate 1696680600
2023-10-07 16:10 - 2023-10-07 16:10 - 000004206 _____ C:\WINDOWS\system32\Tasks\Opera scheduled Autoupdate 1696680589
2023-10-07 15:53 - 2023-10-07 15:53 - 000000000 ____D C:\Users\shres\AppData\Roaming\Opera Software
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Users\shres\AppData\Roaming\Sysfiles
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\ProgramData\WavePad
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\ProgramData\RobotDemo
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\ProgramData\PuzzleMedia
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\ProgramData\princeton-produce
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\ProgramData\FingerPrint
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\ProgramData\Evernote
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\ProgramData\ESET
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\ProgramData\BookManager
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\Transmission
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\SUPERAntiSpyware
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\RogueKiller
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\Ravantivirus
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\QuickCPU
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\Process Lasso
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\Process Hacker 2
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\NETGATE
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\ESET
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files\EnigmaSoft
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files (x86)\Transmission
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files (x86)\SpeedFan
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files (x86)\Panda Security
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files (x86)\Moo0
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files (x86)\IObit
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files (x86)\GRIZZLY Antivirus
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 __SHD C:\Program Files (x86)\GPU Temp
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 ____D C:\Program Files\CPUID
2023-10-07 13:51 - 2023-10-07 13:51 - 000000000 ____D C:\Program Files (x86)\MSI
2023-10-07 13:50 - 2023-10-08 00:08 - 000000000 ____D C:\FRST
2023-10-07 13:50 - 2023-10-07 22:53 - 000000000 __SHD C:\ProgramData\Malwarebytes
2023-10-07 13:50 - 2023-10-07 22:23 - 000000000 __SHD C:\Program Files\Malwarebytes
2023-10-07 13:50 - 2023-10-07 13:50 - 000037376 _____ (Microsoft Corporation) C:\WINDOWS\system32\rfxvmt.dll
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Users\shres\Downloads\AV_block_remover
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Users\shres\Downloads\AutoLogger
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\ProgramData\Windows Tasks Service
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\ProgramData\Norton
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\ProgramData\MB3Install
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\ProgramData\Kaspersky Lab Setup Files
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\ProgramData\Kaspersky Lab
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\ProgramData\grizzly
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\ProgramData\Doctor Web
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\ProgramData\AVAST Software
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\ProgramData\360safe
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\SpyHunter
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\Rainmeter
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\Loaris Trojan Remover
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\Kaspersky Lab
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\HitmanPro
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\Enigma Software Group
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\DrWeb
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\COMODO
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\Common Files\McAfee
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\Common Files\Doctor Web
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\Common Files\AV
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\Cezurity
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\ByteFence
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\Bitdefender Agent
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\AVG
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\AVAST Software
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files\7-Zip
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files (x86)\SpyHunter
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files (x86)\Microsoft JDX
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files (x86)\Kaspersky Lab
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files (x86)\Cezurity
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files (x86)\AVG
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files (x86)\AVAST Software
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\Program Files (x86)\360
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\KVRT2020_Data
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\KVRT_Data
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 __SHD C:\AdwCleaner
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 ___HD C:\Program Files\RDP Wrapper
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 ____D C:\WINDOWS\speechstracing
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 ____D C:\Users\shres\AppData\Roaming\RMS_settings
2023-10-07 13:50 - 2023-10-07 13:50 - 000000000 ____D C:\ProgramData\Avira
2023-10-07 13:49 - 2023-10-07 15:41 - 000000000 __SHD C:\ProgramData\WindowsTask
2023-10-07 13:49 - 2023-10-07 15:41 - 000000000 __SHD C:\ProgramData\Setup
2023-10-07 13:49 - 2023-10-07 15:40 - 000000000 __SHD C:\ProgramData\ReaItekHD
2023-10-07 13:49 - 2023-10-07 13:51 - 000000000 __SHD C:\ProgramData\Install
2023-10-07 13:49 - 2023-10-07 13:49 - 000000000 __SHD C:\ProgramData\RunDLL
2023-10-07 13:49 - 2023-10-07 13:49 - 000000000 ____D C:\ProgramData\System32
2023-10-06 23:58 - 2023-10-06 23:58 - 000000000 ____D C:\Program Files\ViGEm ViGEmBus
2023-10-06 23:51 - 2023-10-07 12:26 - 000000000 ____D C:\Users\shres\OneDrive\Documents\x360ce
2023-10-06 23:51 - 2023-10-06 23:51 - 000000000 ____D C:\ProgramData\X360CE
2023-09-30 23:25 - 2023-09-30 23:25 - 000000000 ____D C:\Users\shres\OneDrive\Documents\Sound Recordings
2023-09-29 19:27 - 2023-09-29 19:27 - 000000000 ____D C:\Users\shres\AppData\Roaming\WR3D
2023-09-16 11:51 - 2023-09-16 11:53 - 740746955 _____ C:\Users\shres\Downloads\microsoft.zip
2023-09-15 23:21 - 2023-09-15 23:24 - 000000000 ___HD C:\$WinREAgent

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-10-08 00:05 - 2023-05-21 19:34 - 000000000 ____D C:\Program Files (x86)\Battle.net
2023-10-08 00:05 - 2023-03-19 18:12 - 000003752 _____ C:\WINDOWS\system32\Tasks\AsusSystemAnalysis_754F3273-0563-4F20-B12F-826510B07474
2023-10-08 00:01 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\SystemTemp
2023-10-07 23:58 - 2023-03-19 18:16 - 000981612 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2023-10-07 23:58 - 2022-05-07 09:22 - 000000000 ____D C:\WINDOWS\INF
2023-10-07 23:54 - 2023-03-13 23:21 - 000000001 _____ C:\WINDOWS\vgkbootstatus.dat
2023-10-07 23:53 - 2023-03-13 22:02 - 000000000 ____D C:\Program Files (x86)\Google
2023-10-07 23:51 - 2023-03-19 18:12 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2023-10-07 23:51 - 2023-03-19 18:06 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2023-10-07 23:51 - 2023-03-19 10:29 - 000000000 ____D C:\WINDOWS\system32\ASUSACCI
2023-10-07 23:51 - 2022-05-07 09:24 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2023-10-07 23:51 - 2022-05-07 09:17 - 000786432 _____ C:\WINDOWS\system32\config\BBI
2023-10-07 23:51 - 2022-03-19 02:19 - 000000000 ____D C:\ProgramData\NVIDIA
2023-10-07 23:51 - 2021-07-27 04:08 - 000012288 ___SH C:\DumpStack.log.tmp
2023-10-07 23:50 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\AppReadiness
2023-10-07 23:49 - 2022-03-19 02:22 - 000000000 ____D C:\Program Files (x86)\ASUS
2023-10-07 23:49 - 2022-03-19 02:20 - 000000000 ____D C:\ProgramData\Package Cache
2023-10-07 23:48 - 2022-03-19 02:21 - 000000000 ____D C:\Program Files\ASUS
2023-10-07 23:47 - 2023-03-19 18:12 - 000000000 ____D C:\WINDOWS\system32\Tasks\ASUS
2023-10-07 23:46 - 2022-03-19 02:21 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2023-10-07 23:43 - 2022-03-19 02:15 - 000000000 ____D C:\ProgramData\ASUS
2023-10-07 23:40 - 2021-07-27 04:10 - 000000000 ____D C:\ProgramData\Packages
2023-10-07 23:38 - 2022-05-07 09:24 - 000000000 ___HD C:\Program Files\WindowsApps
2023-10-07 23:23 - 2022-03-19 02:19 - 000000000 ____D C:\ProgramData\NVIDIA Corporation
2023-10-07 22:53 - 2023-03-13 11:26 - 000000000 ___RD C:\Users\shres\OneDrive
2023-10-07 22:43 - 2022-05-07 09:24 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2023-10-07 22:43 - 2021-07-27 04:10 - 000000000 ____D C:\Program Files\Microsoft Office
2023-10-07 22:37 - 2023-05-19 23:00 - 000000000 ____D C:\WINDOWS\Minidump
2023-10-07 22:33 - 2022-03-19 02:27 - 000000000 ____D C:\Program Files\McAfee
2023-10-07 22:33 - 2022-03-19 02:19 - 000000000 ____D C:\Program Files\NVIDIA Corporation
2023-10-07 22:23 - 2023-03-13 18:13 - 000000310 _____ C:\ProgramData\CMediaAudioControlPanelData.ini
2023-10-07 22:21 - 2023-03-13 12:18 - 000000000 ____D C:\Program Files (x86)\Steam
2023-10-07 22:05 - 2022-03-19 02:27 - 000000000 __SHD C:\ProgramData\McAfee
2023-10-07 19:32 - 2023-03-19 10:45 - 000000000 ____D C:\Users\shres\AppData\Roaming\Microsoft\Windows
2023-10-07 15:39 - 2023-08-15 12:58 - 000000309 _____ C:\Users\shres\AppData\Roaming\BattleBitConfig.ini
2023-10-07 15:39 - 2023-04-28 22:19 - 000000000 ____D C:\Users\shres\AppData\Roaming\bittorrent
2023-10-07 13:50 - 2022-05-07 09:24 - 000000000 ____D C:\Program Files\Common Files\System
2023-10-07 12:37 - 2023-03-18 01:38 - 000000000 ____D C:\Games
2023-10-06 22:34 - 2023-03-13 11:42 - 000001474 _____ C:\Users\shres\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA GeForce NOW.lnk
2023-10-06 22:22 - 2023-04-23 22:17 - 000000000 ____D C:\WINDOWS\SysWOW64\directx
2023-10-06 22:21 - 2023-03-16 21:21 - 000000000 ___HD C:\WINDOWS\msdownld.tmp
2023-10-05 18:03 - 2023-04-02 09:32 - 002709096 _____ (Microsoft Corporation) C:\WINDOWS\system32\xgameruntime.dll
2023-10-05 18:03 - 2023-04-02 09:32 - 000503808 _____ (Microsoft Corporation) C:\WINDOWS\system32\gameplatformservices.dll
2023-10-05 18:03 - 2023-04-02 09:32 - 000210536 _____ (Microsoft Corporation) C:\WINDOWS\system32\gameconfighelper.dll
2023-10-05 18:03 - 2023-04-02 09:32 - 000181864 _____ (Microsoft Corporation) C:\WINDOWS\system32\gamelaunchhelper.dll
2023-10-05 18:03 - 2023-04-02 09:32 - 000145000 _____ (Microsoft Corporation) C:\WINDOWS\system32\gamingtcuihelpers.dll
2023-10-05 18:03 - 2023-04-02 09:32 - 000095736 _____ (Microsoft Corporation) C:\WINDOWS\system32\xgamehelper.exe
2023-10-05 18:03 - 2023-04-02 09:32 - 000075360 _____ (Microsoft Corporation) C:\WINDOWS\system32\xgamecontrol.exe
2023-10-04 19:56 - 2023-05-26 18:27 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Proton
2023-10-01 22:20 - 2021-07-27 04:08 - 000002442 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2023-09-29 19:07 - 2023-03-19 18:12 - 000003588 _____ C:\WINDOWS\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1623705211-507293843-3645546312-1001
2023-09-29 19:07 - 2023-03-19 18:12 - 000003378 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1623705211-507293843-3645546312-1001
2023-09-29 19:07 - 2023-03-13 11:26 - 000002381 _____ C:\Users\shres\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2023-09-28 17:49 - 2021-07-27 04:08 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2023-09-24 13:45 - 2023-03-13 14:01 - 000000000 ___RD C:\Users\shres\Downloads\B9ECED6F.ASUSPCAssistant_qmba6cd70vzyy!App
2023-09-19 18:17 - 2023-03-19 18:12 - 000003790 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA{5617F452-B4E6-4D48-B54B-A98708F13CF9}
2023-09-19 18:17 - 2023-03-19 18:12 - 000003666 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore{77754C54-6EDB-4F1A-B80E-62D0CE614001}
2023-09-17 00:24 - 2023-03-19 18:12 - 000004122 _____ C:\WINDOWS\system32\Tasks\ASUS Update Checker 2.0
2023-09-17 00:24 - 2023-03-19 18:12 - 000003756 _____ C:\WINDOWS\system32\Tasks\ASUS Optimization 36D18D69AFC3
2023-09-16 01:50 - 2023-03-19 18:06 - 000514240 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\UUS
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\SysWOW64\WinMetadata
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\SysWOW64\Dism
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\SystemResources
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\system32\WinMetadata
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\system32\oobe
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\system32\Dism
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\system32\appraiser
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\ShellExperiences
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\ShellComponents
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\Provisioning
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2023-09-16 01:49 - 2022-05-07 09:24 - 000000000 ____D C:\WINDOWS\bcastdvr
2023-09-15 23:52 - 2023-03-12 23:22 - 000000000 ____D C:\WINDOWS\system32\MRT
2023-09-15 23:39 - 2023-03-12 23:22 - 177941912 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2023-09-15 23:39 - 2022-05-07 09:17 - 000000000 ____D C:\WINDOWS\CbsTemp
2023-09-15 23:34 - 2023-03-19 18:08 - 003210752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2023-09-13 21:35 - 2023-04-02 09:32 - 000000000 ____D C:\XboxGames
2023-09-09 09:09 - 2023-03-26 12:16 - 000000000 ____D C:\Program Files\Riot Vanguard
2023-09-08 22:18 - 2022-03-19 02:21 - 000000121 _____ C:\ProgramData\CMediaVolumeData.ini
2023-09-08 22:18 - 2021-07-27 04:11 - 000002453 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk
2023-09-08 22:18 - 2021-07-27 04:11 - 000002452 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk
2023-09-08 22:18 - 2021-07-27 04:11 - 000002403 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher.lnk
2023-09-08 22:18 - 2021-07-27 04:11 - 000002395 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote.lnk
2023-09-08 22:17 - 2023-03-13 21:58 - 000000000 ____D C:\ProgramData\Riot Games
2023-09-08 21:02 - 2023-03-13 10:12 - 000000000 ___SD C:\Users\shres\AppData\Roaming\Microsoft\Protect

==================== Files in the root of some directories ========

2023-08-15 12:58 - 2023-10-07 15:39 - 000000309 _____ () C:\Users\shres\AppData\Roaming\BattleBitConfig.ini
2023-08-18 23:30 - 2023-08-28 21:30 - 000000038 _____ () C:\Users\shres\AppData\Roaming\BattleBitMutedPlayers.ini

==================== FLock ==============================

2023-10-07 13:50 C:\Program Files\AVAST Software
2023-10-07 13:50 C:\Program Files\AVG
2023-10-07 13:50 C:\Program Files\Bitdefender Agent
2023-10-07 13:50 C:\Program Files\ByteFence
2023-10-07 13:50 C:\Program Files\Cezurity
2023-10-07 13:50 C:\Program Files\COMODO
2023-10-07 13:50 C:\Program Files\DrWeb
2023-10-07 13:50 C:\Program Files\Enigma Software Group
2023-10-07 13:51 C:\Program Files\EnigmaSoft
2023-10-07 13:51 C:\Program Files\ESET
2023-10-07 13:50 C:\Program Files\HitmanPro
2023-10-07 13:50 C:\Program Files\Kaspersky Lab
2023-10-07 13:50 C:\Program Files\Loaris Trojan Remover
2023-10-07 22:23 C:\Program Files\Malwarebytes
2023-10-07 13:51 C:\Program Files\NETGATE
2023-10-07 13:51 C:\Program Files\Process Hacker 2
2023-10-07 13:51 C:\Program Files\Process Lasso
2023-10-07 13:51 C:\Program Files\QuickCPU
2023-10-07 13:50 C:\Program Files\Rainmeter
2023-10-07 13:51 C:\Program Files\Ravantivirus
2023-10-07 13:51 C:\Program Files\RogueKiller
2023-10-07 13:50 C:\Program Files\SpyHunter
2023-10-07 13:51 C:\Program Files\SUPERAntiSpyware
2023-10-07 13:51 C:\Program Files\Transmission
2023-10-07 13:50 C:\Program Files (x86)\360
2023-10-07 13:50 C:\Program Files (x86)\AVAST Software
2023-10-07 13:50 C:\Program Files (x86)\AVG
2023-10-07 13:50 C:\Program Files (x86)\Cezurity
2023-10-07 13:51 C:\Program Files (x86)\GPU Temp
2023-10-07 13:51 C:\Program Files (x86)\GRIZZLY Antivirus
2023-10-07 13:50 C:\Program Files (x86)\Kaspersky Lab
2023-10-07 13:50 C:\Program Files (x86)\Microsoft JDX
2023-10-07 13:51 C:\Program Files (x86)\Moo0
2023-10-07 13:51 C:\Program Files (x86)\Panda Security
2023-10-07 13:51 C:\Program Files (x86)\SpeedFan
2023-10-07 13:50 C:\Program Files (x86)\SpyHunter
2023-10-07 13:51 C:\Program Files (x86)\Transmission
2023-10-07 13:50 C:\Program Files\Common Files\AV
2023-10-07 13:50 C:\Program Files\Common Files\Doctor Web
2023-10-07 13:50 C:\Program Files\Common Files\McAfee
2023-10-07 13:50 C:\ProgramData\360safe
2023-10-07 13:50 C:\ProgramData\AVAST Software
2023-10-07 13:50 C:\ProgramData\Avira
2023-10-07 13:51 C:\ProgramData\BookManager
2023-10-07 13:50 C:\ProgramData\Doctor Web
2023-10-07 13:51 C:\ProgramData\ESET
2023-10-07 13:51 C:\ProgramData\Evernote
2023-10-07 13:51 C:\ProgramData\FingerPrint
2023-10-07 13:50 C:\ProgramData\grizzly
2023-10-07 13:50 C:\ProgramData\Kaspersky Lab
2023-10-07 13:50 C:\ProgramData\Kaspersky Lab Setup Files
2023-10-07 22:05 C:\ProgramData\McAfee
2023-10-07 13:50 C:\ProgramData\Norton
2023-10-07 13:51 C:\ProgramData\princeton-produce
2023-10-07 13:51 C:\ProgramData\PuzzleMedia
2023-10-07 13:51 C:\ProgramData\RobotDemo
2023-10-07 13:51 C:\ProgramData\WavePad
2023-10-07 13:50 C:\Users\shres\Downloads\AutoLogger
2023-10-07 13:50 C:\Users\shres\Downloads\AV_block_remover
2023-10-07 13:51 C:\Users\shres\AppData\Roaming\Sysfiles

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================

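One detail in the FRST log above deserves a closer look: the FLock section lists dozens of directories named after antivirus products and removal tools, almost all with the same pair of timestamps (13:50 and 13:51 on 2023-10-07), alongside a few unrelated folders. That clustering lines up with the poster's symptom that security tools close or refuse to install. As an added example (not part of this thread and not FRST's own code), the Python below parses the FLock section of an FRST.txt and flags such a burst. The keyword list, the two-minute window and the hit threshold are my assumptions; the sample lines are a subset of the FLock entries posted above, embedded here so the script runs offline.

```python
"""Flag a burst of locked security-tool directories in an FRST.txt FLock section.

Added example: not part of the original thread and not FRST's own code.
"""
import re
from datetime import datetime, timedelta

# Sample input: a subset of the FLock lines from the FRST log posted above,
# with the surrounding section headers. Not the complete list.
SAMPLE_FLOCK = r"""==================== FLock ==============================

2023-10-07 13:50 C:\Program Files\AVAST Software
2023-10-07 13:50 C:\Program Files\AVG
2023-10-07 13:50 C:\Program Files\Bitdefender Agent
2023-10-07 13:50 C:\Program Files\HitmanPro
2023-10-07 13:50 C:\Program Files\Kaspersky Lab
2023-10-07 22:23 C:\Program Files\Malwarebytes
2023-10-07 13:51 C:\Program Files\ESET
2023-10-07 13:51 C:\Program Files\RogueKiller
2023-10-07 13:50 C:\Program Files\Rainmeter
2023-10-07 13:51 C:\Program Files (x86)\Panda Security
2023-10-07 13:50 C:\ProgramData\Avira
2023-10-07 13:50 C:\ProgramData\Norton
2023-10-07 22:05 C:\ProgramData\McAfee
2023-10-07 13:50 C:\Users\shres\Downloads\AV_block_remover
2023-10-07 13:51 C:\Users\shres\AppData\Roaming\Sysfiles

==================== SigCheck ============================
"""

# Assumed keyword list (mine, not FRST's): lower-case fragments of directory
# names used by security products and removal tools. Extend as needed.
SECURITY_KEYWORDS = (
    "avast", "avg", "avira", "bitdefender", "comodo", "drweb", "doctor web",
    "eset", "hitmanpro", "kaspersky", "malwarebytes", "mcafee", "norton",
    "panda security", "roguekiller", "spyhunter", "superantispyware",
    "360safe", "av_block_remover", "autologger", "process hacker",
)

# FLock entries are "YYYY-MM-DD HH:MM <path>", one per line.
FLOCK_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (.+)$")


def parse_flock(text):
    """Return [(timestamp, path)] for every entry in the FLock section."""
    entries = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("===="):
            # FRST section headers look like "==================== FLock ===="
            in_section = "FLock" in line
            continue
        if not in_section:
            continue
        m = FLOCK_LINE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(2)))
    return entries


def is_security_tool_path(path):
    """True if the path looks like a security product or removal tool directory."""
    p = path.lower()
    return any(k in p for k in SECURITY_KEYWORDS)


def find_lock_burst(entries, window_minutes=2, min_hits=5):
    """Densest window of locked security-tool paths, or None if below min_hits.

    FLock timestamps have minute resolution, so a window of a couple of
    minutes catches a single scripted run that locked many directories at once.
    """
    sec = sorted((t, p) for t, p in entries if is_security_tool_path(p))
    span = timedelta(minutes=window_minutes)
    best = None
    for i, (t0, _) in enumerate(sec):
        window = [(t, p) for t, p in sec[i:] if t - t0 <= span]
        if len(window) >= min_hits and (best is None or len(window) > len(best["paths"])):
            best = {"start": t0, "end": window[-1][0], "paths": [p for _, p in window]}
    return best


def analyse(text, window_minutes=2, min_hits=5):
    """Summarise the FLock section: counts plus the burst, if any."""
    entries = parse_flock(text)
    return {
        "locked_total": len(entries),
        "locked_security": sum(1 for _, p in entries if is_security_tool_path(p)),
        "burst": find_lock_burst(entries, window_minutes, min_hits),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_FLOCK)
    print(f"{report['locked_security']} of {report['locked_total']} locked paths are security tools")
    if report["burst"]:
        b = report["burst"]
        print(f"burst: {len(b['paths'])} security-tool paths locked between "
              f"{b['start']:%Y-%m-%d %H:%M} and {b['end']:%H:%M}")
        for p in b["paths"]:
            print("  ", p)
```

On the sample, the 13:50/13:51 cluster is reported as one burst and the Malwarebytes (22:23) and McAfee (22:05) entries fall outside it, which is what you would expect if those two were touched later by the cleanup itself rather than by the original locking run. When a log shows this pattern, the next step on the machine is to check the permissions and attributes of those directories, and whether they are real vendor installs or empty placeholders, before attempting any security product install; the AVBR tool assigned later in this thread is aimed at removing blocks of that kind.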

7 minutes ago, Maurice Naggar said:

This is only a first step. Download and save a file named Iexplore.exe from here https://www.bleepingcomputer.com/download/rkill/dl/11.

When I click this link, it shows an Error 404 pop-up (picture attached below).

 

Just to add that I already have the "rkill" folder on my desktop because I tried to use another software to fix this issue before I listed my issue here. Is there anything I should do/share within this folder?

Since the first step is not working for me, shall I move to the second step?

Screenshot 2023-10-08 001403.png


The FRSTENGLISH is another name for FRST. That file is safe and is included when the Support tool is run. Do not mess with FRSTENGLISH.

Further, if you have run the Support tool, I need you to ATTACH the ZIP file named mbst-grab-results.zip

Sorry, I do not mean to flood you with sequential replies. BUT if you are unable to download the AVBR tool, then I am attaching it inside a ZIP file here.

AVbr.zip


Specifics please. 1. What file is blocked by EDGE !!

2. Try another, different web browser !! This machine also has Firefox, Opera, Chrome.

I am curious to know just exactly what application or game was downloaded from the internet before this infection first showed up.

Also, you made no mention of the MBAR Malwarebytes anti-rootkit tool that I listed in an earlier reply.

I need you to do all of the suggestions I posted before (besides the RKILL). I needed you to run MBAR and also AVBR.

The AVBR.zip file needs to be custom guided so that it is saved to its own unique folder (and NOT to the existing Downloads folder).

One other tip: IF you have another clean working computer at home, use that one to do the downloads and put the tools on a USB flash/thumb drive, then take that USB to the problem computer. Press and hold the SHIFT key on the keyboard before and during insertion of the USB drive into the USB slot. Then copy the tools to the problem computer.


Hey Maurice! 

 

8 hours ago, Maurice Naggar said:

Specifics please. 1. What file is blocked by EDGE !!

2. Try another, different web browser !! This machine also has Firefox, Opera, Chrome.

The logs I posted in my first message here were from FRST.exe as well as the MSERT support logs. When I clicked on them to view them, Edge blocked them. I am not sure whether you can open them or not.

 

8 hours ago, Maurice Naggar said:

I am curious to know, just exactly what application or game was got off the internet from before this infection first showed up ??

also, you made no mention about the MBAR Malwarebytes anti-rootkit tool that I listed above in a earlier reply

It was a setup file of a game I tried to download from a repack website. Never going to do that again.

 

I am conducting the Anti-Rootkit scan as we speak. I did save all these applications in another folder and now it seems to be running the setup. I finally managed to download Malwarebytes, but upon opening the app it shows the message in the attachment below.

malware bytes app error on opening.png


9 hours ago, Maurice Naggar said:

To use the utility, you need:
1. Download the utility and unzip it to any place convenient for you.  
2. After unpacking (Extracting all content of the zip file)
3. Run the EXE file
4. If the utility does not start or gives an error, then Stop and let me know

During the operation of the utility, a folder ..\AV_block_remover will be created next to this file, containing, among other things:
file named "AV_block_remove_date-time.log" inside this folder. Please attach that log to your next post.

Maurice, I have done as you requested. Kindly see the below attached log after running AVBR application.

AV_block_remove_2023.10.08-09.57.log


Just to follow up after AVBR was installed: a few popups opened after I ran the AVBR setup. It asked whether a user named "John" should be deleted or not, and I clicked "Yes".

Another popup asked whether some crypto mining tool should be deleted or not; it classified it as "harmful" and I clicked Yes.

The system rebooted out of nowhere. Hope these things are part of the process. 


The MBAR anti-rootkit did some very fortunate cleanups on several trojans. AND the AVBR also did a very helpful run. You are very lucky. HOWEVER, there is still a bunch more work to be done.

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1:  This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It attempts to remove traces of malware. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRSTENGLISH.exe  program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it in your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

MORE scans and work will need to be done even after this.


Here you go. The attached "Fixlog.txt" file after running the FRSTENGLISH application and reboot processes.

15 minutes ago, Maurice Naggar said:

The MBAR anti-rootkit did some very fortunate cleanups on several trojans. AND the AVBR also did a very helpful run. You are very lucky. HOWEVER, there is still a bunch more work to be done.

Oh, that's good to hear! Let's keep at it together to further eliminate the virus and its remnants fully.

 

Please update me further on the next step as soon as possible.

Fixlog.txt


The Custom run is very good. Before we address the Malwarebytes program, we will do some scans with other known scanners.

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adware, and potentially unwanted applications.
You can start this and, once it is under way, leave the machine alone and let it run overnight. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Tick (select) the option "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine and let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

Now a different scan with another security scanner. 

You should first Close as many of your open-user app-screens as possible. That is to say, Exit all that you do not need to have open.

This one is with the Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\shres\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\shres\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.


That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"


A new Window will open, select "Run anyway"


A EULA window will open, tick both confirmation boxes then select "Accept"


Go slow & careful on this part.  In the new window select "Change Parameters"


 
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".

The Kaspersky tool is very thorough, so it will take a considerable time to complete; please allow it to finish. Also, while Kaspersky runs, do not use your PC for anything else.

  • completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Log files can be found on your system drive (usually C:), similar to this:

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20231009_203000.klr

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply
  • Have lots of patience, as this will most likely run for many hours.
  • Also, be aware I am a volunteer here. I help here as personal time permits. I am not on all the time.

@Maurice Naggar Just got done with running the Kaspersky AV program and below is the attached Log report.

 

18 hours ago, Maurice Naggar said:
  • completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".

There wasn't any option to choose anything for me. It showed the entries with a lot of X's beside each text. It showed the same window as the "start scan" one, but with headings and text saying "scan completed", number of files scanned, etc. On top of the window there were two options, "Info" and "Quarantine". Lastly, there was an option on the bottom right-hand side of the window to "Close", and since I did not see any of the options you mentioned above, I clicked on that and moved on to the next step.

 

18 hours ago, Maurice Naggar said:

Usually, your system needs a reboot to finish the removal process.

The system did not prompt a reboot process, I had to manually restart it by myself to make sure the AV program does the removal procedure fully. 

 

Hope everything worked according to plan and the log shows positive results.

report_2023.10.09_18.06.33.txt


I am just curious as to how long the Kaspersky KVRT ran, and whether it was more than, say, 6 hours.
According to the log, the end of the run was 2023.10.09 18:51
According to the log, no threats were detected.

One other scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action and select Ignore.

When all done & ready, click the Fix now button.
The "Summary" at the end at "Review Results" is what matters.


I would simply like to take a moment to let you ( as well as other potential readers ) know about the several infectious elements found and removed by the Malwarebytes MBAR tool.

Trojan.BitCoinMiner
Trojan.BitCoinMiner.Generic
RiskWare.RemoteAdmin
RiskWare.BitCoinMiner
Adware.SpecialSearchOffer
Trojan.Agent.D
Trojan.Dropper.BAT

ESET Onlinescanner found & removed several Win32/uTorrent_AGen.A potentially unwanted applications (PUP)
 
I have had you run a few special scanners, plus a custom script, plus AVBR tool.
There are still more fixes to do, including guiding you to install, set up and run the Malwarebytes program.

Given the number of trojans detected on this machine, you want to keep close monitoring on any bank or credit card accounts that you used through this machine, as well as monitoring all online accounts. It is possible that one or another may have been compromised.
At the end of the case, I will relay tips on how to change all your account passwords.

This malicious infection used multiple-prongs ( ways & means) to get itself burrowed onto the system. It has also obviously made ways to disable  the running of many different antivirus & security programs.
While this case is open, please do not do any loose web surfing. Nor do any unnecessary social media. No online shopping. No online banking.


1 hour ago, Maurice Naggar said:

This malicious infection used multiple-prongs ( ways & means) to get itself burrowed onto the system. It has also obviously made ways to disable

Oh gosh! When you say this I got to be extra careful. Is it fine that I am using the infected pc to log onto malwarebytes and reply to your messages? I hope that would be safe.

 

2 hours ago, Maurice Naggar said:

I am just curious as to how long the Kaspersky KVRT ran, and whether it was more than, say, 6 hours.
According to the log, the end of the run was 2023.10.09 18:51

I remember clearly it said the scan lasted for 31 minutes or so.

 

The advice is much appreciated. I am currently running the Housecall scan as we speak. Hopefully it does a proper and thorough checkup on my system and eliminates the remaining malware that is present at the moment.

