
I think I have a rootkit, how to detect and remove if any?

7.7K views, 44 replies, 2 participants, last post by DR M
#1 ·
Hello everyone! I am heavily interested in the field of computer security, malware analysis and cyber awareness, so I always search for these topics on the Internet and gain knowledge. I also use cracked programs and activators (not many, only 2 or 3), and my life was going very smoothly: no lag, no black screens, no BSOD, nothing.... But a few months ago I started witnessing system crashes, a black wallpaper after logon that after a few seconds comes back to normal, and the most frightening thing that makes me think there's a rootkit attack: I use Process Hacker, and after logon a parent process named sihost.exe, which is a legit program, runs Microsoft Edge in a fully silent way, and when I go to terminate the process, it automatically terminates itself (now I dunno whether the process is getting hidden or really terminated, because a rootkit injects its malicious code into every process; maybe at that time Process Hacker was getting injected). Anyway, I used Kaspersky Total Security and nothing was found; I did all types of scans like Full System Scan and Rootkit Scan, and right now I am using Avast Premium Security and it also detected nothing, but as we all know a rootkit hides its presence and makes itself fully fileless, thus cheating all AV scanners. So then I scanned my PC using G.M.E.R., but GMER suddenly crashed and terminated itself. Now I really don't know what is happening in my PC (whether it's infected or not, I really don't know what's going on....... -_-) So, please help me.......
I also use Autoruns and turned on automatic VirusTotal detection highlighting, but didn't find anything malicious. There are numerous .dll files, .sys files, etc..... (.dll files can also be malicious, I know, but I don't know which one of them is malicious, and that's why I came here to get help.) Please help me please............
I also use Process Hacker, and when I go to the Services tab I see lots of untrusted and unsigned .dlls (don't worry, I will send all the screenshots here (processes, services and disks) to let you all investigate the mystery....)

Thank You !
Best Regards !
Addy
 


#2 ·
Hi, Addy, and welcome to TSG Forums.

and I also use cracked programs, activators(not many only 2 or 3)
Using pirated/cracked software is an easy way to infect your computer. Almost as easy as intentionally downloading malware. So, no wonder you got infected and things didn't go as smoothly as you expected.

In order to help you here, and at every other Malware Removal Forum, you have to remove all the cracked/pirated programs first.

After that, read here and provide the requested logs.
 
#3 ·
Hello DR.M (nice profile pic :love::love::):giggle:), I have removed all the cracked software. Now maybe some can stay hidden, as I said, since it seems like there is a rootkit in my PC. Now, when I ran FRST64.exe, there were numerous ticks on there, so do I need to tick more, or leave it and then just press Scan? But as I said, maybe there is a rootkit in my PC, so the rootkit injects its malicious code and then also makes it invisible. So I'm still scanning, but it will take time, so please wait while I send you the logs here :giggle::giggle:
 
#4 ·
Edit: As I already said, I have a strong suspicion that the infection is a rootkit attack. In the FRST tool, in the whitelist section, the drivers, services, processes, registry and internet are all checked, which according to me means they are all whitelisted from the scan. So do I need to uncheck them all, or a few, or leave them alone? Well, I've already left them all alone and started the scan, as nothing specific is written here, so let the scan finish and then I'll come back to you, okay? :):D:D
 
#6 ·
Hi, Addy.

I have seen that error before.

Let's do something else before trying to run FRST again. The following actions are for checking the operating system's license and the pirated programs:

Please do the following:

1. Run Licensingdiag.exe
  • Press Windows icon on your keyboard, together with the letter R.
  • Type cmd, and press Ctrl + Shift + Enter to run Command Prompt as administrator.
  • Copy and paste the following command and press Enter:
Licensingdiag.exe -report %userprofile%\desktop\report.txt -log %userprofile%\desktop\repfiles.cab

After running the command, two files will appear on your desktop, report.txt and repfiles.cab. Please open the report.txt file in Notepad and copy and paste the contents here. The repfiles.cab is only a backup file and can be ignored for the time being.

2. Run CKScanner

  • Download CKScanner from here and save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

In your next reply please post:
  1. The report.txt
  2. The CKFiles.txt
 
#7 ·
Log of Licensingdiag.exe
<DiagReport>
<LicensingData>
<ToolVersion>10.0.19041.789</ToolVersion>
<LicensingStatus>SL_LICENSING_STATUS_LICENSED</LicensingStatus>
<LicensingStatusReason>0x4004F401</LicensingStatusReason>
<LocalGenuineState>SL_GEN_STATE_IS_GENUINE</LocalGenuineState>
<LocalGenuineResultP>1</LocalGenuineResultP>
<LastOnlineGenuineResult></LastOnlineGenuineResult>
<GraceTimeMinutes>0</GraceTimeMinutes>
<TotalGraceDays>0</TotalGraceDays>
<ValidityExpiration></ValidityExpiration>
<ActivePartialProductKey>3V66T</ActivePartialProductKey>
<ActiveProductKeyPid2>00330-80000-00000-AA954</ActiveProductKeyPid2>
<OSVersion>10.0.19043.2.00010100.0.0.048</OSVersion>
<ProductName>Windows 10 Pro</ProductName>
<ProcessorArchitecture>x64</ProcessorArchitecture>
<EditionId>Professional</EditionId>
<BuildLab>19041.vb_release.191206-1406</BuildLab>
<TimeZone>India Standard Time(GMT+05:30)</TimeZone>
<ActiveSkuId>4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c</ActiveSkuId>
<ActiveSkuDescription>Windows(R) Operating System, RETAIL channel</ActiveSkuDescription>
<ProductUniquenessGroups>55c92734-d682-4d71-983e-d6ec3f16059f</ProductUniquenessGroups>
<ActiveProductKeyPKeyId>3c40a285-2469-ae8d-e740-6be881cd3eb6</ActiveProductKeyPKeyId>
<ActiveProductKeyPidEx>03612-03308-000-000000-00-16393-19043.0000-1452021</ActiveProductKeyPidEx>
<ActiveProductKeyChannel>Retail</ActiveProductKeyChannel>
<ActiveVolumeCustomerPid></ActiveVolumeCustomerPid>
<OfflineInstallationId>765947471549154520103959983491812726209854380552337960444228806</OfflineInstallationId>
<DomainJoined>false</DomainJoined>
<ComputerSid>S-1-5-21-4201120289-4146785065-3772099571</ComputerSid>
<ProductLCID>1033</ProductLCID>
<UserLCID>16393</UserLCID>
<SystemLCID>1033</SystemLCID>
<CodeSigning>SIGNED_INFO_PRS_SIGNED</CodeSigning>
<ServiceAvailable>true</ServiceAvailable>
<OemMarkerVersion></OemMarkerVersion>
<OemId></OemId>
<OemTableId></OemTableId>
<OA3ProductKey>0xC004F057</OA3ProductKey>
<ActivationScenarioCode></ActivationScenarioCode>
<ProductKeyCode></ProductKeyCode>
<Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer>
<Model>To be filled by O.E.M.</Model>
<InstallDate>20210525173116.000000+330</InstallDate>
</LicensingData>
<HealthCheck>
<Result>PASS</Result>
<TamperedItems></TamperedItems>
</HealthCheck>
<GenuineAuthz>
<ServerProps><?xml version="1.0" encoding="utf-8"?><genuineAuthorization xmlns="http://www.microsoft.com/DRM/SL/GenuineAuthorization/1.0"><version>1.0</version><genuineProperties origin="sppclient"><properties>OA3xOriginalProductId=;OA3xOriginalProductKey=;SessionId=LicensingDiag;TimeStampClient=2021-08-16T15:54:28Z</properties><signatures><signature name="clientLockboxKey" method="rsa-sha256">1VVRWWz0GPeuy+r4CuNMKtwJNRL5exaqiebMWZzRQiOO+6qN3p1zWVV8JHYmJoN1NWliSWUdkoUCwMQeNQQiAi/uIkAI+yj+vpIZ0rnuAcaynNaNl4DdVmUTNKl6NY4ks4v1sUR92wmJ5QCqUOwrWNThxDn+cDrG00qZsnqwswU=</signature></signatures></genuineProperties></genuineAuthorization></ServerProps>
</GenuineAuthz>
</DiagReport>
 
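The Licensingdiag report above is XML, so the fields DR M is interested in (licensing status, genuine state, the HealthCheck result and TamperedItems) can be pulled out programmatically. The following is an added example, not a tool from the thread or from Microsoft; SAMPLE_REPORT is a constructed, trimmed copy of the report's shape, and it reproduces one quirk visible in the posted output: a second `<?xml ...?>` declaration sits inside `<ServerProps>`, which a strict XML parser rejects, so the script strips declarations before parsing (an assumption about the on-disk file, since the forum may have altered escaping).

```python
"""Summarise a Licensingdiag.exe report.txt (added example, not from the
thread). Field names follow the report posted above; SAMPLE_REPORT is a
constructed, trimmed copy of that shape."""
import re
import xml.etree.ElementTree as ET

# Constructed sample. Like the posted report it carries a second
# "<?xml ...?>" declaration inside <ServerProps>; expat rejects that with
# "XML or text declaration not at start of entity", so it is stripped first.
SAMPLE_REPORT = """<DiagReport>
<LicensingData>
<LicensingStatus>SL_LICENSING_STATUS_LICENSED</LicensingStatus>
<LocalGenuineState>SL_GEN_STATE_IS_GENUINE</LocalGenuineState>
<ActiveProductKeyChannel>Retail</ActiveProductKeyChannel>
<ProductName>Windows 10 Pro</ProductName>
<CodeSigning>SIGNED_INFO_PRS_SIGNED</CodeSigning>
</LicensingData>
<HealthCheck>
<Result>PASS</Result>
<TamperedItems></TamperedItems>
</HealthCheck>
<GenuineAuthz>
<ServerProps><?xml version="1.0" encoding="utf-8"?><genuineAuthorization xmlns="http://www.microsoft.com/DRM/SL/GenuineAuthorization/1.0"><version>1.0</version></genuineAuthorization></ServerProps>
</GenuineAuthz>
</DiagReport>"""

XML_DECL = re.compile(r"<\?xml[^>]*\?>")


def has_embedded_declaration(text: str) -> bool:
    """True if an XML declaration appears anywhere but at the very start."""
    return any(m.start() > 0 for m in XML_DECL.finditer(text.lstrip()))


def parse_report(text: str) -> dict:
    """Return the licensing and health fields of a Licensingdiag report."""
    root = ET.fromstring(XML_DECL.sub("", text))

    def field(path: str) -> str:
        node = root.find(path)
        return (node.text or "").strip() if node is not None else ""

    return {
        "licensing_status": field("LicensingData/LicensingStatus"),
        "genuine_state": field("LicensingData/LocalGenuineState"),
        "channel": field("LicensingData/ActiveProductKeyChannel"),
        "product": field("LicensingData/ProductName"),
        "code_signing": field("LicensingData/CodeSigning"),
        "health_result": field("HealthCheck/Result"),
        "tampered_items": field("HealthCheck/TamperedItems"),
    }


def license_looks_clean(report: dict) -> bool:
    """Licensed, genuine, health check PASS and nothing listed as tampered.
    This only says the licensing components report a consistent state;
    read the channel field alongside it to see whether it matches what
    was actually purchased."""
    return (report["licensing_status"] == "SL_LICENSING_STATUS_LICENSED"
            and report["genuine_state"] == "SL_GEN_STATE_IS_GENUINE"
            and report["health_result"] == "PASS"
            and report["tampered_items"] == "")


if __name__ == "__main__":
    # Read a real file with: parse_report(open("report.txt", encoding="utf-8").read())
    summary = parse_report(SAMPLE_REPORT)
    for key, value in summary.items():
        print(f"{key:17} {value or '(empty)'}")
    print("clean:", license_looks_clean(summary))
```

Run it against the desktop report.txt by replacing SAMPLE_REPORT with the file contents; a non-empty TamperedItems or a HealthCheck result other than PASS is the part of the report a helper will want to see first.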
#8 ·
As for CKScanner, which you said to run: you didn't give me any link to download and run it, and I can't run it from any other source except the link which you will give me here, in order to avoid any kind of misconception............
 
#9 ·
I hope you or another moderator will quickly reply to me and send me the link for CKScanner, as I am at my desktop right now; otherwise, once I have shut down my desktop, I will not open it for a few hours, and that's why I am asking for the CKScanner link right now. Ok?
 
#14 ·
Well well.... Now it's completed, and here are the logs of CKScanner 2.5:
CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\users\addy\desktop\firedm\lib\youtube_dl\extractor\cracked.py
c:\users\addy\desktop\firedm\lib\youtube_dl\extractor\crackle.py
c:\users\addy\desktop\firedm\lib\youtube_dl\extractor\__pycache__\cracked.cpython-38.pyc
c:\users\addy\desktop\firedm\lib\youtube_dl\extractor\__pycache__\crackle.cpython-38.pyc
c:\users\addy\desktop\firedm\lib\yt_dlp\extractor\cracked.py
c:\users\addy\desktop\firedm\lib\yt_dlp\extractor\crackle.py
c:\users\addy\desktop\firedm\lib\yt_dlp\extractor\__pycache__\cracked.cpython-38.pyc
c:\users\addy\desktop\firedm\lib\yt_dlp\extractor\__pycache__\crackle.cpython-38.pyc
c:\windows\servicing\lcu\package_for_rollupfix~31bf3856ad364e35~amd64~~19041.1110.1.15\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\f\ssh-keygen.exe
c:\windows\servicing\lcu\package_for_rollupfix~31bf3856ad364e35~amd64~~19041.1110.1.15\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\r\ssh-keygen.exe
c:\windows\servicing\lcu\package_for_rollupfix~31bf3856ad364e35~amd64~~19041.1165.1.8\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\f\ssh-keygen.exe
c:\windows\servicing\lcu\package_for_rollupfix~31bf3856ad364e35~amd64~~19041.1165.1.8\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\r\ssh-keygen.exe
c:\windows\winsxs\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\ssh-keygen.exe
c:\windows\winsxs\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\f\ssh-keygen.exe
c:\windows\winsxs\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\r\ssh-keygen.exe
scanner sequence 3.DK.11.JPAPXZ
----- EOF -----
 
#15 ·
Hi, Addy.

I don't like the following entries. In a fix in the next steps they are going to be removed. Please make sure that you remove any program related to them.

Code:
c:\users\addy\desktop\firedm\lib\youtube_dl\extractor\cracked.py
c:\users\addy\desktop\firedm\lib\youtube_dl\extractor\crackle.py
c:\users\addy\desktop\firedm\lib\youtube_dl\extractor\__pycache__\cracked.cpython-38.pyc
c:\users\addy\desktop\firedm\lib\youtube_dl\extractor\__pycache__\crackle.cpython-38.pyc
c:\users\addy\desktop\firedm\lib\yt_dlp\extractor\cracked.py
c:\users\addy\desktop\firedm\lib\yt_dlp\extractor\crackle.py
c:\users\addy\desktop\firedm\lib\yt_dlp\extractor\__pycache__\cracked.cpython-38.pyc
c:\users\addy\desktop\firedm\lib\yt_dlp\extractor\__pycache__\crackle.cpython-38.pyc
After that, restart the computer, try to run FRST again and attach the 2 logs created. Let me know if you are getting the same error.
 
#16 ·
I don't like the following entries. In a fix in the next steps they are going to be removed. Please make sure that you remove any program related to them.
Yes, that stuff is not needed by me, so do you want me to delete the whole Fire Download Manager folder, or will you be giving a fix that removes them automatically? Anyway, I don't need them anymore. Ok? So please confirm what to do next....

I'm waiting for your reply..
Best Regards,
Addy
 
#17 ·
Remove any remaining program that is not legally activated, restart and try to run FRST again, as I told you here:

After that, restart the computer, try to run FRST again and attach the 2 logs created. Let me know if you are getting the same error.
Something to ask you: Do not click on the Reply button to give me your reply. Just write your reply and press Post reply. No need to quote everything I say in your replies.
 
#19 ·
I forgive you, no need to cry for that. :ROFLMAO:

OK, let's try to run FRST in Safe mode.

1. Restart with Safe mode
  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode if the background is black and "Safe mode" is written at the four corners of the screen.

2. Run FRST

Scan with FRST again, and attach the logs for me, please.
 
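FRST.txt logs like the ones DR M asks for here are long, and the entries worth a second look are marked inline: `[X]` on a service or driver whose file is missing, `no ImagePath`, `[File not signed]`, `(No File)` on a dead shortcut, `<not found>`, and `<==== ATTENTION` where FRST itself flags an entry. The script below is an added example, not FRST's own fixlist logic; it walks a log section by section and collects those marked entries so a reader can review them first. SAMPLE_LOG is constructed with made-up entries that mirror the layout of the log posted in this thread. A marker is a prompt to look, not a verdict: in this thread's own log, Process Hacker shows up as `[File not signed]` and is a known tool.

```python
"""Triage an FRST.txt scan log for entries worth a second look (added
example, not FRST's own fixlist logic). The markers are the ones FRST uses
in logs like the one posted in this thread; SAMPLE_LOG is constructed to
mirror that layout with made-up entries."""
import re
from collections import Counter

# Constructed sample in FRST's layout (section banners, an explanatory
# note in parentheses, then one entry per line).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe [123456 2021-08-01] (Example Ltd) [File not signed]
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tool.lnk [2021-05-27]
ShortcutTarget: Tool.lnk -> C:\Program Files\Tool\Tool.exe (No File)
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 GoodSvc; C:\Program Files\Vendor\svc.exe [627480 2021-08-04] (Vendor s.r.o. -> Vendor)
S2 GhostSvc; "C:\Program Files (x86)\Gone\gone.exe" -r [X]

===================== Drivers (Whitelisted) ===================

R1 okdrv; C:\Windows\System32\drivers\okdrv.sys [74616 2020-09-25] (Vendor -> Vendor)
U0 Leftover; system32\drivers\Leftover.sys [X]
U1 emptydrv; no ImagePath
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")

# Marker -> what it means in FRST output, as seen in the log format above.
MARKERS = {
    "[X]": "file referenced by the service/driver entry is missing",
    "no ImagePath": "driver entry without an image path",
    "[File not signed]": "binary has no Authenticode signature",
    "(No File)": "shortcut points at a file that does not exist",
    "<not found>": "referenced extension or file was not found",
    "<==== ATTENTION": "entry FRST itself flagged",
}


def triage_frst(text: str) -> list:
    """Return one finding per (entry, marker), tagged with its FRST section."""
    findings = []
    section = "(preamble)"
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).replace(" (Whitelisted)", "")
            continue
        if not line or line.startswith("(If "):
            continue  # blank line, or FRST's explanatory note under a header
        for marker, meaning in MARKERS.items():
            if marker in line:
                findings.append({"section": section, "marker": marker,
                                 "meaning": meaning, "entry": line})
    return findings


def counts_by_marker(findings: list) -> Counter:
    """How many entries carry each marker, for a quick overview."""
    return Counter(f["marker"] for f in findings)


def entries_in(findings: list, section: str) -> list:
    """Findings from one FRST section, e.g. 'Drivers'."""
    return [f for f in findings if f["section"] == section]


if __name__ == "__main__":
    # For a real scan: triage_frst(open("FRST.txt", encoding="utf-8").read())
    found = triage_frst(SAMPLE_LOG)
    for f in found:
        print(f"[{f['section']}] {f['marker']:18} {f['entry']}")
    print(dict(counts_by_marker(found)))
```

Feed it the real FRST.txt and Addition.txt and start with the Drivers and Services findings: an orphaned `[X]` driver entry is harmless clutter or a leftover from an uninstalled product, while an unsigned, currently running driver with no known vendor is the kind of entry a helper would ask about.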
#20 ·
Ok Mr. Doctor Cat, thanks a lot for forgiving me :LOL::ROFLMAO:!
Actually, right now, where I live, night has already come and it's time for sleeping.
So tomorrow, God willing, I will perform all the tasks and update you. Ok?
Bye!
Good night, all members, staff and administrators of the Tech Guy Forum :love:(y):):D
See you all tomorrow ^_^ !!!
 
#22 ·
Hello DR.M, it's morning here now and I am sending you both logs from FRST64.exe :D

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-08-2021
Ran by Addy (administrator) on ADDY-BABU (17-08-2021 10:34:41)
Running from C:\Users\Addy\Desktop
Loaded Profiles: Addy
Platform: Windows 10 Pro Version 21H1 19043.1165 (X64) Language: English (United States)
Default browser: Edge
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Windows -> Microsoft Corporation) C:\Windows\HelpPane.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\Avast Software\Avast\AvLaunch.exe [123672 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files\PowerISO\PWRISOVM.EXE [457872 2021-03-17] (Power Software Limited -> Power Software Ltd)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation -> Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [706288 2021-04-09] (Oracle America, Inc. -> Oracle Corporation)
HKU\S-1-5-21-4201120289-4146785065-3772099571-1002\...\Run: [Process Hacker] => C:\Program Files\Process Hacker\ProcessHacker.exe [2537984 2021-08-11] (Process Hacker) [File not signed]
HKU\S-1-5-21-4201120289-4146785065-3772099571-1002\...\MountPoints2: D - "D:\setup.exe"
IFEO\taskmgr.exe: [Debugger] "C:\Program Files\Process Hacker\ProcessHacker.exe"
Startup: C:\Users\afird\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2021-05-27]
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe (No File)
Startup: C:\Users\afird\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Telegram.lnk [2021-06-21]
ShortcutTarget: Telegram.lnk -> C:\Users\Addy\AppData\Roaming\Telegram Desktop\Telegram.exe (No File)
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1F16E5FA-BA46-40B1-B275-75CAB6FA375F} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [1790184 2021-08-04] (Avast Software s.r.o. -> Avast Software)
Task: {27A02D38-53A2-4C01-ACEA-CBD780E4623C} - System32\Tasks\Avast Emergency Update => C:\Program Files\Avast Software\Avast\AvEmUpdate.exe [4902680 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
Task: {4CE0BFEA-6D6A-4119-BC63-CCDCCDA66F06} - System32\Tasks\npcapwatchdog => C:\Program Files\Npcap\CheckStatus.bat [880 2020-09-25] () [File not signed]
Task: {6F5D369F-7A5D-4C6F-A64B-EC1680172827} - System32\Tasks\ProcessHackerTaskAdmin => C:\Program Files\Process Hacker\ProcessHacker.exe [2537984 2021-08-11] (Process Hacker) [File not signed]
Task: {B88D964F-69AB-4E98-BA82-18520A3CC4C1} - System32\Tasks\Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901} => C:\Program Files\Common Files\AV\Kaspersky Lab\upgrade_launcher.exe [743488 2021-06-28] (Kaspersky Lab JSC -> AO Kaspersky Lab)
Task: {C213ACC7-0163-4CA7-9E58-A0C20BDFAC8A} - System32\Tasks\Microsoft\VisualStudio\Updates\BackgroundDownload => C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe [65448 2021-06-29] (Microsoft Corporation -> Microsoft)
Task: {F2471797-16E0-4734-BA14-2FB2F09B2F91} - System32\Tasks\Uninstaller_SkipUac_Addy => C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe [6712856 2021-06-15] (IObit CO., LTD -> IObit)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{20bc6725-43ff-4223-b1e9-dfd404e40cbc}: [DhcpNameServer] 192.168.0.1

Edge:
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\Addy\AppData\Local\Microsoft\Edge\User Data\Default [2021-08-17]
Edge Notifications: Default -> hxxps://drive.google.com; hxxps://forums.techguy.org
Edge Extension: (Universal Bypass) - C:\Users\Addy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ckiidekccfgninkobmmofopbbdgdclgg [2021-06-23]
Edge Extension: (ZenMate Free VPN-Best VPN for Chrome) - C:\Users\Addy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme [2021-07-24]
Edge Extension: (Tab Modifier) - C:\Users\Addy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\hcbgadmbdkiilgpifjgcakjehmafcjai [2021-07-23]
Edge Extension: (Looper for YouTube) - C:\Users\Addy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\iggpfpnahkgpnindfkdncknoldgnccdg [2021-07-26]
Edge Extension: (SuperNova SWF Enabler) - C:\Users\Addy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\mhmphnocemakkjdampibehejoaleebpo [2021-07-17]
Edge HKU\S-1-5-21-4201120289-4146785065-3772099571-1002\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [llbjbkhnmlidjebalopleeepgdfgcpec] - C:\Program Files (x86)\Internet Download Manager\IDMEdgeExt.crx <not found>

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=11.291.2 -> C:\Program Files\Java\jre1.8.0_291\bin\dtplugin\npDeployJava1.dll [2021-07-18] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.291.2 -> C:\Program Files\Java\jre1.8.0_291\bin\plugin2\npjp2.dll [2021-07-18] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin HKU\S-1-5-21-4201120289-4146785065-3772099571-1002: @lightspark.github.com/Lightspark;version=1 -> C:\Program Files\Lightspark\nplightsparkplugin.dll [2021-07-03] () [File not signed]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 aswbIDSAgent; C:\Program Files\Avast Software\Avast\aswidsagent.exe [8262736 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S2 avast! Antivirus; C:\Program Files\Avast Software\Avast\AvastSvc.exe [627480 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S2 avast! Firewall; C:\Program Files\Avast Software\Avast\afwServ.exe [1616664 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S2 avast! Tools; C:\Program Files\Avast Software\Avast\aswToolsSvc.exe [374552 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S2 AvastWscReporter; C:\Program Files\Avast Software\Avast\wsc_proxy.exe [56912 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S2 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [158992 2021-06-15] (IObit Information Technology -> IObit)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5394872 2021-08-14] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 VBoxSDS; C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe [746728 2021-07-28] (Oracle Corporation -> Oracle Corporation)
S3 VSStandardCollectorService150; C:\Program Files (x86)\Microsoft Visual Studio\Shared\Common\DiagnosticsHub.Collection.Service\StandardCollector.Service.exe [147392 2019-04-30] (Microsoft Corporation -> Microsoft Corporation)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\NisSrv.exe [2644776 2021-06-16] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\MsMpEng.exe [136656 2021-06-16] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 FvSvc; "C:\Program Files\NVIDIA Corporation\FrameViewSDK\nvfvsdksvc_x64.exe" -service [X]
S2 KSDE5.3; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky VPN 5.3\ksde.exe" -r [X]

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [218976 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdriver.sys [367640 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S0 aswbidsh; C:\Windows\System32\drivers\aswbidsh.sys [250392 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S0 aswbuniv; C:\Windows\System32\drivers\aswbuniv.sys [99352 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S0 aswElam; C:\Windows\System32\drivers\aswElam.sys [17344 2021-08-04] (Microsoft Windows Early Launch Anti-malware Publisher -> AVAST Software)
R1 aswKbd; C:\Windows\System32\drivers\aswKbd.sys [41352 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S1 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [184648 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R1 aswNetHub; C:\Windows\System32\drivers\aswNetHub.sys [559816 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [108408 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [82904 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [851704 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S1 aswSP; C:\Windows\System32\drivers\aswSP.sys [471920 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S2 aswStm; C:\Windows\System32\drivers\aswStm.sys [215392 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [328568 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S3 BthA2dp; C:\Windows\System32\drivers\BthA2dp.sys [279040 2019-12-07] (Microsoft Corporation) [File not signed]
S3 IUFileFilter; C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win10_amd64\IUFileFilter.sys [43896 2020-07-31] (IObit Information Technology -> IObit)
S3 IUProcessFilter; C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win10_amd64\IUProcessFilter.sys [37112 2020-07-31] (IObit Information Technology -> IObit)
S3 IURegistryFilter; C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win10_amd64\IURegistryFilter.sys [51128 2020-07-31] (IObit Information Technology -> IObit)
R3 kltap; C:\Windows\System32\drivers\kltap.sys [55592 2021-02-19] (AnchorFree Inc -> The OpenVPN Project)
R1 npcap; C:\Windows\system32\DRIVERS\npcap.sys [74616 2020-09-25] (Insecure.Com LLC -> Insecure.Com LLC.)
S4 npcap_wifi; C:\Windows\system32\DRIVERS\npcap.sys [74616 2020-09-25] (Insecure.Com LLC -> Insecure.Com LLC.)
R3 VBoxNetAdp; C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys [239664 2021-07-28] (Oracle Corporation -> Oracle Corporation)
R1 VBoxNetLwf; C:\Windows\system32\DRIVERS\VBoxNetLwf.sys [249568 2021-07-28] (Oracle Corporation -> Oracle Corporation)
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [174744 2021-07-28] (Oracle Corporation -> Oracle Corporation)
S3 WdBoot; C:\Windows\system32\drivers\wd\WdBoot.sys [49568 2021-06-16] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\wd\WdFilter.sys [425184 2021-06-16] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [76000 2021-06-16] (Microsoft Windows -> Microsoft Corporation)
U1 aswbdisk; no ImagePath
U0 Partizan; system32\drivers\Partizan.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-08-17 10:34 - 2021-08-17 10:35 - 000012793 _____ C:\Users\Addy\Desktop\FRST.txt
2021-08-17 10:33 - 2021-08-17 10:33 - 000073148 _____ C:\Windows\ntbtlog.txt
2021-08-17 10:33 - 2021-08-17 10:33 - 000000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2021-08-17 10:30 - 2021-08-17 10:30 - 002300416 _____ (Farbar) C:\Users\Addy\Desktop\FRST64.exe
2021-08-16 21:56 - 2021-08-16 21:57 - 000001917 _____ C:\Users\Addy\Desktop\ckfiles.txt
2021-08-16 21:42 - 2021-08-16 21:42 - 000468480 _____ () C:\Users\Addy\Desktop\CKScanner.exe
2021-08-16 21:33 - 2021-08-16 21:33 - 002270936 _____ (Cermak Technologies, Inc.) C:\Users\Addy\Downloads\tsginfo.exe
2021-08-16 21:24 - 2021-08-16 21:24 - 002999173 _____ C:\Users\Addy\Desktop\repfiles.cab
2021-08-16 21:24 - 2021-08-16 21:24 - 000003244 _____ C:\Users\Addy\Desktop\report.txt
2021-08-16 16:47 - 2021-08-17 10:35 - 000000000 ____D C:\FRST
2021-08-15 10:52 - 2021-08-15 10:53 - 000000000 ____D C:\Users\Addy\AppData\Roaming\Zoom
2021-08-15 10:52 - 2021-08-15 10:52 - 000000000 ____D C:\Users\Addy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zoom
2021-08-14 13:29 - 2009-08-13 11:14 - 000472064 _____ ( ) C:\Users\Addy\Desktop\RootRepeal.exe
2021-08-14 13:28 - 2007-08-27 19:47 - 000169655 _____ C:\Users\Addy\Desktop\RkU3.7.300.505.exe
2021-08-14 13:09 - 2021-08-14 13:09 - 002755584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2021-08-14 13:09 - 2021-08-14 13:09 - 002755584 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2021-08-14 13:08 - 2021-08-14 13:08 - 001333760 _____ C:\Windows\SysWOW64\TextInputMethodFormatter.dll
2021-08-14 13:08 - 2021-08-14 13:08 - 000011347 _____ C:\Windows\system32\DrtmAuthTxt.wim
2021-08-14 13:07 - 2021-08-14 13:07 - 001823280 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2021-08-14 13:07 - 2021-08-14 13:07 - 001393480 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2021-08-14 13:06 - 2021-08-14 13:06 - 000288768 _____ C:\Windows\system32\Windows.Management.InprocObjects.dll
2021-08-14 12:35 - 2021-08-14 12:35 - 000000000 ___HD C:\$WinREAgent
2021-08-12 11:35 - 2021-08-12 11:35 - 000380928 _____ C:\Users\Addy\Desktop\7z7w65ry.exe
2021-08-11 13:27 - 2021-08-11 13:27 - 000000000 _____ C:\Windows\Minidump\081121-31562-01.dmp
2021-08-07 19:37 - 2021-08-07 19:37 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox
2021-08-07 19:37 - 2021-08-07 19:37 - 000000000 ____D C:\Program Files\Oracle
2021-08-07 19:37 - 2021-07-28 13:11 - 001038112 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxDrv.sys
2021-08-07 19:37 - 2021-07-28 13:11 - 000187680 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxUSBMon.sys
2021-08-06 14:59 - 2021-08-06 14:59 - 000000000 ____D C:\Windows\system32\gf2engine
2021-08-04 19:46 - 2021-08-16 21:22 - 000003182 _____ C:\Windows\system32\Tasks\ProcessHackerTaskAdmin
2021-08-04 18:58 - 2021-08-04 18:58 - 000000000 ___HD C:\$AV_ASW
2021-08-04 18:57 - 2021-08-04 18:58 - 000000000 ____D C:\Users\Addy\Desktop\FireDM
2021-08-04 18:57 - 2021-08-04 18:57 - 000000000 ____D C:\Users\Addy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2021-08-04 18:03 - 2021-08-04 18:03 - 000000000 ____D C:\Users\Addy\AppData\Local\Avast Software
2021-08-04 18:01 - 2021-08-08 16:19 - 000000000 ____D C:\Users\Addy\AppData\Roaming\Avast Software
2021-08-04 18:01 - 2021-08-04 18:01 - 000002164 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Premium Security.lnk
2021-08-04 18:01 - 2021-08-04 18:01 - 000002152 _____ C:\Users\Public\Desktop\Avast Premium Security.lnk
2021-08-04 17:58 - 2021-08-16 16:38 - 000000000 ____D C:\Windows\system32\Tasks\Avast Software
2021-08-04 17:57 - 2021-08-17 10:28 - 000004264 _____ C:\Windows\system32\Tasks\Avast Emergency Update
2021-08-04 17:57 - 2021-08-08 16:37 - 000000000 ____D C:\Program Files\Common Files\Avast Software
2021-08-04 17:57 - 2021-08-04 17:57 - 000851704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000559816 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetHub.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000471920 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000367640 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdriver.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000339736 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2021-08-04 17:57 - 2021-08-04 17:57 - 000328568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000250392 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsh.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000218976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000215392 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000184648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000108408 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000099352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniv.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000082904 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000041352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2021-08-04 17:57 - 2021-08-04 17:57 - 000017344 _____ (AVAST Software) C:\Windows\system32\Drivers\aswElam.sys
2021-08-04 17:56 - 2021-08-17 10:32 - 000000000 ____D C:\ProgramData\Avast Software
2021-08-04 17:56 - 2021-08-08 16:21 - 000000000 ____D C:\Program Files\Avast Software
2021-07-28 13:11 - 2021-07-28 13:11 - 000249568 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxNetLwf.sys
2021-07-28 13:11 - 2021-07-28 13:11 - 000239664 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxNetAdp6.sys
2021-07-28 13:11 - 2021-07-28 13:11 - 000174744 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxUSB.sys
2021-07-23 22:18 - 2021-07-23 22:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightspark
2021-07-23 22:18 - 2021-07-23 22:18 - 000000000 ____D C:\Program Files\Lightspark
2021-07-20 10:49 - 2021-07-20 11:05 - 000000000 ____D C:\ProgramData\sfantibot
2021-07-20 10:48 - 2021-07-20 10:49 - 000000000 ____D C:\Program Files\SfabAntiBot1.1.0.105-en
2021-07-20 09:40 - 2021-07-20 10:14 - 000000000 ____D C:\Users\Addy\Downloads\Telegram Desktop
2021-07-19 11:07 - 2021-07-19 11:36 - 000000000 ____D C:\Users\Addy\AppData\LocalLow\Mozilla
2021-07-19 11:07 - 2021-07-19 11:07 - 000000000 ____D C:\Users\Addy\Desktop\Tor Browser
2021-07-18 13:51 - 2021-07-18 13:51 - 000000000 ____D C:\Users\Addy\AppData\Roaming\Sun

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-08-17 10:33 - 2021-05-25 17:24 - 000008192 ___SH C:\DumpStack.log.tmp
2021-08-17 10:33 - 2019-12-07 14:33 - 000524288 _____ C:\Windows\system32\config\BBI
2021-08-17 10:32 - 2021-05-25 17:24 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2021-08-17 10:27 - 2021-06-24 16:25 - 000000000 __SHD C:\Users\Addy\IntelGraphicsProfiles
2021-08-16 22:44 - 2021-05-25 17:35 - 000840878 _____ C:\Windows\system32\PerfStringBackup.INI
2021-08-16 22:44 - 2019-12-07 14:43 - 000000000 ____D C:\Windows\INF
2021-08-16 22:40 - 2019-12-07 14:44 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2021-08-16 22:20 - 2021-05-25 17:24 - 000000000 ____D C:\Windows\system32\SleepStudy
2021-08-16 21:59 - 2021-07-02 22:38 - 000002162 _____ C:\Windows\system32\Tasks\npcapwatchdog
2021-08-16 21:59 - 2021-06-28 13:17 - 000002638 _____ C:\Windows\system32\Tasks\Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901}
2021-08-16 21:59 - 2021-06-22 19:40 - 000002398 _____ C:\Windows\system32\Tasks\Uninstaller_SkipUac_Addy
2021-08-16 21:59 - 2021-05-25 17:25 - 000003408 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2021-08-16 21:59 - 2021-05-25 17:25 - 000003184 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2021-08-16 16:48 - 2021-06-29 10:36 - 000000000 ____D C:\Users\Addy\AppData\Local\CrashDumps
2021-08-16 16:44 - 2021-06-28 13:06 - 000000000 ____D C:\Windows\Minidump
2021-08-16 16:44 - 2021-06-22 19:00 - 000000000 ____D C:\Users\Addy\AppData\Local\D3DSCache
2021-08-16 16:42 - 2021-05-31 18:47 - 000000000 ____D C:\Program Files (x86)\IObit
2021-08-16 16:40 - 2021-06-22 19:00 - 000000000 ____D C:\Users\Addy\AppData\Roaming\IObit
2021-08-15 19:36 - 2021-06-22 19:27 - 000000000 ____D C:\Users\Addy\.VirtualBox
2021-08-15 19:13 - 2021-06-19 14:50 - 000000000 ____D C:\ProgramData\VirtualBox
2021-08-15 19:12 - 2021-05-31 18:47 - 000000000 ____D C:\ProgramData\ProductData
2021-08-15 11:00 - 2019-12-07 14:44 - 000000000 ___HD C:\Program Files\WindowsApps
2021-08-15 11:00 - 2019-12-07 14:44 - 000000000 ____D C:\Windows\AppReadiness
2021-08-15 10:59 - 2021-05-25 17:26 - 000002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2021-08-15 00:01 - 2021-06-22 18:59 - 000000000 ____D C:\Users\Addy
2021-08-14 19:53 - 2021-05-25 17:24 - 000451120 _____ C:\Windows\system32\FNTCACHE.DAT
2021-08-14 19:50 - 2019-12-07 14:44 - 000000000 ____D C:\Windows\SysWOW64\Dism
2021-08-14 19:49 - 2019-12-07 14:44 - 000000000 ___SD C:\Windows\system32\UNP
2021-08-14 19:49 - 2019-12-07 14:44 - 000000000 ____D C:\Windows\SystemResources
2021-08-14 19:49 - 2019-12-07 14:44 - 000000000 ____D C:\Windows\system32\oobe
2021-08-14 19:49 - 2019-12-07 14:44 - 000000000 ____D C:\Windows\system32\Dism
2021-08-14 19:48 - 2019-12-07 15:24 - 000000000 ____D C:\Program Files\Windows Defender Advanced Threat Protection
2021-08-14 19:48 - 2019-12-07 14:44 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2021-08-14 19:48 - 2019-12-07 14:44 - 000000000 ____D C:\Windows\ShellComponents
2021-08-14 19:48 - 2019-12-07 14:44 - 000000000 ____D C:\Windows\PolicyDefinitions
2021-08-14 19:48 - 2019-12-07 14:44 - 000000000 ____D C:\Windows\bcastdvr
2021-08-14 19:48 - 2019-12-07 14:33 - 000000000 ____D C:\Windows\servicing
2021-08-14 13:20 - 2019-12-07 14:33 - 000000000 ____D C:\Windows\CbsTemp
2021-08-14 12:40 - 2021-05-25 18:17 - 000000000 ____D C:\Users\Addy\Downloads\Compressed
2021-08-11 21:43 - 2021-05-26 17:59 - 000000000 ____D C:\Program Files\Process Hacker
2021-08-10 14:20 - 2021-06-22 18:59 - 000002276 _____ C:\Users\Addy\Desktop\Microsoft Edge.lnk
2021-08-08 16:37 - 2021-05-25 18:17 - 000000000 ____D C:\Program Files (x86)\Internet Download Manager
2021-08-08 16:36 - 2021-06-22 18:38 - 000000000 ____D C:\Users\Administrator
2021-08-08 16:25 - 2021-07-07 08:53 - 000000000 ____D C:\Users\Addy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord Inc
2021-08-08 16:25 - 2021-07-07 08:53 - 000000000 ____D C:\Users\Addy\AppData\Roaming\discord
2021-08-08 16:24 - 2021-06-19 11:11 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NoVirusThanks
2021-08-08 16:22 - 2021-07-17 21:47 - 000000000 ____D C:\Users\Addy\AppData\Local\TacticsTechnology
2021-08-08 16:22 - 2021-07-16 15:35 - 000000000 ____D C:\Users\Addy\AppData\Roaming\.tlauncher
2021-08-08 16:00 - 2021-06-27 10:42 - 000000000 ____D C:\Users\Addy\PC
2021-08-04 19:00 - 2021-05-26 18:25 - 000000000 ____D C:\Program Files\WinRAR
2021-08-04 18:57 - 2021-05-26 18:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2021-08-04 17:57 - 2019-12-07 14:44 - 000000000 ___HD C:\Windows\ELAMBKUP
2021-08-04 17:51 - 2021-06-28 13:15 - 000000000 ____D C:\ProgramData\Kaspersky Lab
2021-08-04 17:51 - 2021-06-22 15:09 - 000000000 ____D C:\Users\TEMP.DESKTOP-JN6QGAA
2021-08-04 17:51 - 2021-06-22 15:04 - 000000000 ____D C:\Users\TEMP
2021-08-04 17:51 - 2019-12-07 14:33 - 000032768 _____ C:\Windows\system32\config\ELAM
2021-08-04 17:50 - 2021-06-28 13:17 - 000000000 ____D C:\Program Files\Common Files\AV
2021-07-26 21:47 - 2021-05-25 18:17 - 000000000 ____D C:\Users\Addy\Downloads\Video
2021-07-23 17:13 - 2021-07-02 10:41 - 000000000 ____D C:\Users\Addy\AppData\Roaming\surviv-cheat
2021-07-23 15:58 - 2019-12-07 14:44 - 000000000 ____D C:\Windows\system32\WinBioPlugIns
2021-07-23 15:58 - 2019-12-07 14:44 - 000000000 ____D C:\Program Files\Common Files\System
2021-07-18 14:00 - 2021-07-16 15:36 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2021-07-18 14:00 - 2021-05-26 19:47 - 000000000 ____D C:\Program Files\Java
2021-07-18 13:50 - 2021-05-26 19:47 - 000191776 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2021-07-18 13:50 - 2021-05-26 19:47 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit

==================== Files in the root of some directories ========

2021-07-02 22:38 - 2021-07-02 22:38 - 000000000 _____ () C:\Users\Addy\AppData\Local\zenmap.exe.log

==================== FCheck ================================

(If an entry is included in the fixlist, the file/folder will be moved.)

FCheck: C:\Windows\SysWOW64\version_IObitDel.dll [2021-05-31] <==== ATTENTION (zero byte File/Folder)

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================
 
#24 ·
And here is the log of Addition.txt. I couldn't provide the logs because the website was not allowing me to post any more; it was saying "You have reached the maximum number of new posts allowed to be created in a 24 hour period." (I've also attached a photo of the error the site was giving me, ok?) ...-____-... :'( (Please make sure to disable this option on my account while the malware issue is in progress, to avoid delaying the progress further.)

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-08-2021
Ran by Addy (17-08-2021 10:36:48)
Running from C:\Users\Addy\Desktop
Windows 10 Pro Version 21H1 19043.1165 (X64) (2021-05-25 12:01:16)
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Accounts: =============================

(If an entry is included in the fixlist, it will be removed.)

Addy (S-1-5-21-4201120289-4146785065-3772099571-1002 - Administrator - Enabled) => C:\Users\Addy
Administrator (S-1-5-21-4201120289-4146785065-3772099571-500 - Administrator - Enabled) => C:\Users\Administrator
afird (S-1-5-21-4201120289-4146785065-3772099571-1001 - Limited - Enabled)
DefaultAccount (S-1-5-21-4201120289-4146785065-3772099571-503 - Limited - Disabled)
Guest (S-1-5-21-4201120289-4146785065-3772099571-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-4201120289-4146785065-3772099571-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Kaspersky Total Security (Disabled - Up to date) {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
AV: Avast Antivirus (Enabled - Up to date) {EB19B86E-3998-C706-90EF-92B41EB091AF}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
FW: Kaspersky Total Security (Disabled) {774D7037-0984-41B0-3A87-5E88E680AD58}
FW: Avast Antivirus (Enabled) {D322394B-73F7-C65E-BBB0-3B81E063D6D4}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Active Directory Authentication Library for SQL Server (HKLM\...\{6BF11ECE-3CE8-4FBA-991A-1F55AA6BE5BF}) (Version: 15.0.1300.359 - Microsoft Corporation) Hidden
Apowersoft Photo Viewer V1.1.9 (HKLM-x32\...\{AA88C325-55DB-463A-801E-ED6929D0260E}_is1) (Version: 1.1.9 - APOWERSOFT LIMITED)
Avast Premium Security (HKLM\...\Avast Antivirus) (Version: 21.6.2474 - Avast Software)
BlueJ (HKLM\...\{39F0200A-540D-43C5-A845-6D51BA794175}) (Version: 5.0.1 - BlueJ Team)
ClickOnce Bootstrapper Package for Microsoft .NET Framework (HKLM-x32\...\{0243F145-076D-423A-8F77-218DC8840261}) (Version: 4.8.04119 - Microsoft Corporation) Hidden
DiagnosticsHub_CollectionService (HKLM\...\{1F3C3AAC-9F7A-47DA-A082-0ACE770041BE}) (Version: 16.1.28901 - Microsoft Corporation) Hidden
Entity Framework 6.2.0 Tools for Visual Studio 2019 (HKLM-x32\...\{F878746A-C5F7-420A-A672-4DFEF74ADC3A}) (Version: 6.2.0.0 - Microsoft Corporation) Hidden
icecap_collection_neutral (HKLM-x32\...\{1036893D-9917-4E70-B96C-8D72A2B224BC}) (Version: 16.10.31306 - Microsoft Corporation) Hidden
icecap_collection_x64 (HKLM\...\{289873DF-80D0-4D7D-8068-D25D342A26FA}) (Version: 16.10.31306 - Microsoft Corporation) Hidden
icecap_collectionresources (HKLM-x32\...\{D2B4539C-173B-4B8D-A021-E22E9566BC24}) (Version: 16.10.31306 - Microsoft Corporation) Hidden
icecap_collectionresourcesx64 (HKLM-x32\...\{38CE202D-7880-4101-9739-83619300EC58}) (Version: 16.10.31306 - Microsoft Corporation) Hidden
IIS 10.0 Express (HKLM\...\{0307C98E-AE82-4A4F-A950-A72FBD805338}) (Version: 10.0.04403 - Microsoft Corporation)
IIS Express Application Compatibility Database for x64 (HKLM\...\{08274920-8908-45c2-9258-8ad67ff77b09}.sdb) (Version: - ) Hidden
IIS Express Application Compatibility Database for x86 (HKLM\...\{ad846bae-d44b-4722-abad-f7420e08bcd9}.sdb) (Version: - ) Hidden
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4358 - Intel Corporation)
IntelliTraceProfilerProxy (HKLM-x32\...\{7D94CF67-6666-4111-B027-D7AB7F189F70}) (Version: 15.0.18198.01 - Microsoft Corporation) Hidden
IObit Uninstaller 10 (HKLM-x32\...\IObitUninstall) (Version: 10.6.0.4 - IObit)
Java 8 Update 291 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180291F0}) (Version: 8.0.2910.10 - Oracle Corporation)
Java(TM) SE Development Kit 16.0.1 (64-bit) (HKLM\...\{75CDB88B-F917-5456-AB2D-5504DE7F43DE}) (Version: 16.0.1.0 - Oracle Corporation)
Lightspark (HKLM\...\Lightspark) (Version: 0.8.5-git - The Lightspark Developers)
Microsoft .NET Core SDK 3.1.411 (x64) (HKLM-x32\...\{d9facd1b-6861-4705-bf9d-fbb720c1b228}) (Version: 3.1.411.15760 - Microsoft Corporation)
Microsoft .NET SDK 5.0.301 (x64) from Visual Studio (HKLM\...\{869D316B-33AD-4466-974C-95820FF40F99}) (Version: 5.3.121.27113 - Microsoft Corporation)
Microsoft .NET SDK 5.0.302 (x64) (HKLM-x32\...\{5cb2152c-6073-4a34-99a0-cbf98ab1c0c6}) (Version: 5.3.221.31823 - Microsoft Corporation)
Microsoft ASP.NET Core 3.1.17 - Shared Framework (x86) (HKLM-x32\...\{7c2ec55d-b700-4b00-b0db-1211acdcfd72}) (Version: 3.1.17.21318 - Microsoft Corporation)
Microsoft ASP.NET Core 5.0.8 - Shared Framework (x86) (HKLM-x32\...\{b8d8202a-e260-4dfd-adfc-0070c0d47f54}) (Version: 5.0.8.21318 - Microsoft Corporation)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 92.0.902.73 - Microsoft Corporation)
Microsoft ODBC Driver 17 for SQL Server (HKLM\...\{8D98AC2C-FC5C-440D-A2D3-6C9655F957D8}) (Version: 17.2.0.1 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-4201120289-4146785065-3772099571-500\...\OneDriveSetup.exe) (Version: 21.099.0516.0003 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50918.0 - Microsoft Corporation)
Microsoft SQL Server 2016 LocalDB (HKLM\...\{9097BF1A-13A0-4A4A-A1F8-473E2A669863}) (Version: 13.1.4001.0 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2019 CTP2.2 (HKLM\...\{8D7CE3B0-5379-46FE-9F4B-A65D9F4CC1F1}) (Version: 15.0.1200.24 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2019 CTP2.2 (HKLM-x32\...\{725CC962-98BD-42C7-87D8-51C680FB1779}) (Version: 15.0.1200.24 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{E5A95BC5-81DF-4F0C-B910-B59DD012F037}) (Version: 2.81.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.29.30038 (HKLM-x32\...\{7f336035-fa39-4d06-bd17-fbf472a381e8}) (Version: 14.29.30038.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.29.30038 (HKLM-x32\...\{9120a466-433b-4dd9-a5e0-3092abd2cc1d}) (Version: 14.29.30038.0 - Microsoft Corporation)
Microsoft Visual Studio Installer (HKLM\...\{6F320B93-EE3C-4826-85E0-ADF79F8D4C61}) (Version: 2.10.2174.31177 - Microsoft Corporation)
Microsoft Windows Desktop Runtime - 3.1.17 (x86) (HKLM-x32\...\{1d2d2e19-bb77-464c-8c75-d33f0ba38aaa}) (Version: 3.1.17.30215 - Microsoft Corporation)
Microsoft Windows Desktop Runtime - 5.0.8 (x86) (HKLM-x32\...\{3ef73a2e-063c-4143-96d3-decce7fece14}) (Version: 5.0.8.30215 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Npcap (HKLM-x32\...\NpcapInst) (Version: 1.00 - Nmap Project)
OpenAL (HKLM-x32\...\OpenAL) (Version: - )
Oracle VM VirtualBox 6.1.26 (HKLM\...\{71822DCA-AF02-40D5-9BB8-2C1F75356115}) (Version: 6.1.26 - Oracle Corporation)
PowerISO (HKLM-x32\...\PowerISO) (Version: 7.9 - Power Software Ltd)
Process Hacker (HKLM\...\ProcessHacker) (Version: 3.x - Process Hacker)
Python 3.10.0b1 Add to Path (64-bit) (HKLM\...\{5F5DAC57-6C9D-49A7-8E74-508EEF613437}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Core Interpreter (64-bit debug) (HKLM\...\{CF17AEE9-2A25-4E36-A7B5-08620E5B92CA}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Core Interpreter (64-bit symbols) (HKLM\...\{1E7EA21E-D242-4881-A7C4-91E3609C718F}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Core Interpreter (64-bit) (HKLM\...\{D50DD6DF-3E49-4AD0-88A7-4123BB73FA54}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Development Libraries (64-bit debug) (HKLM\...\{87DDEE4C-F2D3-4343-879F-4A1D8762DCD1}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Development Libraries (64-bit) (HKLM\...\{BA6BFE92-6389-4EBE-9EBD-B3CE21CA46BC}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Documentation (64-bit) (HKLM\...\{F45C9C1E-DA34-473F-BD67-FCCF73ABB520}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Executables (64-bit debug) (HKLM\...\{C50584A0-8649-4E38-8A58-6B034573F8BA}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Executables (64-bit symbols) (HKLM\...\{FF8CEF7F-5B00-47B9-BDDD-598530B40336}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Executables (64-bit) (HKLM\...\{EA3350C1-7191-445B-8F20-44C986BBCC8B}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 pip Bootstrap (64-bit) (HKLM\...\{0281D1B5-7513-4294-ACD4-F1B2C06690A7}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Standard Library (64-bit debug) (HKLM\...\{B33D32BD-FB30-4C3E-BE73-CB5BEAA164D6}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Standard Library (64-bit symbols) (HKLM\...\{6D545F9B-BE92-46E4-B651-F81A46153B3F}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Standard Library (64-bit) (HKLM\...\{CFDEAD91-8644-4FA7-AEEB-EABBB98377BD}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Tcl/Tk Support (64-bit debug) (HKLM\...\{B0354E28-55C2-4369-8B5C-A5E26F023E63}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Tcl/Tk Support (64-bit symbols) (HKLM\...\{56F92971-282A-4393-8F71-278BA0011034}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Tcl/Tk Support (64-bit) (HKLM\...\{52C910D9-9D20-4678-B5CE-A1FDBA31EA5C}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Test Suite (64-bit debug) (HKLM\...\{8D91D388-D45E-4AE2-9EE3-803C3AA3B1D1}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Test Suite (64-bit symbols) (HKLM\...\{2DF69361-F005-41C2-A9B0-748E2233E07A}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Test Suite (64-bit) (HKLM\...\{893852B6-0A3D-4654-A0EC-F2243B2A8F7F}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python 3.10.0b1 Utility Scripts (64-bit) (HKLM\...\{1F0AB9AC-5F28-4642-AEF0-90EA2E86189C}) (Version: 3.10.111.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{D6389075-B367-4A12-9371-699F14CBC7AF}) (Version: 3.10.7427.0 - Python Software Foundation)
TypeScript SDK (HKLM-x32\...\{C34D7309-4E94-4B6A-ABE8-C1EE566E9C1F}) (Version: 4.2.4.0 - Microsoft Corporation) Hidden
Update for (KB2504637) (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}.KB2504637) (Version: 1 - Microsoft Corporation)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
vcpp_crt.redist.clickonce (HKLM-x32\...\{9BE18F4E-9100-4B29-9F08-61F21A2045DD}) (Version: 14.29.30038 - Microsoft Corporation) Hidden
Visual Studio Community 2019 (HKLM-x32\...\5dde10f0) (Version: 16.10.31410.357 - Microsoft Corporation)
VS Immersive Activate Helper (HKLM-x32\...\{A71406B5-E487-4B01-8E59-D466841350F5}) (Version: 16.0.102.0 - Microsoft Corporation) Hidden
VS JIT Debugger (HKLM\...\{C7E8A4F2-EF09-42A8-B892-69D5ED99D965}) (Version: 16.0.102.0 - Microsoft Corporation) Hidden
VS Script Debugging Common (HKLM\...\{A4272808-82F5-410F-A5F9-1BF6F63F6B9A}) (Version: 16.0.102.0 - Microsoft Corporation) Hidden
VS WCF Debugging (HKLM\...\{E90279BA-36B4-4477-A1B7-C81B571172F2}) (Version: 16.0.102.0 - Microsoft Corporation) Hidden
vs_BlendMsi (HKLM-x32\...\{B5E3A3E1-1529-4D5A-9E95-34971FA07825}) (Version: 16.0.28329 - Microsoft Corporation) Hidden
vs_clickoncebootstrappermsi (HKLM-x32\...\{6F7948F9-8EED-4FA5-A1D9-7DD512A2CA26}) (Version: 16.10.31206 - Microsoft Corporation) Hidden
vs_clickoncebootstrappermsires (HKLM-x32\...\{271F1F42-B547-4498-825F-590DBB1774F7}) (Version: 16.0.28329 - Microsoft Corporation) Hidden
vs_clickoncesigntoolmsi (HKLM-x32\...\{30D97A69-3C0F-4552-9A72-60E591B210C7}) (Version: 16.0.28329 - Microsoft Corporation) Hidden
vs_communitymsi (HKLM-x32\...\{F2362422-8A5F-473B-B793-E9592B1EA9FA}) (Version: 16.10.31306 - Microsoft Corporation) Hidden
vs_communitymsires (HKLM-x32\...\{3751D1CF-9A44-43D2-B4BB-80FA6E7925A8}) (Version: 16.10.31213 - Microsoft Corporation) Hidden
vs_devenvmsi (HKLM-x32\...\{AD0C92A4-1514-4BC1-A723-A272A8343924}) (Version: 16.0.28329 - Microsoft Corporation) Hidden
vs_filehandler_amd64 (HKLM-x32\...\{8B6AE4FB-1E51-4BB4-B52C-CAC8A0340310}) (Version: 16.10.31206 - Microsoft Corporation) Hidden
vs_filehandler_x86 (HKLM-x32\...\{B0AA3BF6-3C13-4C9A-A043-4CEFBBE0A2D3}) (Version: 16.10.31206 - Microsoft Corporation) Hidden
vs_FileTracker_Singleton (HKLM-x32\...\{05CA3463-0B45-425D-9AF2-E1964AB85CBB}) (Version: 16.10.31303 - Microsoft Corporation) Hidden
vs_minshellinteropmsi (HKLM-x32\...\{883D29E5-9A41-4C45-A192-C10B8078BF0C}) (Version: 16.10.31306 - Microsoft Corporation) Hidden
vs_minshellmsi (HKLM-x32\...\{E6B8D127-6C17-4E21-BA5C-B1D0C322BBA2}) (Version: 16.10.31320 - Microsoft Corporation) Hidden
vs_minshellmsires (HKLM-x32\...\{0916C6E1-6A0A-4887-9E00-D96FD44AFACE}) (Version: 16.10.31303 - Microsoft Corporation) Hidden
vs_SQLClickOnceBootstrappermsi (HKLM-x32\...\{9A9E968E-1C75-4B85-BCBF-D1E26D6F7A6B}) (Version: 16.10.31205 - Microsoft Corporation) Hidden
vs_tipsmsi (HKLM-x32\...\{E208E682-50EE-4F2F-9860-C91B906B8A03}) (Version: 16.0.28329 - Microsoft Corporation) Hidden
vs_vswebprotocolselectormsi (HKLM-x32\...\{634F7BE2-E181-4544-946F-B8BA774B9059}) (Version: 16.10.31206 - Microsoft Corporation) Hidden
WinRAR 6.02 (64-bit) (HKLM\...\WinRAR archiver) (Version: 6.02.0 - win.rar GmbH)
Zoom (HKU\S-1-5-21-4201120289-4146785065-3772099571-1002\...\ZoomUMX) (Version: 5.7.5 (939) - Zoom Video Communications, Inc.)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\localserver32 -> "C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\Microsoft.Nucleus.exe" => No File
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel(R) pGFX -> Intel Corporation)
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\localserver32 -> "C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\Microsoft.Nucleus.exe" => No File
ShellExecuteHooks-x32: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2217832 2009-02-26] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ShellIconOverlayIdentifiers-x32: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ContextMenuHandlers1: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} => C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll [2020-07-31] (IObit Information Technology -> IObit)
ContextMenuHandlers1: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => C:\Program Files\PowerISO\PWRISOSH.DLL [2021-03-17] (Power Software Limited -> Power Software Ltd)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ContextMenuHandlers4: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} => C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll [2020-07-31] (IObit Information Technology -> IObit)
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => C:\Program Files\PowerISO\PWRISOSH.DLL [2021-03-17] (Power Software Limited -> Power Software Ltd)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2016-05-03] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ContextMenuHandlers6: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} => C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll [2020-07-31] (IObit Information Technology -> IObit)
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => C:\Program Files\PowerISO\PWRISOSH.DLL [2021-03-17] (Power Software Limited -> Power Software Ltd)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal)

==================== Codecs (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Drivers32: [vidc.i420] => c:\windows\system32\lvcod64.dll [175392 2021-05-31] (Logitech, Inc. -> Logitech Inc.)
HKLM\...\Drivers32: [vidc.i420] => C:\Windows\SysWOW64\lvcodec2.dll [305000 2021-05-31] (Logitech, Inc. -> Logitech Inc.)

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aswSP.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\aswSP.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2020-01-31] (IObit Information Technology -> IObit)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_291\bin\ssv.dll [2021-07-18] (Oracle America, Inc. -> Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_291\bin\jp2ssv.dll [2021-07-18] (Oracle America, Inc. -> Oracle Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation -> Microsoft Corporation)

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 14:44 - 2021-07-03 09:46 - 000000822 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> C:\ProgramData\Oracle\Java\javapath;c:\program files\common files\oracle\java\javapath;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;c:\program files\python310\scripts\;c:\program files\python310\;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\windows\system32\openssh\;c:\program files\nvidia corporation\nvidia nvdlisr;C:\Program Files\dotnet\;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\;C:\Program Files (x86)\dotnet\
HKU\S-1-5-21-4201120289-4146785065-3772099571-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\Addy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
HKU\S-1-5-21-4201120289-4146785065-3772099571-500\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

Network Binding:
=============
Ethernet: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled)
Ethernet: Npcap Packet Driver (NPCAP) (Wi-Fi) -> INSECURE_NPCAP_WIFI (enabled)
Ethernet: VirtualBox NDIS6 Bridged Networking Driver -> oracle_VBoxNetLwf (enabled)
VirtualBox Host-Only Network: VirtualBox NDIS6 Bridged Networking Driver -> oracle_VBoxNetLwf (enabled)
VirtualBox Host-Only Network: Npcap Packet Driver (NPCAP) (Wi-Fi) -> INSECURE_NPCAP_WIFI (enabled)
VirtualBox Host-Only Network: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled)
Ethernet 2: VirtualBox NDIS6 Bridged Networking Driver -> oracle_VBoxNetLwf (enabled)
Ethernet 2: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled)
Ethernet 2: Npcap Packet Driver (NPCAP) (Wi-Fi) -> INSECURE_NPCAP_WIFI (enabled)

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKLM\...\StartupApproved\Run32: => "GrooveMonitor"
HKLM\...\StartupApproved\Run32: => "PWRISOVM.EXE"
HKU\S-1-5-21-4201120289-4146785065-3772099571-1002\...\StartupApproved\Run: => "IDMan"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{5EACE3A2-5415-4261-9216-AF6F9DFC17E6}] => (Allow) C:\Users\afird\AppData\Roaming\Zoom\bin\Zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [{1D8671BE-4CD8-43E5-9DB1-AED9AA803288}] => (Allow) C:\Users\afird\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{EBF5E04C-5E58-4932-B464-CEAAA84E4168}] => (Allow) C:\Users\afird\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{1EE41DE8-6041-4EC0-A0B1-300416A17F2B}] => (Allow) C:\Program Files (x86)\Apowersoft\Apowersoft Photo Viewer\Apowersoft Photo Viewer.exe (Apowersoft Ltd -> Apowersoft)
FirewallRules: [{6873E2C3-704D-4A1C-9A1A-DCA55DC180DC}] => (Allow) C:\Program Files (x86)\Apowersoft\Apowersoft Photo Viewer\Apowersoft Photo Viewer.exe (Apowersoft Ltd -> Apowersoft)
FirewallRules: [TCP Query User{11246563-FF25-4655-A187-CAAA1DFCFD1A}C:\users\addy\appdata\roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\users\addy\appdata\roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe
FirewallRules: [UDP Query User{CC7F3693-D61F-45E4-AF08-42A0FB493777}C:\users\addy\appdata\roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\users\addy\appdata\roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe
FirewallRules: [TCP Query User{34B91CCB-3869-461E-AACF-1F79F3F881E7}C:\users\addy\appdata\roaming\.minecraft\runtime\java-runtime-alpha\windows\java-runtime-alpha\bin\javaw.exe] => (Allow) C:\users\addy\appdata\roaming\.minecraft\runtime\java-runtime-alpha\windows\java-runtime-alpha\bin\javaw.exe => No File
FirewallRules: [UDP Query User{3FC346A6-9045-47F0-9C9C-681639DBB21B}C:\users\addy\appdata\roaming\.minecraft\runtime\java-runtime-alpha\windows\java-runtime-alpha\bin\javaw.exe] => (Allow) C:\users\addy\appdata\roaming\.minecraft\runtime\java-runtime-alpha\windows\java-runtime-alpha\bin\javaw.exe => No File
FirewallRules: [{AD793C42-C034-4836-95A4-D103AEA7FDDD}] => (Allow) C:\Users\Addy\AppData\Roaming\Zoom\bin\Zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [{5144181A-8891-4338-B450-CA9E594663FB}] => (Allow) C:\Users\Addy\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{5374BA7A-3FDA-4E89-AEA2-AE61B2F9BDBD}] => (Allow) C:\Users\Addy\AppData\Roaming\Zoom\bin\airhost.exe => No File

==================== Restore Points =========================

==================== Faulty Device Manager Devices ============

Name: Microsoft Hyper-V Virtualization Infrastructure Driver
Description: Microsoft Hyper-V Virtualization Infrastructure Driver
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: Vid
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: HD Webcam C510
Description: HD Webcam C510
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Logitech
Service: usbaudio
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

==================== Event log errors: ========================

Application errors:
==================
Error: (08/16/2021 04:48:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 10.0.19041.1151, time stamp: 0x2885d2b8
Faulting module name: tiptsf.dll, version: 10.0.19041.746, time stamp: 0xe3a65137
Exception code: 0xc0000005
Fault offset: 0x000000000000b0a6
Faulting process id: 0x220c
Faulting application start time: 0x01d7928e56bbb1fa
Faulting application path: C:\Windows\Explorer.EXE
Faulting module path: C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
Report Id: 0404aaea-c9cc-472a-9c41-551ec2e81a1b
Faulting package full name:
Faulting package-relative application ID:

Error: (08/15/2021 08:17:34 PM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimizer couldn't complete retrim on \\?\Volume{1b738edc-0000-0000-0000-100000000000}\ because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)

Error: (08/15/2021 08:12:44 PM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimizer couldn't complete retrim on \\?\Volume{1b738edc-0000-0000-0000-100000000000}\ because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)

Error: (08/14/2021 11:54:41 PM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimizer couldn't complete retrim on \\?\Volume{1b738edc-0000-0000-0000-100000000000}\ because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)

Error: (08/14/2021 11:14:08 PM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimizer couldn't complete retrim on \\?\Volume{1b738edc-0000-0000-0000-100000000000}\ because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)

Error: (08/14/2021 08:37:24 PM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimizer couldn't complete retrim on \\?\Volume{1b738edc-0000-0000-0000-100000000000}\ because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)

Error: (08/14/2021 07:41:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 10.0.19041.1110, time stamp: 0xe86d289e
Faulting module name: ucrtbase.dll, version: 10.0.19041.789, time stamp: 0x2bd748bf
Exception code: 0xc0000409
Fault offset: 0x000000000007286e
Faulting process id: 0x75c
Faulting application start time: 0x01d79116562b914c
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\System32\ucrtbase.dll
Report Id: b9109660-7457-45b5-96f1-de9db28916de
Faulting package full name:
Faulting package-relative application ID:

Error: (08/14/2021 07:41:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 10.0.19041.1110, time stamp: 0xe86d289e
Faulting module name: ucrtbase.dll, version: 10.0.19041.789, time stamp: 0x2bd748bf
Exception code: 0xc0000409
Fault offset: 0x000000000007286e
Faulting process id: 0x1264
Faulting application start time: 0x01d7911654dcaa5d
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\System32\ucrtbase.dll
Report Id: 17f85963-0daf-40fa-9e46-b51bdb749eca
Faulting package full name:
Faulting package-relative application ID:

System errors:
=============
Error: (08/17/2021 10:38:12 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/17/2021 10:36:48 AM) (Source: DCOM) (EventID: 10005) (User: ADDY-BABU)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/17/2021 10:36:37 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{9E175B68-F52A-11D8-B9A5-505054503030}

Error: (08/17/2021 10:35:38 AM) (Source: DCOM) (EventID: 10005) (User: ADDY-BABU)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/17/2021 10:35:04 AM) (Source: DCOM) (EventID: 10005) (User: ADDY-BABU)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (08/17/2021 10:35:04 AM) (Source: DCOM) (EventID: 10005) (User: ADDY-BABU)
Description: DCOM got error "1084" attempting to start the service VSS with arguments "Unavailable" in order to run the server:
{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}

Error: (08/17/2021 10:35:04 AM) (Source: DCOM) (EventID: 10005) (User: ADDY-BABU)
Description: DCOM got error "1084" attempting to start the service VSS with arguments "Unavailable" in order to run the server:
{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}

Error: (08/17/2021 10:35:04 AM) (Source: DCOM) (EventID: 10005) (User: ADDY-BABU)
Description: DCOM got error "1084" attempting to start the service VSS with arguments "Unavailable" in order to run the server:
{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}

Windows Defender:
================
Date: 2021-06-24 18:24:16
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-06-24 18:12:11
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-06-23 20:16:35
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?li...linkid=37020&name=Backdoor:MSIL/Bladabindi!rfn&threatid=2147692010&enterprise=0
Name: Backdoor:MSIL/Bladabindi!rfn
Severity: Severe
Category: Backdoor
Path: file:_C:\Users\Addy\AppData\Local\Temp\Rar$DRa4704.42112\NjRat 0.7D Danger Edition 2018\NjRat 0.7D Danger Edition-cleaned-cleaned.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Security intelligence Version: AV: 1.341.1231.0, AS: 1.341.1231.0, NIS: 1.341.1231.0
Engine Version: AM: 1.1.18200.4, NIS: 1.1.18200.4

Date: 2021-06-22 19:44:32
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?li...wlink/?linkid=37020&name=HackTool:Win32/Keygen&threatid=2147593794&enterprise=0
Name: HackTool:Win32/Keygen
Severity: High
Category: Tool
Path: containerfile:_C:\Program Files (x86)\IObit\Driver Booster\8.4.0\Loader-IDB.exe; file:_C:\Program Files (x86)\IObit\Driver Booster\8.4.0\Loader-IDB.exe; file:_C:\Program Files (x86)\IObit\Driver Booster\8.4.0\Loader-IDB.exe->(UPX)->(VFS:patch.exe)
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.341.1224.0, AS: 1.341.1224.0, NIS: 1.341.1224.0
Engine Version: AM: 1.1.18200.4, NIS: 1.1.18200.4

Date: 2021-06-30 15:35:20
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.341.1586.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.18200.4
Error code: 0x80070643
Error description: Fatal error during installation.

Date: 2021-06-30 15:35:13
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version: 1.343.108.0
Previous security intelligence Version: 1.341.1586.0
Update Source: User
Security intelligence Type: AntiSpyware
Update Type: Delta
Current Engine Version: 1.1.18300.4
Previous Engine Version: 1.1.18200.4
Error code: 0x80070666
Error description: Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel.

Date: 2021-06-30 15:35:13
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version: 1.343.108.0
Previous security intelligence Version: 1.341.1586.0
Update Source: User
Security intelligence Type: AntiVirus
Update Type: Delta
Current Engine Version: 1.1.18300.4
Previous Engine Version: 1.1.18200.4
Error code: 0x80070666
Error description: Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel.

Date: 2021-06-30 15:35:13
Description:
Microsoft Defender Antivirus has encountered an error trying to update the engine.
New Engine Version: 1.1.18300.4
Previous Engine Version: 1.1.18200.4
Error Code: 0x80070666
Error description: Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel.

Date: 2021-06-27 10:50:51
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.341.1532.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.18200.4
Error code: 0x8050a003
Error description: This package does not contain up-to-date definition files for this program. For more information, see Help and Support.

CodeIntegrity:
===============
Date: 2021-08-17 10:34:29
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\SIHClient.exe) attempted to load \Device\HarddiskVolume2\Program Files\Avast Software\Avast\aswAMSI.dll that did not meet the Windows signing level requirements.

Date: 2021-08-16 23:02:56
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Avast Software\Avast\AvastSvc.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2021-08-16 22:42:17
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Avast Software\Avast\aswAMSI.dll that did not meet the Windows signing level requirements.

==================== Memory info ===========================

BIOS: American Megatrends Inc. F3 09/23/2016
Motherboard: Gigabyte Technology Co., Ltd. H61MS
Processor: Intel(R) Pentium(R) CPU G2010 @ 2.80GHz
Percentage of memory in use: 50%
Total physical RAM: 3991.55 MB
Available physical RAM: 1967.5 MB
Total Virtual: 12183.55 MB
Available Virtual: 10403.66 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.26 GB) (Free:27.02 GB) NTFS
Drive e: () (Fixed) (Total:175.78 GB) (Free:100.26 GB) NTFS
Drive f: () (Fixed) (Total:192.23 GB) (Free:71.69 GB) NTFS

\\?\Volume{1b738edc-0000-0000-0000-100000000000}\ () (Fixed) (Total:0.49 GB) (Free:0.45 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 1B738EDC)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=175.8 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=192.2 GB) - (Type=07 NTFS)

==================== End of Addition.txt =======================
 
#25 ·
Hi, Addy.

Yes, new members cannot make more than 15 posts or start 2 new threads in a 24-hour period. After the person has been a member for 5 days (and has made at least 5 posts) this restriction gets removed.

Give me some time to review your logs. (No need to reply now, so you keep your posts!)
 
#26 ·
Hi, Addy.

I don't see rootkit signs at the moment.

The black wallpaper you describe at the first post is probably due to a temporary account which was created in your computer earlier this month.

Since we are getting into a long process, please adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.

========================================

Let's begin.

These are my first comments/instructions:

1. Avast Premium Security

You are using the premium version. Is it legally activated? If not, please uninstall it. Having a pirated antivirus on one hand and trying to clean the computer on the other is really not a wise thing.

2. Microsoft Office Enterprise 2007

Enterprise edition is for big companies and not for individuals. Therefore, the license used here is not legal, unless the computer belongs to a company. If this is not the case, please uninstall it.

3. Java

There are very few reasons these days to continue having Java installed on your computer. Since the versions you have installed are outdated, please uninstall them:

Java 8 Update 291
Java(TM) SE Development Kit 16.0.1

If you do elect to keep Java, it needs to be updated to the latest version which you can find here: Java SE Runtime Environment 8 - Downloads.

Do not install it now. Wait for the cleaning procedure to finish first.

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

4. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\localserver32 -> "C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\Microsoft.Nucleus.exe" => No File
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-4201120289-4146785065-3772099571-1002_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\localserver32 -> "C:\Users\Addy\AppData\Local\Microsoft\OneDrive\21.099.0516.0003\Microsoft.Nucleus.exe" => No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
HKU\S-1-5-21-4201120289-4146785065-3772099571-1002\...\StartupApproved\Run: => "IDMan"
FirewallRules: [{1D8671BE-4CD8-43E5-9DB1-AED9AA803288}] => (Allow) C:\Users\afird\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{EBF5E04C-5E58-4932-B464-CEAAA84E4168}] => (Allow) C:\Users\afird\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [TCP Query User{34B91CCB-3869-461E-AACF-1F79F3F881E7}C:\users\addy\appdata\roaming\.minecraft\runtime\java-runtime-alpha\windows\java-runtime-alpha\bin\javaw.exe] => (Allow) C:\users\addy\appdata\roaming\.minecraft\runtime\java-runtime-alpha\windows\java-runtime-alpha\bin\javaw.exe => No File
FirewallRules: [UDP Query User{3FC346A6-9045-47F0-9C9C-681639DBB21B}C:\users\addy\appdata\roaming\.minecraft\runtime\java-runtime-alpha\windows\java-runtime-alpha\bin\javaw.exe] => (Allow) C:\users\addy\appdata\roaming\.minecraft\runtime\java-runtime-alpha\windows\java-runtime-alpha\bin\javaw.exe => No File
FirewallRules: [{5144181A-8891-4338-B450-CA9E594663FB}] => (Allow) C:\Users\Addy\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{5374BA7A-3FDA-4E89-AEA2-AE61B2F9BDBD}] => (Allow) C:\Users\Addy\AppData\Roaming\Zoom\bin\airhost.exe => No File
HKU\S-1-5-21-4201120289-4146785065-3772099571-1002\...\MountPoints2: D - "D:\setup.exe"
IFEO\taskmgr.exe: [Debugger] "C:\Program Files\Process Hacker\ProcessHacker.exe"
Startup: C:\Users\afird\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2021-05-27]
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe (No File)
Startup: C:\Users\afird\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Telegram.lnk [2021-06-21]
ShortcutTarget: Telegram.lnk -> C:\Users\Addy\AppData\Roaming\Telegram Desktop\Telegram.exe (No File)
Task: {B88D964F-69AB-4E98-BA82-18520A3CC4C1} - System32\Tasks\Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901} => C:\Program Files\Common Files\AV\Kaspersky Lab\upgrade_launcher.exe [743488 2021-06-28] (Kaspersky Lab JSC -> AO Kaspersky Lab)
Edge HKU\S-1-5-21-4201120289-4146785065-3772099571-1002\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [llbjbkhnmlidjebalopleeepgdfgcpec] - C:\Program Files (x86)\Internet Download Manager\IDMEdgeExt.crx <not found>
S3 FvSvc; "C:\Program Files\NVIDIA Corporation\FrameViewSDK\nvfvsdksvc_x64.exe" -service [X]
S2 KSDE5.3; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky VPN 5.3\ksde.exe" -r [X]
U1 aswbdisk; no ImagePath
U0 Partizan; system32\drivers\Partizan.sys [X]
C:\Users\Addy\Desktop\RootRepeal.exe
C:\Users\Addy\Desktop\RkU3.7.300.505.exe
C:\ProgramData\Kaspersky Lab
C:\Users\TEMP.DESKTOP-JN6QGAA
C:\Users\TEMP
C:\Users\Addy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord Inc
C:\Users\Addy\AppData\Roaming\discord
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NoVirusThanks
C:\Program Files\Common Files\AV\Kaspersky Lab
C:\Program Files (x86)\Internet Download Manager
C:\Program Files (x86)\IObit\Driver Booster
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

5. Run AdwCleaner (Scan mode)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

6. Run Malwarebytes (Scan mode)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the last two steps below.

If threats are found, make sure that none of the threats are selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:
  1. Which programs did you uninstall, regarding Steps 1-3 above.
  2. The fixlog.txt
  3. The AdwCleaner[S0*].txt
  4. The Malwarebytes report
NOTE: If you have a question, please ask before going to a next step.
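Reading an FRST log by eye, as DR M does above to build the fixlist, means picking out entries whose target no longer exists (`=> No File`, `(No File)`, `<not found>`, `[X]`, `no ImagePath`), entries whose target lives in a user-writable location such as a profile or ProgramData, and redirects such as the IFEO `Debugger` key (used legitimately here by Process Hacker to replace Task Manager, but the same key is a classic persistence and hijack location that deserves a look in every log). The Python script below is an added example, not code from the forum, from DR M or from the FRST tool; it performs that first-pass triage over constructed sample lines modelled on the log format above. Every entry name, GUID and path in `SAMPLE_LOG` is made up except the Process Hacker IFEO line, which is taken from the fixlist above; the marker strings and category names are the example's own assumptions, not FRST output definitions.

```python
import re
from collections import defaultdict

# Markers FRST prints when an entry points at something that no longer exists.
# These are the entries an analyst typically lists in a fixlist for removal.
ORPHAN_MARKERS = ("=> No File", "(No File)", "<not found>", " [X]", "no ImagePath")

# Entry types that represent a persistence or trust decision (autostart, task,
# COM handler, firewall allow rule, service). Only these are checked for a
# user-writable target so the report is not flooded with wallpaper paths etc.
REVIEW_PREFIXES = (
    "Startup:", "ShortcutTarget:", "Task:", "CustomCLSID:", "FirewallRules:",
    "HKLM\\...\\Run:", "HKU\\", "R2 ", "S2 ", "S3 ", "U0 ", "U1 ",
)

# IFEO\<image>: [Debugger] "<debugger path>"  (Image File Execution Options redirect)
IFEO_DEBUGGER_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<debugger>.+)$")

# Locations a standard user can write to; binaries started from here merit review.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData)\\", re.IGNORECASE)


def classify(line):
    """Return the triage tags that apply to one FRST log line."""
    tags = []
    if any(marker in line for marker in ORPHAN_MARKERS):
        tags.append("orphan")
    if IFEO_DEBUGGER_RE.match(line):
        tags.append("ifeo_debugger")
    if (line.startswith(REVIEW_PREFIXES) and USER_WRITABLE_RE.search(line)
            and "orphan" not in tags):
        tags.append("user_writable_path")
    return tags


def triage(log_text):
    """Group the lines of an FRST log by triage tag; section banners are skipped."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===="):
            continue
        for tag in classify(line):
            findings[tag].append(line)
    return dict(findings)


def ifeo_redirects(log_text):
    """Map each image name that has an IFEO Debugger set to the debugger path."""
    redirects = {}
    for raw in log_text.splitlines():
        match = IFEO_DEBUGGER_RE.match(raw.strip())
        if match:
            redirects[match.group("image")] = match.group("debugger").strip('"')
    return redirects


# Constructed sample in FRST's line format (names, GUIDs and paths are made up;
# the IFEO line is the one from the fixlist in the thread above).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ====================
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe [2021-01-01] (Microsoft Windows -> Microsoft Corporation)
HKU\S-1-5-21-1111-2222-3333-1001\...\Run: [Updater] => C:\Users\example\AppData\Roaming\Updater\updater.exe [2021-08-01] () [File not signed]
IFEO\taskmgr.exe: [Debugger] "C:\Program Files\Process Hacker\ProcessHacker.exe"
Startup: C:\Users\example\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2021-05-27]
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe (No File)
CustomCLSID: HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32 -> C:\Users\example\AppData\Local\Vendor\shell.dll => No File
FirewallRules: [{11111111-2222-3333-4444-555555555555}] => (Allow) C:\Users\example\AppData\Roaming\Zoom\bin\airhost.exe => No File
S3 ExampleSvc; "C:\Program Files\Example\svc.exe" -service [X]
U1 aswbdisk; no ImagePath
Task: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - System32\Tasks\ExampleTask => C:\ProgramData\Example\task.exe [12345 2021-06-28] (Example Corp -> Example Corp)
"""

if __name__ == "__main__":
    for tag, lines in sorted(triage(SAMPLE_LOG).items()):
        print(f"== {tag} ({len(lines)}) ==")
        for line in lines:
            print("  " + line)
    print("IFEO redirects:", ifeo_redirects(SAMPLE_LOG))
```

The script is a reading aid, not a verdict: an orphan entry is harmless clutter until you confirm nothing recreates it, a user-profile autostart is normal for Zoom, Discord or Telegram and an IFEO debugger is exactly how Process Hacker replaces Task Manager, so each tagged line still needs the signer, date and path checked by hand the way the analyst does in the thread.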
 
#28 ·
Hello and Good Morning, Mr. DR.M & All Other Staff Members & Admins. 😁💜
Sorry for the late response, because I was very busy yesterday studying and after that I was also out of my home, so I didn't have the opportunity to open the PC and check and reply back on the forum. But, as far as I know according to my studies in this field of Computer Security and Pen-Testing, it is really difficult to detect any kind of RootKits (whether it's Ring3, Ring0 or any) because, according to my knowledge, a rootkit is a type of malware that is stored on an infected computer in a way that it loads before the operating system does. Because it underlies the operating system, it can intercept any and every command issued within the operating system and alter any operations taken and modify any data being written to or read from the computer's hard drives in such a manner as to both hide its very existence and to prevent it from being removed, and it installs its own (RootKit) service that starts before the first user is logged on. This background process injects all currently running processes, as well as processes that spawn later. Two processes are needed to inject both 32-bit and 64-bit processes. Both processes are hidden by ID using the configuration system. So, I don't think that doing all these things will definitely detect the Rootkits, as modern Ring3 RootKits use high and sophisticated techniques like several AV and EDR evasion techniques like A.M.S.I. Bypass & D.L.L. UnHooking to prevent detection from all kinds of AVs and Monitoring and Scanning programs (except maybe if the scanner uses a Ring0 Kernel-Mode Rootkit Driver like G.M.E.R. { G.M.E.R. can detect some remnants/fragments of the RootKit but not all, because the process can also be injected, but since it uses a kernel-mode driver it can detect and locate some of the Rootkit's registry files, keys and even the files that are hidden in the disk, but it does not have the power to kill or to delete it :'( }).
Anyways, I will do whatever you wish to try and detect any other malware that may have crept in besides the rootkit, or malware downloaded/uploaded by the rootkit or by the one who is controlling the rootkit. Since right now it is very early morning here, when I open my PC I will do the things that you told me to do.
But here are some problems which I am facing:

I cannot uninstall Java, as I am learning the Java, C, C++, PHP, and Python programming languages and use IDEs like BlueJ, Eclipse, Visual Studio Code and Microsoft Visual Studio. If I uninstall Java, it will definitely cause all its programs and the IDEs related to it to stop working.

My family and I (not only my family; in my whole place, everyone uses this edition for work purposes) both use Microsoft Office 2007 for office work, as it comes with Word, Excel, Access, PowerPoint, etc., and these are required for office work. So, I also cannot uninstall Microsoft Office.

• IMPORTANT!!! Please note: when scanning with FRST64.exe and CKScanner, and also when posting replies in this forum from my PC, I left the PC open to scan and create the logs and was doing something else, and it was at this moment that I experienced a sudden movement of my cursor going straight to the X button of my browser. When I saw it, I quickly moved my pointer from there to somewhere else in order to prevent the browser from getting closed, and also to prevent the scan from getting terminated. I think this also happened when scanning my PC using FRST64.exe and CKScanner.exe. {{ What do you guys think of this strange and creepy behaviour????!!!!!! }}

• Secondly, I want to personally have a conversation with the malware specialist who is assisting me. How can I personally message my malware assistant? There's no option I can find to start a conversation with him. If I can really message the Malware Specialist who is assisting me here privately (besides posting replies here), I will be very grateful, because there is a lot more information that I can't disclose here, since we also have other users and "guests" who view all these threads, and we never know which "guest" is viewing our posts.....


Thank You For Your Understanding 😃!
Looking forward to your reply ☺....
Best Regards ❤💜❤,
Addy.
 
#29 ·
Hi, Addy.

1. Java: I made it clear that if you elect to keep it, you must have the latest version installed and not an outdated version. I asked you to download the latest version at the end of the cleaning procedure, but if it is necessary to do that now, you can do it.

2. Microsoft Office Enterprise: You are an ordinary user, meaning that the computer doesn't belong to a company. The Enterprise version is for companies, and if you have this version installed, that means that you are using a Volume license and not a Retail or an OEM one. I can't know where you found that license, whether you bought it from a questionable site, whether you are using a KMS service, or anything else. I already told you that using programs that are not legally activated is the easiest way to install malware. I really don't have anything else to add here.

3. Help on this kind of site is given only in public. It's in the Forum's Rules. Therefore, I can't give you instructions through personal conversations.

4. If you don't feel comfortable with the procedures we use here, or you believe that we are not able to provide the assistance you need, then you are free to ask for help from a computer store or just reinstall your operating system. Otherwise, please follow the instructions step by step from the beginning through the end.

Thanks.
 
#30 ·
Hello, DR.M.
I am sorry I didn't make you understand what I am requesting. I am not asking you to post any malware removal instructions by PM; I am requesting that you could hear my full account of how I came under attack and why I think I have been infected with a rootkit only. After hearing my full story, you are free to reply here and give me the solution here, so that anyone can benefit from it. Also, Microsoft Office 2007 is not cracked; I got this license from a technician and also from various computer training schools, and most companies and schools use pirated versions of Windows, Microsoft Office, etc...... If this were cracked software, then the antivirus should have warned me, but it didn't, and I also didn't use any KMSPico or KMSAutoNet.
I will uninstall Avast and then provide you all the logs. But if you still wish me to uninstall Microsoft Office Enterprise Edition, I will uninstall it, but on the other hand I won't be able to open any Word, Excel, PPT, Access, etc. files.......

Thanks,
Best Regards,
Addy
 
#31 ·
Here I am :) and with all the reports that you wanted :D ;)

1. I have uninstalled Avast Premium Security.
2. I didn't uninstall Java because I decided to keep it, nor did I update it during the cleanup process.
3. I also didn't uninstall MS Office Enterprise Edition, as I waited for your confirmation. I also know that all of you are not free, have other work to do and are busy, but if you still want me to uninstall it, I can uninstall it; just please remember to suggest me a better alternative to it :)

Thanks.
 