forums.malwarebytes.com
13.225.78.37  Public Scan

URL: https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/
Submission: On March 28 via manual from US — Scanned from DE

Form analysis 10 forms found in the DOM

POST https://forums.malwarebytes.com/login/

<form accept-charset="utf-8" method="post" action="https://forums.malwarebytes.com/login/">
  <input type="hidden" name="csrfKey" value="a6da0c542bb8c458b99f094026422455">
  <input type="hidden" name="ref" value="aHR0cHM6Ly9mb3J1bXMubWFsd2FyZWJ5dGVzLmNvbS90b3BpYy8yOTA2NzEtbWFsd2FyZS1pbmZlY3RlZC1mcm9tLXVzYi1kcml2ZS8=">
  <div data-role="loginForm">
    <div class="ipsPad ipsForm ipsForm_vertical">
      <h4 class="ipsType_sectionHead">Sign In</h4>
      <br><br>
      <ul class="ipsList_reset">
        <li class="ipsFieldRow ipsFieldRow_noLabel ipsFieldRow_fullWidth">
          <input type="text" placeholder="Display Name" name="auth" autocomplete="username">
        </li>
        <li class="ipsFieldRow ipsFieldRow_noLabel ipsFieldRow_fullWidth">
          <input type="password" placeholder="Password" name="password" autocomplete="current-password">
        </li>
        <li class="ipsFieldRow ipsFieldRow_checkbox ipsClearfix">
          <span class="ipsCustomInput">
            <input type="checkbox" name="remember_me" id="remember_me_checkbox" value="1" checked="" aria-checked="true">
            <span></span>
          </span>
          <div class="ipsFieldRow_content">
            <label class="ipsFieldRow_label" for="remember_me_checkbox">Remember me</label>
            <span class="ipsFieldRow_desc">Not recommended on shared computers</span>
          </div>
        </li>
        <li class="ipsFieldRow ipsFieldRow_fullWidth">
          <button type="submit" name="_processLogin" value="usernamepassword" class="ipsButton ipsButton_primary ipsButton_small" id="elSignIn_submit">Sign In</button>
          <p class="ipsType_right ipsType_small">
            <a href="https://forums.malwarebytes.com/lostpassword/" data-ipsdialog="" data-ipsdialog-title="Forgot your password?">

					Forgot your password?</a>
          </p>
        </li>
      </ul>
    </div>
  </div>
</form>

POST //forums.malwarebytes.com/search/?do=quicksearch

<form accept-charset="utf-8" action="//forums.malwarebytes.com/search/?do=quicksearch" method="post">
  <input type="search" id="elSearchField" placeholder="Search..." name="q" autocomplete="off" aria-label="Search">
  <details class="cSearchFilter">
    <summary class="cSearchFilter__text">This Topic</summary>
    <ul class="cSearchFilter__menu">
      <li><label><input type="radio" name="type" value="all"><span class="cSearchFilter__menuText">Everywhere</span></label></li>
      <li><label><input type="radio" name="type" value="contextual_{&quot;type&quot;:&quot;forums_topic&quot;,&quot;nodes&quot;:81}" checked=""><span class="cSearchFilter__menuText">This Forum</span></label></li>
      <li><label><input type="radio" name="type" value="contextual_{&quot;type&quot;:&quot;forums_topic&quot;,&quot;item&quot;:290671}" checked=""><span class="cSearchFilter__menuText">This Topic</span></label></li>
      <li><label><input type="radio" name="type" value="calendar_event"><span class="cSearchFilter__menuText">Events</span></label></li>
      <li><label><input type="radio" name="type" value="core_statuses_status"><span class="cSearchFilter__menuText">Status Updates</span></label></li>
      <li><label><input type="radio" name="type" value="forums_topic"><span class="cSearchFilter__menuText">Topics</span></label></li>
      <li><label><input type="radio" name="type" value="cms_pages_pageitem"><span class="cSearchFilter__menuText">Pages</span></label></li>
      <li><label><input type="radio" name="type" value="core_members"><span class="cSearchFilter__menuText">Members</span></label></li>
    </ul>
  </details>
  <button class="cSearchSubmit" type="submit" aria-label="Search"><i class="fa fa-search"></i></button>
</form>

POST https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?csrfKey=a6da0c542bb8c458b99f094026422455&do=multimodComment

<form action="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?csrfKey=a6da0c542bb8c458b99f094026422455&amp;do=multimodComment" method="post" data-ipspageaction="" data-role="moderationTools">
  <a id="comment-1535831"></a>
  <article id="elComment_1535831" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone    ">
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535831" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-09-29T05:02:18Z" title="09/29/2022 05:02  AM" data-short="Sep 29">September 29, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
          </div>
        </li>
        <li data-role="group">Members</li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/content/" rel="nofollow" title="9 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 9
							
								</a>
            </li>
          </ul>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1535831_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1535831"
        data-quotedata="{&quot;userid&quot;:297963,&quot;username&quot;:&quot;malwareismyfriend&quot;,&quot;timestamp&quot;:1664427738,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1535831}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
              </ul>
            </div>
            <ul class="ipsList_reset ipsComment_tools">
              <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535831" title="Share Post 1535831" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1535831_menu" data-ipsdialog-title="Share this post" id="elSharePost_1535831" data-role="shareComment">ID:1535831</a>
              <li>
                <a href="#elControls_1535831_menu" class="ipsComment_ellipsis" id="elControls_1535831" title="More options..." data-ipsmenu="" data-ipsmenu-appendto="#comment-1535831_wrap"><i class="fa fa-ellipsis-h"></i></a>
                <ul id="elControls_1535831_menu" class="ipsMenu ipsMenu_narrow ipsHide">
                  <li class="ipsMenu_item">
                    <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/" title="Share this post" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1535831_menu" data-ipsdialog-title="Share this post" d="elSharePost_1535831" data-role="shareComment">Share</a>
                  </li>
                </ul>
              </li>
            </ul>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535831" class="ipsType_blendLinks">Posted <time datetime="2022-09-29T05:02:18Z" title="09/29/2022 05:02  AM" data-short="Sep 29">September 29, 2022</time></a>
            <span class="ipsResponsive_hidePhone"> (edited) </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages" id="ips_uid_8053_4">
            <p> put a USB drive in my computer a few days ago, computer started acting strangely.&nbsp; Adobe Illustrator not working properly, anti-virus programs not working properly, even FRST didn't load correctly until I re-downloaded it.&nbsp; I
              notice a lot of entries in my process list using process explorer and dozens of outbound connections using svchost and system.&nbsp; I had to boot in safe mode and run an old copy of FRST because I couldn't download a fresh
              copy without networking. </p>
            <p> &nbsp; </p>
            <p>
              <a class="ipsAttachLink ipsAttachLink_block" data-fileext="txt" data-fileid="354712" href="https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=354712&amp;key=666f4a9998fd2ce81a13340e07bd4fff" rel="" data-loaded="true">  <span class="ipsAttachLink_title">Addition.txt</span><span class="ipsAttachLink_metaInfo">Unavailable</span> </a><a class="ipsAttachLink ipsAttachLink_block" data-fileext="txt" data-fileid="354713" href="https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=354713&amp;key=c2a5c4960167e7768bc5f197047404cd" rel="" data-loaded="true">  <span class="ipsAttachLink_title">FRST.txt</span><span class="ipsAttachLink_metaInfo">Unavailable</span> </a>
            </p>
            <span class="ipsType_reset ipsType_medium ipsType_light" data-excludequote="">
              <strong>Edited <time datetime="2022-09-29T05:04:18Z" title="09/29/2022 05:04  AM" data-short="Sep 29">September 29, 2022</time> by AdvancedSetup</strong>
              <br>Removed unwanted text </span>
          </div>
        </div>
        <div class="ipsPadding ipsHide cPostShareMenu" id="elSharePost_1535831_menu">
          <h5 class="ipsType_normal ipsType_reset">Link to post</h5>
          <input type="text" value="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/" class="ipsField_fullWidth">
          <h5 class="ipsType_normal ipsType_reset ipsSpacer_top">Share on other sites</h5>
          <ul class="ipsList_inline ipsList_noSpacing ipsClearfix" data-controller="core.front.core.sharelink">
            <li>
              <a href="https://twitter.com/share?url=https%3A%2F%2Fforums.malwarebytes.com%2Ftopic%2F290671-malware-infected-from-usb-drive%2F%3Fdo%3DfindComment%26comment%3D1535831" class="cShareLink cShareLink_twitter" target="_blank" data-role="shareLink" title="Share on Twitter" data-ipstooltip="" rel="nofollow noopener">
	<i class="fa fa-twitter"></i>
</a>
            </li>
            <li>
              <a href="https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fforums.malwarebytes.com%2Ftopic%2F290671-malware-infected-from-usb-drive%2F%3Fdo%3DfindComment%26comment%3D1535831" class="cShareLink cShareLink_facebook" target="_blank" data-role="shareLink" title="Share on Facebook" data-ipstooltip="" rel="noopener nofollow">
	<i class="fa fa-facebook"></i>
</a>
            </li>
            <li>
              <a href="https://www.reddit.com/submit?url=https%3A%2F%2Fforums.malwarebytes.com%2Ftopic%2F290671-malware-infected-from-usb-drive%2F%3Fdo%3DfindComment%26comment%3D1535831&amp;title=malware+infected+from+USB+drive" rel="nofollow noopener" class="cShareLink cShareLink_reddit" target="_blank" title="Share on Reddit" data-ipstooltip="">
	<i class="fa fa-reddit"></i>
</a>
            </li>
            <li>
              <a href="mailto:?subject=malware%20infected%20from%20USB%20drive&amp;body=https%3A%2F%2Fforums.malwarebytes.com%2Ftopic%2F290671-malware-infected-from-usb-drive%2F%3Fdo%3DfindComment%26comment%3D1535831" rel="nofollow" class="cShareLink cShareLink_email" title="Share via email" data-ipstooltip="">
	<i class="fa fa-envelope"></i>
</a>
            </li>
            <li>
              <a href="https://pinterest.com/pin/create/button/?url=https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment%26comment=1535831&amp;media=https://content.invisioncic.com/Mmalware/monthly_2020_09/MB_ICON_196x196.png.add66bd0622be5122328978d35ce35c3.png" class="cShareLink cShareLink_pinterest" rel="nofollow noopener" target="_blank" data-role="shareLink" title="Share on Pinterest" data-ipstooltip="">
	<i class="fa fa-pinterest"></i>
</a>
            </li>
          </ul>
          <hr class="ipsHr">
          <button class="ipsHide ipsButton ipsButton_small ipsButton_light ipsButton_fullWidth ipsMargin_top:half" data-controller="core.front.core.webshare" data-role="webShare" data-websharetitle="malware infected from USB drive" data-websharetext="put a USB drive in my computer a few days ago, computer started acting strangely.&nbsp; Adobe Illustrator not working properly, anti-virus programs not working properly, even FRST didn't load correctly until I re-downloaded it.&nbsp; I notice a lot of entries in my process list using process explorer and dozens of outbound connections using svchost and system.&nbsp; I had to boot in safe mode and run an old copy of FRST because I couldn't download a fresh copy without networking.
 


	&nbsp;
	 
		Addition.txtFRST.txt
	 

" data-webshareurl="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535831">More sharing options...</button>
        </div>
      </div>
    </div>
  </article>
  <a id="comment-1535834"></a>
  <article data-membergroup="4" id="elComment_1535834" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <div class="ipsResponsive_showPhone ipsComment_badges">
      <ul class="ipsList_reset ipsFlex ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
        <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
      </ul>
    </div>
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
          <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break"><span style="color:red; font-weight:bold">AdvancedSetup</span></a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535834" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-09-29T05:06:37Z" title="09/29/2022 05:06  AM" data-short="Sep 29">September 29, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 104.8k
							
								</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks">

									   <i class="fa fa-check-circle"></i> 295
								
									</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1535834_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1535834"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1664427997,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1535834}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
            <ul class="ipsList_reset ipsComment_tools">
              <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535834" title="Share Post 1535834" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1535834_menu" data-ipsdialog-title="Share this post" id="elSharePost_1535834" data-role="shareComment">ID:1535834</a>
              <li>
                <a href="#elControls_1535834_menu" class="ipsComment_ellipsis" id="elControls_1535834" title="More options..." data-ipsmenu="" data-ipsmenu-appendto="#comment-1535834_wrap"><i class="fa fa-ellipsis-h"></i></a>
                <ul id="elControls_1535834_menu" class="ipsMenu ipsMenu_narrow ipsHide">
                  <li class="ipsMenu_item">
                    <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535834" title="Share this post" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1535834_menu" data-ipsdialog-title="Share this post" id="elSharePost_1535834" data-role="shareComment">Share</a>
                  </li>
                </ul>
              </li>
            </ul>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535834" class="ipsType_blendLinks">Posted <time datetime="2022-09-29T05:06:37Z" title="09/29/2022 05:06  AM" data-short="Sep 29">September 29, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> Hello
              <a contenteditable="false" data-ipshover="" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" data-mentionid="297963" href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="">@malwareismyfriend</a>
              <img alt=":welcome:" data-emoticon="true" loading="lazy" src="//content.invisioncic.com/Mmalware/emoticons/default_post-32477-1261866970.gif" title=":welcome:"></p>
            <p> You will need to have access to the Internet from another computer or some way to transfer files. (it seems you've already done so as you posted logs) </p>
            <p> &nbsp; </p>
            <p> Please download <a href="https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/" rel="external nofollow noopener" target="_blank">Farbar Recovery Scan Tool</a> and save it to your desktop. </p>
            <p>
              <strong>Note</strong>: You need to run the version compatible with your system.<br> You can check <a href="https://support.microsoft.com/kb/827218" rel="external nofollow noopener" target="_blank">here</a> if you're not sure if your
              computer is 32-bit or 64-bit
            </p>
            <ul>
              <li> Double-click to run it. When the tool opens click <strong>Yes</strong> to disclaimer. </li>
              <li> Press the<strong> Scan</strong> button. </li>
              <li> It will make a log (<strong>FRST.txt</strong>) in the same directory the tool is run. Please attach it to your reply. </li>
              <li> The first time the tool is run, it also makes another log (<strong>Addition.txt</strong>). Please attach it to your reply as well. </li>
            </ul>
            <p> Thank you </p>
            <p> &nbsp; </p>
            <p> &nbsp; </p>
          </div>
        </div>
        <div class="ipsPadding ipsHide cPostShareMenu" id="elSharePost_1535834_menu">
          <h5 class="ipsType_normal ipsType_reset">Link to post</h5>
          <input type="text" value="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535834" class="ipsField_fullWidth">
          <h5 class="ipsType_normal ipsType_reset ipsSpacer_top">Share on other sites</h5>
          <ul class="ipsList_inline ipsList_noSpacing ipsClearfix" data-controller="core.front.core.sharelink">
            <li>
              <a href="https://twitter.com/share?url=https%3A%2F%2Fforums.malwarebytes.com%2Ftopic%2F290671-malware-infected-from-usb-drive%2F%3Fdo%3DfindComment%26comment%3D1535834" class="cShareLink cShareLink_twitter" target="_blank" data-role="shareLink" title="Share on Twitter" data-ipstooltip="" rel="nofollow noopener">
	<i class="fa fa-twitter"></i>
</a>
            </li>
            <li>
              <a href="https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fforums.malwarebytes.com%2Ftopic%2F290671-malware-infected-from-usb-drive%2F%3Fdo%3DfindComment%26comment%3D1535834" class="cShareLink cShareLink_facebook" target="_blank" data-role="shareLink" title="Share on Facebook" data-ipstooltip="" rel="noopener nofollow">
	<i class="fa fa-facebook"></i>
</a>
            </li>
            <li>
              <a href="https://www.reddit.com/submit?url=https%3A%2F%2Fforums.malwarebytes.com%2Ftopic%2F290671-malware-infected-from-usb-drive%2F%3Fdo%3DfindComment%26comment%3D1535834&amp;title=malware+infected+from+USB+drive" rel="nofollow noopener" class="cShareLink cShareLink_reddit" target="_blank" title="Share on Reddit" data-ipstooltip="">
	<i class="fa fa-reddit"></i>
</a>
            </li>
            <li>
              <a href="mailto:?subject=malware%20infected%20from%20USB%20drive&amp;body=https%3A%2F%2Fforums.malwarebytes.com%2Ftopic%2F290671-malware-infected-from-usb-drive%2F%3Fdo%3DfindComment%26comment%3D1535834" rel="nofollow" class="cShareLink cShareLink_email" title="Share via email" data-ipstooltip="">
	<i class="fa fa-envelope"></i>
</a>
            </li>
            <li>
              <a href="https://pinterest.com/pin/create/button/?url=https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment%26comment=1535834&amp;media=https://content.invisioncic.com/Mmalware/monthly_2020_09/MB_ICON_196x196.png.add66bd0622be5122328978d35ce35c3.png" class="cShareLink cShareLink_pinterest" rel="nofollow noopener" target="_blank" data-role="shareLink" title="Share on Pinterest" data-ipstooltip="">
	<i class="fa fa-pinterest"></i>
</a>
            </li>
          </ul>
        </div>
      </div>
    </div>
  </article>
  <a id="comment-1535841"></a>
  <article id="elComment_1535841" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone    ">
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535841" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-09-29T05:19:17Z" title="09/29/2022 05:19  AM" data-short="Sep 29">September 29, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
          </div>
        </li>
        <li data-role="group">Members</li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/content/" rel="nofollow" title="9 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 9
							
								</a>
            </li>
          </ul>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1535841_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1535841"
        data-quotedata="{&quot;userid&quot;:297963,&quot;username&quot;:&quot;malwareismyfriend&quot;,&quot;timestamp&quot;:1664428757,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1535841}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsComment_authorBadge">Author</strong></li>
              </ul>
            </div>
            <ul class="ipsList_reset ipsComment_tools">
              <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535841" title="Share Post 1535841" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1535841_menu" data-ipsdialog-title="Share this post" id="elSharePost_1535841" data-role="shareComment">ID:1535841</a>
            </ul>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535841" class="ipsType_blendLinks">Posted <time datetime="2022-09-29T05:19:17Z" title="09/29/2022 05:19  AM" data-short="Sep 29">September 29, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> Okay, I got it running from my desktop. This log looks completely different from the one above, very odd. </p>
            <p> Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-08-2022<br> Ran by God (administrator) on FAST-DELL (Dell Inc. Inspiron 3891) (29-09-2022 00:16:11)<br> Running from C:\Users\gngn1\Desktop<br> Loaded Profiles: God<br>
              Platform: Microsoft Windows 11 Home Version 21H2 22000.978 (X64) Language: English (United States)<br> Default browser: FF<br> Boot Mode: Normal </p>
            <p> ==================== Processes (Whitelisted) ================= </p>
            <p> (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) </p>
            <p> (C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe -&gt;) (Logitech Inc -&gt; Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_appbroker.exe<br> (C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe
              -&gt;) (Logitech Inc -&gt; Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe<br> (C:\Program Files\Logitech\LogiOptions\LogiOptions.exe -&gt;) (Logitech Inc -&gt; Logitech)
              C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOverlay.exe<br> (C:\Program Files\Logitech\LogiOptions\LogiOptions.exe -&gt;) (Logitech Inc -&gt; Logitech, Inc.)
              C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe<br> (C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe -&gt;) (Logitech Inc -&gt; Logitech, Inc.)
              C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\laclient.exe<br> (C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe -&gt;) (Microsoft Windows Publisher -&gt; Microsoft Corporation)
              C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCopyAccelerator.exe<br> (DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxCUIService.exe -&gt;) (Intel Corporation -&gt; Intel Corporation)
              C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxEM.exe<br> (explorer.exe -&gt;) (Ivaylo Beltchev -&gt; IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenu.exe<br>
              (explorer.exe -&gt;) (Logitech Inc -&gt; Logitech, Inc.) C:\Program Files\Logitech\LogiOptions\LogiOptions.exe<br> (explorer.exe -&gt;) (Microsoft Corporation -&gt; Microsoft Corporation) C:\Program Files\Microsoft
              OneDrive\OneDrive.exe<br> (services.exe -&gt;) (Adobe Inc. -&gt; Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe<br> (services.exe -&gt;) (Apple Inc. -&gt; Apple Inc.)
              C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe<br> (services.exe -&gt;) (Code Sector -&gt; ) C:\Program Files\TeraCopy\TeraCopyService.exe<br> (services.exe -&gt;) (Dell Inc -&gt; Dell Inc.)
              C:\Program Files\Dell\Fusion\FusionService.exe<br> (services.exe -&gt;) (Intel Corporation -&gt; Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxCUIService.exe<br> (services.exe
              -&gt;) (Intel Corporation -&gt; Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_f83b924791f3a52a\OneApp.IGCC.WinService.exe<br> (services.exe -&gt;) (Intel Corporation -&gt; Intel Corporation)
              C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\IntelCpHDCPSvc.exe<br> (services.exe -&gt;) (Intel Corporation -&gt; Intel Corporation)
              C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\IntelCpHeciSvc.exe<br> (services.exe -&gt;) (Intel Corporation -&gt; Intel Corporation)
              C:\Windows\System32\DriverStore\FileRepository\mewmiprov.inf_amd64_d4564390a9b1e980\WMIRegistrationService.exe<br> (services.exe -&gt;) (Intel(R) Embedded Subsystems and IP Blocks Group -&gt; Intel Corporation)
              C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_7aa6ca9dbb25bff8\jhi_service.exe<br> (services.exe -&gt;) (Intel(R) Embedded Subsystems and IP Blocks Group -&gt; Intel Corporation)
              C:\Windows\System32\DriverStore\FileRepository\lms.inf_amd64_5d10f2aad7f84bec\LMS.exe<br> (services.exe -&gt;) (Intel(R) Rapid Storage Technology -&gt; Intel Corporation)
              C:\Windows\System32\DriverStore\FileRepository\iastorac.inf_amd64_68966115f2eef4e5\RstMwService.exe<br> (services.exe -&gt;) (Károly Pados -&gt; Károly Pados) C:\Program Files (x86)\TinyWall\TinyWall.exe &lt;3&gt;<br> (services.exe
              -&gt;) (Logitech Inc -&gt; Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe<br> (services.exe -&gt;) (Microsoft Corporation -&gt; Microsoft Corporation) C:\Program Files\Common Files\microsoft
              shared\ClickToRun\OfficeClickToRun.exe<br> (services.exe -&gt;) (Microsoft Corporation -&gt; Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe<br> (services.exe -&gt;)
              (Microsoft Corporation -&gt; Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe<br> (services.exe -&gt;) (Microsoft Corporation -&gt; Microsoft Corporation)
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe<br> (services.exe -&gt;) (Microsoft Windows Publisher -&gt; Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe<br>
              (services.exe -&gt;) (Microsoft Windows Publisher -&gt; Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\NisSrv.exe<br> (services.exe -&gt;) (PhaseFive Systems LLC -&gt; Phase Five Systems)
              C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe<br> (services.exe -&gt;) (TeamViewer Germany GmbH -&gt; TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe<br>
              (services.exe -&gt;) (voidtools -&gt; voidtools) C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64\Everything.exe<br> (services.exe -&gt;) (Zoom Video Communications, Inc. -&gt; Zoom Video Communications, Inc.) C:\Program Files
              (x86)\Common Files\Zoom\Support\CptService.exe<br> (sihost.exe -&gt;) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.4447.0_x64__8wekyb3d8bbwe\PAD.Console.Host.exe<br> (svchost.exe -&gt;)
              (Microsoft Corporation -&gt; Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE<br> (svchost.exe -&gt;) (Microsoft Corporation) C:\Program
              Files\WindowsApps\Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe<br> (svchost.exe -&gt;) (Microsoft Windows -&gt; Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe<br> (svchost.exe
              -&gt;) (Microsoft Windows -&gt; Microsoft Corporation) C:\Windows\System32\dllhost.exe &lt;3&gt;<br> (svchost.exe -&gt;) (Microsoft Windows -&gt; Microsoft Corporation) C:\Windows\System32\smartscreen.exe<br> (svchost.exe -&gt;)
              (Microsoft Windows -&gt; Microsoft Corporation) C:\Windows\System32\wlanext.exe </p>
            <p> ==================== Registry (Whitelisted) =================== </p>
            <p> (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) </p>
            <p> HKLM\...\Run: [Classic Start Menu] =&gt; C:\Program Files\Classic Shell\ClassicStartMenu.exe [163640 2017-08-13] (Ivaylo Beltchev -&gt; IvoSoft) [File not signed]<br> HKLM\...\Run: [AdobeAAMUpdater-1.0] =&gt; C:\Program Files
              (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [509936 2018-04-11] (Adobe Systems Incorporated -&gt; Adobe Systems Incorporated)<br> HKLM\...\Run: [Logitech Download Assistant] =&gt; C:\Windows\System32\LogiLDA.dll
              [3831808 2021-08-30] (Microsoft Windows Hardware Compatibility Publisher -&gt; Logitech)<br> HKLM\...\Run: [LogiOptions] =&gt; C:\Program Files\Logitech\LogiOptions\LogiOptions.exe [1687616 2022-02-21] (Logitech Inc -&gt; Logitech,
              Inc.)<br> HKLM-x32\...\Run: [Adobe Creative Cloud] =&gt; C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [1067528 2022-07-25] (Adobe Inc. -&gt; Adobe Inc.)<br> HKLM\...\Policies\Explorer: [HideSCAMeetNow] 1<br>
              HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction &lt;==== ATTENTION<br> HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction &lt;==== ATTENTION<br> HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run:
              [OneDrive] =&gt; C:\Program Files\Microsoft OneDrive\OneDrive.exe [2630024 2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [AdobeBridge] =&gt; [X]<br>
              HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [MicrosoftEdgeAutoLaunch_C0A32B37347337D257B1541CA93F7472] =&gt; "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
              /prefetch:5 [3795376 2022-09-25] (Microsoft Corporation -&gt; Microsoft Corporation)<br> HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Policies\Explorer: [HideSCAMeetNow] 1<br>
              HKU\S-1-5-21-1789883001-303321401-512692908-1003\...\Run: [OneDrive] =&gt; C:\Program Files\Microsoft OneDrive\OneDrive.exe [2630024 2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Startup:
              C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2021-12-30]<br> ShortcutTarget: Send to OneNote.lnk -&gt; C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft
              Corporation -&gt; Microsoft Corporation)<br> AlternateShell:&nbsp;<br> HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction &lt;==== ATTENTION<br> HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Policies\Microsoft\Edge:
              Restriction &lt;==== ATTENTION </p>
            <p> ==================== Scheduled Tasks (Whitelisted) ============ </p>
            <p> (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) </p>
            <p> Task: {02FEA731-D2DD-4A8E-A439-563F55D53DFC} - System32\Tasks\Opera scheduled Autoupdate 1638694259 =&gt; C:\Program Files\Opera\launcher.exe [2538448 2022-09-05] (Opera Norway AS -&gt; Opera Software)<br> Task:
              {0335EFB7-AF7E-416D-9978-D34ABA156C86} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor =&gt; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23709120 2022-09-18] (Microsoft Corporation
              -&gt; Microsoft Corporation)<br> Task: {05297C63-34A6-4FCA-A5F8-891900D5D30E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan =&gt; C:\ProgramData\Microsoft\Windows
              Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -&gt; Microsoft Corporation)<br> Task: {0AA9AE9F-7BC1-4CF7-B0D0-942E8D8AB388} - System32\Tasks\Mozilla\Firefox Default Browser Agent
              308046B0AF4A39CB =&gt; C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task "308046B0AF4A39CB"<br> Task: {193C0CD3-8DE7-4B74-A2DD-718AAF02C2ED} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup
              =&gt; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -&gt; Microsoft Corporation)<br> Task: {1AEF3D55-5909-4E1E-8853-22E99F844F7C} -
              System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 =&gt; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23709120 2022-09-18] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Task:
              {487D899D-40F2-476C-BEF0-2FF05589EC63} - System32\Tasks\Apple\AppleSoftwareUpdate =&gt; C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [616832 2019-09-04] (Apple Inc. -&gt; Apple Inc.)<br> Task:
              {500823C9-7F32-4788-B34D-40329A313066} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1003 =&gt; C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft
              Corporation -&gt; Microsoft Corporation)<br> Task: {5FD92CFE-F4D2-4D63-9C80-AC2D101820F1} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1002 =&gt;
              C:\Users\gngn1\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting (No File)<br> Task: {6500E3AE-98EC-4892-B4CC-620672E1ECD0} - System32\Tasks\Microsoft\Office\Office Feature Updates =&gt; C:\Program
              Files\Microsoft Office\root\Office16\sdxhelper.exe [142208 2022-09-18] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Task: {6D5E4CE5-B360-40C2-82EA-F9193CE82B45} - System32\Tasks\npcapwatchdog =&gt; C:\Program
              Files\Npcap\CheckStatus.bat [815 2021-09-08] () [File not signed]<br> Task: {81645350-7A7E-4586-930D-AA1963354214} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance =&gt;
              C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -&gt; Microsoft Corporation)<br> Task: {87B48BF5-2794-481C-9766-B28425BE7E49} - System32\Tasks\EOSv3
              Scheduler onTime =&gt; C:\Users\gngn1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [21737944 2022-09-21] (ESET, spol. s r.o. -&gt; ESET)<br> Task: {940B0A62-EB07-406B-AF8C-69A42C245B77} - System32\Tasks\Opera scheduled
              assistant Autoupdate 1638694264 =&gt; C:\Program Files\Opera\launcher.exe [2538448 2022-09-05] (Opera Norway AS -&gt; Opera Software) -&gt; --scheduledautoupdate --component-name=assistant --component-path="C:\Program
              Files\Opera\assistant" $(Arg0)<br> Task: {A7D8C990-6422-4667-87E3-FA40C47BB4B1} - System32\Tasks\EOSv3 Scheduler onLogOn =&gt; C:\Users\gngn1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [21737944 2022-09-21] (ESET, spol.
              s r.o. -&gt; ESET)<br> Task: {AC1FBF05-8B10-4509-AEF9-AB30ECDDC41C} - System32\Tasks\Microsoft\Windows\WaaSMedic\MaintenanceWork =&gt; {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32}<br> Task: {B0DE073A-B771-46E8-8A43-62AAF41CD5E2} -
              System32\Tasks\OneDrive Per-Machine Standalone Update Task =&gt; C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Task:
              {C2820938-5262-4E5B-BA4C-08EE29C71694} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon =&gt; C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [142208 2022-09-18] (Microsoft Corporation -&gt; Microsoft
              Corporation)<br> Task: {CFB3D3C2-5ED7-4025-973B-4173E78BFF79} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification =&gt; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960
              2022-09-07] (Microsoft Windows Publisher -&gt; Microsoft Corporation)<br> Task: {D15035A4-388C-4B0C-B13E-2588A970C419} - System32\Tasks\Microsoft\Office\Office Performance Monitor =&gt; C:\Program Files\Microsoft
              Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe [64408 2022-09-08] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Task: {D24345F4-A990-448B-97A8-778C14BE4C7C} - System32\Tasks\Mozilla\Firefox
              Background Update 308046B0AF4A39CB =&gt; C:\Program Files\Mozilla Firefox\firefox.exe --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE
              C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate<br> Task: {E13FF481-BB09-4CA9-9478-463D38661FA9} - System32\Tasks\TinyWall Controller =&gt;
              C:\Program Files (x86)\TinyWall\TinyWall.exe [867080 2021-10-26] (Károly Pados -&gt; Károly Pados)<br> Task: {FA7BFA7D-63B4-4DE5-8D36-09A74B86FCA2} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1001
              =&gt; C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation) </p>
            <p> (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) </p>
            <p> Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job =&gt; C:\Windows\explorer.exe </p>
            <p> ==================== Internet (Whitelisted) ==================== </p>
            <p> (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) </p>
            <p> Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt<br> Tcpip\Parameters: [DhcpNameServer] 9.9.9.9 149.112.112.112<br> Tcpip\..\Interfaces\{666ad4d3-6ec5-4013-a092-a6d61e020286}: [DhcpNameServer] 9.9.9.9
              149.112.112.112 </p>
            <p> Edge:&nbsp;<br> =======<br> Edge Profile: C:\Users\gngn1\AppData\Local\Microsoft\Edge\User Data\Default [2022-09-27]<br> Edge Extension: (Microsoft Power Automate) - C:\Users\gngn1\AppData\Local\Microsoft\Edge\User
              Data\Default\Extensions\njjljiblognghfjfpcdpdbpbfcmhgafg [2022-08-08]<br> Edge HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [njjljiblognghfjfpcdpdbpbfcmhgafg] </p>
            <p> FireFox:<br> ========<br> FF DefaultProfile: cb410ea4.default<br> FF ProfilePath: C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\cb410ea4.default [2021-12-15]<br> FF ProfilePath:
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release [2022-09-28]<br> FF Session Restore: Mozilla\Firefox\Profiles\za350ywr.default-release -&gt; is enabled.<br> FF Notifications:
              Mozilla\Firefox\Profiles\za350ywr.default-release -&gt; hxxps://web.telegram.org; hxxps://www.kiiroo.com; hxxps://electrothreads.com<br> FF Extension: (Disconnect) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\2.0@disconnect.me.xpi [2022-01-11]<br> FF Extension: (Google Container) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\@contain-google.xpi [2022-01-11]<br> FF Extension: (Keepa - Amazon Price Tracker) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\amptra@keepa.com.xpi [2022-04-18]<br> FF Extension: (OneNote Web Clipper) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\Clipper@OneNote.com.xpi [2022-04-14]<br> FF Extension: (Don't ***** With Paste) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\Dont*****WithPaste@raim.ist.xpi [2022-01-11]<br> FF Extension: (Folx) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\folx5@eltima.com.xpi [2022-01-11]<br> FF Extension: (Disable WebRTC) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-5Fs7iTLscUaZBgwr@jetpack.xpi [2022-01-11]<br> FF Extension: (Honey) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-93CWPmRbVPjRQA@jetpack.xpi [2022-01-11]<br> FF Extension: (Decentraleyes) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-BoFifL9Vbdl2zQ@jetpack.xpi [2022-02-01]<br> FF Extension: (I don't care about cookies) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-KKzOGWgsW3Ao4Q@jetpack.xpi [2022-09-15]<br> FF Extension: (Double-click Image Downloader) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-xgtdawe3yyUeBQ@jetpack.xpi [2022-01-11]<br> FF Extension: (Reddit Enhancement Suite) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi [2022-02-02]<br> FF Extension: (Pinterest Save Button) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi [2022-03-02]<br> FF Extension: (JSONovich) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jsonovich@lackoftalent.org.xpi [2022-04-05]<br> FF Extension: (IDM Integration Module) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\mozilla_cc3@internetdownloadmanager.com.xpi [2022-05-27]<br> FF Extension: (Download Manager (S3)) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\s3download@statusbar.xpi [2022-01-11]<br> FF Extension: (Save webP as PNG or JPEG) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\savewebpas@jeffersonscher.com.xpi [2022-09-23]<br> FF Extension: (LastPass: Free Password Manager) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\support@lastpass.com.xpi [2022-08-06]<br> FF Extension: (Google Translator for Firefox) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\translator@zoli.bod.xpi [2022-01-11]<br> FF Extension: (uBlock Origin) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\uBlock0@raymondhill.net.xpi [2022-09-20]<br> FF Extension: (Paste n' Go) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{000a756d-5efb-4897-b40c-57ef8c5caa59}.xpi [2022-01-11]<br> FF Extension: (Take Webpage Screenshots Entirely - FireShot) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}.xpi [2022-09-15]<br> FF Extension: (CSS Toggler) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{16898b73-edd0-419f-a0a9-e5afd2a4c904}.xpi [2022-05-02]<br> FF Extension: (Download All Images) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{32af1358-428a-446d-873e-5f8eb5f2a72e}.xpi [2022-08-22]<br> FF Extension: (Send to VLC (VideoLAN) media player) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{3e0ac434-26e0-4c03-b757-3078486800c3}.xpi [2022-01-11]<br> FF Extension: (Disable JavaScript) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{41f9e51d-35e4-4b29-af66-422ff81c8b41}.xpi [2022-01-11]<br> FF Extension: (Eno® from Capital One®) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{4d5b7a5e-5232-9e45-97f4-f8e1ca2626e5}.xpi [2022-07-20]<br> FF Extension: (Science Fiction Florest) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{4d6138be-7d98-4fed-8cb9-277c3a351183}.xpi [2022-01-11]<br> FF Extension: (Blue Carbon Fiber) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{5ab03bdd-3d91-4c73-801e-607ca27458d0}.xpi [2022-01-11]<br> FF Extension: (ColorZilla) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}.xpi [2022-01-11]<br> FF Extension: (Hot air balloons v5 by CP) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{790388bf-f135-4368-ab9b-36c8062a09c2}.xpi [2022-01-11]<br> FF Extension: (Plexus Crystals (Yellow)) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{826d3ea1-5a85-4e6c-8749-aff3f72ccc5d}.xpi [2022-01-11]<br> FF Extension: (Clippings) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{91aa5abe-9de4-4347-b7b5-322c38dd9271}.xpi [2022-09-19]<br> FF Extension: (Absolute Right Click) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{9350bc42-47fb-4598-ae0f-825e3dd9ceba}.xpi [2022-01-11]<br> FF Extension: (RESTClient) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ad0d925d-88f8-47f1-85ea-8463569e756e}.xpi [2022-04-05]<br> FF Extension: (Capital One Shopping: Online Coupon Tool) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{aff8af88-06a9-4eee-b383-3af08c47b8c8}.xpi [2022-09-26]<br> FF Extension: (The universe of ancient times.) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{b6d370bd-f532-4049-9a82-f53b47f369b3}.xpi [2022-01-11]<br> FF Extension: (Video DownloadHelper) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2022-05-12]<br> FF Extension: (flashy pastel rainbow) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ced18bb2-3a5e-4d85-b0ad-5b99cb34fa73}.xpi [2022-01-11]<br> FF Extension: (Polynial design) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{d7dce9c0-165e-44ff-90b9-c5ce9f7a7721}.xpi [2022-01-11]<br> FF Extension: (Read Aloud: A Text to Speech Voice Reader) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ddc62400-f22d-4dd3-8b4a-05837de53c2e}.xpi [2022-09-01]<br> FF Extension: (Matte Black (Orange)) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{e7c9fb23-17c0-4bb6-a8ba-ff52a7770b89}.xpi [2022-02-24]<br> FF Extension: (Plexus Crystals (Violet)) -
              C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ff571d12-dfde-4e8f-be1d-38c145a98443}.xpi [2022-02-24]<br> FF Plugin: @microsoft.com/SharePoint,version=14.0 -&gt; C:\Program Files\Microsoft
              Office\root\Office16\NPSPWRAP.DLL [2022-07-07] (Microsoft Corporation -&gt; Microsoft Corporation)<br> FF Plugin: @videolan.org/vlc,version=3.0.16 -&gt; C:\Program Files\VideoLAN\VLC\npvlc.dll [2021-06-18] (VideoLAN -&gt; VideoLAN)<br>
              FF Plugin: adobe.com/AdobeAAMDetect -&gt; C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2022-07-25] (Adobe Inc. -&gt; Adobe Systems)<br> FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -&gt;
              C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2022-07-07] (Microsoft Corporation -&gt; Microsoft Corporation)<br> FF Plugin-x32: adobe.com/AdobeAAMDetect -&gt; C:\Program Files
              (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2022-07-25] (Adobe Inc. -&gt; Adobe Systems) </p>
            <p> Chrome:&nbsp;<br> =======<br> CHR HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [gjgfobnenmnljakmhboildkafdkicala] </p>
            <p> Opera:&nbsp;<br> =======<br> OPR Profile: C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable [2022-09-26]<br> OPR Notifications: Opera Stable -&gt; hxxps://web.telegram.org; hxxps://www.philadelphiaeagles.com<br> OPR
              DefaultSuggestURL: Opera Stable -&gt; hxxps://www.google.com/complete/search?client=opera&amp;q={searchTerms}&amp;ie={inputEncoding}&amp;oe={outputEncoding}<br> OPR Extension: (Rich Hints Agent) - C:\Users\gngn1\AppData\Roaming\Opera
              Software\Opera Stable\Extensions\enegjkbbakeegngfapepobipndnebkdk [2022-07-28]<br> OPR Extension: (Opera Crypto Wallet) - C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable\Extensions\gojhcdgcpbpfigcaejpfhfegekdgiblk
              [2022-07-28]<br> OPR Extension: (Amazon Assistant Promotion) - C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable\Extensions\kbmoiomgmchbpihhdpabemajcbjpcijk [2021-12-20] </p>
            <p> ==================== Services (Whitelisted) =================== </p>
            <p> (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) </p>
            <p> R2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [923656 2022-07-25] (Adobe Inc. -&gt; Adobe Inc.)<br> R2 Apple Mobile Device Service; C:\Program
              Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [99104 2021-08-20] (Apple Inc. -&gt; Apple Inc.)<br> R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [12131256
              2022-09-18] (Microsoft Corporation -&gt; Microsoft Corporation)<br> S3 dcsvc; C:\Windows\system32\dcsvc.dll [831488 2022-09-13] (Microsoft Windows -&gt; Microsoft Corporation)<br> R2 Everything;
              C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64\Everything.exe [2266128 2022-09-22] (voidtools -&gt; voidtools)<br> S3 FileSyncHelper; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncHelper.exe [3383688 2022-09-26]
              (Microsoft Corporation -&gt; Microsoft Corporation)<br> R2 FusionService; C:\Program Files\Dell\Fusion\FusionService.exe [19096 2021-10-13] (Dell Inc -&gt; Dell Inc.)<br> R2 JumpConnect; C:\Program Files (x86)\Phase Five Systems\Jump
              Desktop Connect\6.7.69.0\JumpConnect.exe [154080 2022-01-07] (PhaseFive Systems LLC -&gt; Phase Five Systems)<br> S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7901368 2021-12-05] (Malwarebytes Inc -&gt;
              Malwarebytes)<br> S3 OneDrive Updater Service; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\OneDriveUpdaterService.exe [3804032 2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> R2 OptionsPlusUpdaterService;
              C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe [17029376 2022-09-12] (Logitech Inc -&gt; Logitech, Inc.)<br> R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [12912936 2021-11-16] (TeamViewer Germany
              GmbH -&gt; TeamViewer Germany GmbH)<br> R2 TeraCopyService.exe; C:\Program Files\TeraCopy\TeraCopyService.exe [114384 2021-04-21] (Code Sector -&gt; )<br> R2 TinyWall; C:\Program Files (x86)\TinyWall\TinyWall.exe [867080 2021-10-26]
              (Károly Pados -&gt; Károly Pados)<br> R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\NisSrv.exe [3125112 2022-09-07] (Microsoft Windows Publisher -&gt; Microsoft Corporation)<br> R2 WinDefend;
              C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe [133560 2022-09-07] (Microsoft Windows Publisher -&gt; Microsoft Corporation)<br> S2 Wondershare InstallAssist;
              C:\ProgramData\Wondershare\Service\InstallAssistService.exe [X]<br> R2 ZoomCptService; "C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe" -user_path "C:\Users\gngn1\AppData\Roaming\Zoom" </p>
            <p> ===================== Drivers (Whitelisted) =================== </p>
            <p> (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) </p>
            <p> S3 AppleKmdfFilter; C:\Windows\System32\drivers\AppleKmdfFilter.sys [20032 2020-10-09] (WDKTestCert build,132303256403278908 -&gt; Apple Inc.)<br> S3 AppleLowerFilter; C:\Windows\System32\drivers\AppleLowerFilter.sys [35976
              2020-10-09] (WDKTestCert build,132303256403278908 -&gt; Apple Inc.)<br> S3 DDDriver; C:\Windows\System32\drivers\dddriver64Dcsa.sys [43400 2021-09-09] (Microsoft Windows Hardware Compatibility Publisher -&gt; Dell Technologies)<br> R0
              fse; C:\Windows\System32\drivers\fse.sys [193888 2022-05-11] (Microsoft Windows -&gt; Microsoft Corporation)<br> S3 IntelGNA; C:\Windows\System32\DriverStore\FileRepository\gna.inf_amd64_c08af0e43cbc91c3\gna.sys [83856 2020-08-04]
              (Gaussian Mixture Models and Neural Networks Accelerator -&gt; Intel Corporation)<br> R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [210352 2022-09-26] (Microsoft Windows Hardware Compatibility Publisher -&gt;
              Malwarebytes)<br> S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [19912 2021-12-05] (Microsoft Windows Early Launch Anti-malware Publisher -&gt; Malwarebytes)<br> S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys
              [248992 2022-03-27] (Malwarebytes Inc -&gt; Malwarebytes)<br> R3 MpKsl84bd6d14; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E54752FF-50C6-4067-A464-757ABA79C676}\MpKslDrv.sys [228600 2022-09-28] (Microsoft Windows
              -&gt; Microsoft Corporation)<br> S3 MYFAULT; C:\Windows\system32\drivers\myfault.sys [27848 2022-09-27] (Microsoft Windows Hardware Compatibility Publisher -&gt; Sysinternals)<br> R1 npcap; C:\Windows\system32\DRIVERS\npcap.sys [72792
              2021-11-30] (Insecure.Com LLC -&gt; Insecure.Com LLC.)<br> U5 PROCMON24; C:\Windows\System32\Drivers\PROCMON24.sys [95632 2022-09-26] (Microsoft Windows Hardware Compatibility Publisher -&gt; Sysinternals - www.sysinternals.com)<br> R3
              USBPcap; C:\Windows\system32\DRIVERS\USBPcap.sys [52872 2020-05-22] (Tomasz Moń -&gt; USBPcap)<br> S3 vmbusproxy; C:\Windows\system32\drivers\vmbusproxy.sys [90112 2022-04-06] (Microsoft Windows -&gt; )<br> S0 WdBoot;
              C:\Windows\System32\drivers\wd\WdBoot.sys [49576 2022-09-07] (Microsoft Windows Early Launch Anti-malware Publisher -&gt; Microsoft Corporation)<br> R0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [453904 2022-09-07] (Microsoft
              Windows -&gt; Microsoft Corporation)<br> R3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [94480 2022-09-07] (Microsoft Windows -&gt; Microsoft Corporation)<br> R3 WiManH;
              C:\Windows\System32\DriverStore\FileRepository\wiman.inf_amd64_f0ed422f0b4a6c99\WiManH\WiManH.sys [172896 2020-11-23] (Intel Wireless Driver -&gt; )<br> U4 npcap_wifi; no ImagePath </p>
            <p> ==================== NetSvcs (Whitelisted) =================== </p>
            <p> (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) </p>
            <p> NETSVC: DcSvc -&gt; C:\Windows\system32\dcsvc.dll (Microsoft Corporation) </p>
            <p> ==================== One month (created) (Whitelisted) ========= </p>
            <p> (If an entry is included in the fixlist, the file/folder will be moved.) </p>
            <p> 2022-09-29 00:16 - 2022-09-29 00:16 - 000031964 _____ C:\Users\gngn1\Desktop\FRST.txt<br> 2022-09-29 00:16 - 2022-09-29 00:16 - 000000000 ____D C:\FRST<br> 2022-09-29 00:14 - 2022-09-29 00:15 - 002371072 _____ (Farbar)
              C:\Users\gngn1\Desktop\frst64.exe<br> 2022-09-28 22:41 - 2022-09-28 22:41 - 000000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job<br> 2022-09-28 13:35 - 2022-09-28 13:35 - 000000519 _____ C:\Users\gngn1\Desktop\OS (C) -
              Shortcut.lnk<br> 2022-09-27 03:10 - 2022-09-27 03:10 - 000027848 _____ (Sysinternals) C:\Windows\system32\Drivers\myfault.sys<br> 2022-09-26 22:56 - 2022-09-26 22:56 - 000003194 _____ C:\Windows\system32\Tasks\OneDrive Per-Machine
              Standalone Update Task<br> 2022-09-26 22:56 - 2022-09-26 22:56 - 000002104 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk<br> 2022-09-26 05:16 - 2022-09-26 05:16 - 000095632 ____H (Sysinternals -
              www.sysinternals.com) C:\Windows\system32\Drivers\PROCMON24.SYS<br> 2022-09-26 01:57 - 2022-09-26 01:57 - 000000000 ____D C:\Users\Sokka\AppData\Local\ClassicShell<br> 2022-09-26 01:56 - 2022-09-26 01:56 - 000000000 ____D
              C:\Users\Sokka\AppData\Roaming\ClassicShell<br> 2022-09-26 01:33 - 2022-09-26 01:33 - 000210352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys<br> 2022-09-26 00:31 - 2022-09-26 00:31 - 000000000 ____D
              C:\Users\Sokka\AppData\Local\Comms<br> 2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\Mozilla<br> 2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D C:\Users\Sokka\AppData\LocalLow\Mozilla<br>
              2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D C:\Users\Sokka\AppData\Local\Mozilla<br> 2022-09-26 00:16 - 2022-09-26 22:56 - 000003588 _____ C:\Windows\system32\Tasks\OneDrive Reporting
              Task-S-1-5-21-1789883001-303321401-512692908-1003<br> 2022-09-26 00:16 - 2022-09-26 00:16 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\Logishrd<br> 2022-09-26 00:15 - 2022-09-26 01:57 - 000000000 ____D
              C:\Users\Sokka\AppData\Local\LogiOptionsPlus<br> 2022-09-26 00:15 - 2022-09-26 00:57 - 000000000 ____D C:\Users\Sokka\AppData\Local\D3DSCache<br> 2022-09-26 00:15 - 2022-09-26 00:31 - 000000000 ____D
              C:\Users\Sokka\AppData\Local\Packages<br> 2022-09-26 00:15 - 2022-09-26 00:15 - 000002411 _____ C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk<br> 2022-09-26 00:15 - 2022-09-26 00:15 - 000000020
              ___SH C:\Users\Sokka\ntuser.ini<br> 2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 __SHD C:\Users\Sokka\IntelGraphicsProfiles<br> 2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\TinyWall<br>
              2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\Adobe<br> 2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\LocalLow\Intel<br> 2022-09-26 00:15 - 2022-09-26 00:15 -
              000000000 ____D C:\Users\Sokka\AppData\Local\VirtualStore<br> 2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Local\Publishers<br> 2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D
              C:\Users\Sokka\AppData\Local\ConnectedDevicesPlatform<br> 2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka<br> 2022-09-26 00:15 - 2022-08-16 04:55 - 000000000 ___RD C:\Users\Sokka\OneDrive<br> 2022-09-26 00:15 -
              2021-06-05 07:04 - 000001281 _____ C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools.lnk<br> 2022-09-26 00:15 - 2021-06-05 07:04 - 000000407 _____
              C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Explorer.lnk<br> 2022-09-26 00:12 - 2022-09-26 00:12 - 000000000 ____D C:\Users\Public\Documents\MDMDiagnostics<br> 2022-09-24 13:51 - 2022-09-25 22:10 -
              000000000 ____D C:\TDSSKiller_Quarantine<br> 2022-09-24 13:45 - 2022-09-24 13:45 - 005054744 _____ (AO Kaspersky Lab) C:\Users\gngn1\Downloads\tdsskiller.exe<br> 2022-09-24 13:43 - 2022-09-24 13:44 - 000000000 ____D C:\AdwCleaner<br>
              2022-09-24 13:43 - 2022-09-24 13:43 - 008551608 _____ (Malwarebytes) C:\Users\gngn1\Downloads\AdwCleaner.exe<br> 2022-09-23 11:32 - 2022-09-24 11:44 - 000000000 ____D C:\Program Files\Mozilla Firefox<br> 2022-09-23 01:44 - 2022-09-23
              01:44 - 000000000 ____D C:\Users\gngn1\AppData\Local\falkon<br> 2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Falkon<br> 2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D
              C:\Program Files\Falkon<br> 2022-09-23 01:42 - 2022-09-23 01:43 - 065878530 _____ C:\Users\gngn1\Downloads\Falkon.Installer.3.1.0.x64.exe<br> 2022-09-23 01:33 - 2022-09-23 01:33 - 000022555 _____
              C:\Users\gngn1\Downloads\surf-2.1.tar.gz<br> 2022-09-23 00:58 - 2022-09-23 00:58 - 001418600 _____ (Thomas E Dickey ) C:\Users\gngn1\Downloads\lynx-newssl-setup.exe<br> 2022-09-22 22:51 - 2022-09-22 22:52 - 000000000 ___HD
              C:\adobeTemp<br> 2022-09-22 13:36 - 2022-09-22 13:36 - 029933858 _____ C:\Users\gngn1\AppData\LocalLow\wbk28E7.tmp<br> 2022-09-22 12:12 - 2022-06-27 00:17 - 004946512 _____ (Intel Corporation)
              C:\Windows\system32\Drivers\Netwtw10.sys<br> 2022-09-22 12:12 - 2022-06-27 00:17 - 001626200 _____ (Intel Corporation) C:\Windows\system32\IntelIHVRouter10.dll<br> 2022-09-22 12:12 - 2022-06-25 21:53 - 055467080 _____
              C:\Windows\system32\Drivers\Netwfw10.dat<br> 2022-09-22 11:21 - 2022-09-26 00:14 - 000000000 ____D C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64<br> 2022-09-22 11:21 - 2022-09-22 11:21 - 001804512 _____
              C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64.zip<br> 2022-09-21 22:30 - 2022-09-21 22:30 - 000003842 _____ C:\Windows\system32\Tasks\EOSv3 Scheduler onLogOn<br> 2022-09-21 22:30 - 2022-09-21 22:30 - 000003400 _____
              C:\Windows\system32\Tasks\EOSv3 Scheduler onTime<br> 2022-09-21 16:58 - 2022-09-21 16:58 - 015274968 _____ (ESET) C:\Users\gngn1\Desktop\esetonlinescanner.exe<br> 2022-09-21 16:58 - 2022-09-21 16:58 - 000001290 _____
              C:\Users\gngn1\Desktop\ESET Online Scanner.lnk<br> 2022-09-19 19:18 - 2022-09-19 19:18 - 000134259 _____ C:\Users\gngn1\Downloads\Beautiful identical blondes *****ing - XNXX.COM.mp4<br> 2022-09-19 08:17 - 2022-09-19 08:17 - 000131268
              _____ C:\Users\gngn1\Downloads\Blonde Blows and Toes - XNXX.COM.mp4<br> 2022-09-19 02:21 - 2022-09-19 02:21 - 000132024 _____ C:\Users\gngn1\Downloads\Mad land owner put sexy brunette student in bondage and roug.mp4<br> 2022-09-19 02:09
              - 2022-09-19 02:09 - 000133819 _____ C:\Users\gngn1\Downloads\Femdom Pegging With Big Strapon - XNXX.COM.mp4<br> 2022-09-17 02:23 - 2022-09-17 02:23 - 000000986 _____ C:\Users\Public\Desktop\PotPlayer 64 bit.lnk<br> 2022-09-15 15:14 -
              2022-09-15 15:14 - 000004158 _____ C:\Windows\system32\Tasks\Opera scheduled assistant Autoupdate 1638694264<br> 2022-09-13 21:17 - 2022-09-13 21:17 - 000335872 _____ C:\Windows\system32\Windows.Management.InprocObjects.dll<br>
              2022-09-13 21:17 - 2022-09-13 21:17 - 000015030 _____ C:\Windows\system32\DrtmAuthTxt.wim<br> 2022-09-13 21:15 - 2022-09-13 21:15 - 000000000 ___HD C:\$WinREAgent<br> 2022-09-13 13:14 - 2022-09-13 13:14 - 000000000 ____D
              C:\Users\gngn1\AppData\Local\FirmwareUpdateTool<br> 2022-09-12 23:57 - 2022-09-28 22:58 - 000000000 ____D C:\Users\gngn1\AppData\Local\LogiOptionsPlus<br> 2022-09-12 23:57 - 2022-09-22 14:29 - 000000000 ____D
              C:\Users\gngn1\AppData\Roaming\logioptionsplus<br> 2022-09-12 23:57 - 2022-09-12 23:58 - 000000000 ____D C:\Program Files\LogiOptionsPlus<br> 2022-09-12 23:57 - 2022-09-12 23:57 - 000000931 _____ C:\Users\Public\Desktop\Logi
              Options+.lnk<br> 2022-09-12 23:57 - 2022-09-12 23:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logi<br> 2022-09-12 23:57 - 2022-09-12 23:57 - 000000000 ____D C:\ProgramData\LogiOptionsPlus<br> 2022-09-07
              09:15 - 2022-09-07 09:15 - 000003946 _____ C:\Windows\system32\Tasks\Opera scheduled Autoupdate 1638694259<br> 2022-09-07 09:15 - 2022-09-07 09:15 - 000001075 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera
              Browser.lnk<br> 2022-09-02 20:34 - 2022-09-02 20:41 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Wireshark<br> 2022-09-02 20:32 - 2022-09-02 20:32 - 000003460 _____ C:\Windows\system32\Tasks\npcapwatchdog<br> 2022-09-02 20:32 -
              2022-09-02 20:32 - 000001789 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk<br> 2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Windows\SysWOW64\Npcap<br> 2022-09-02 20:32 - 2022-09-02 20:32 -
              000000000 ____D C:\Windows\system32\Npcap<br> 2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Program Files\USBPcap<br> 2022-09-02 20:31 - 2022-09-02 20:33 - 000000000 ____D C:\Program Files\Wireshark<br> 2022-09-02 20:31 -
              2022-09-02 20:32 - 000000000 ____D C:\Program Files\Npcap<br> 2022-09-02 20:27 - 2022-09-02 20:28 - 077256616 _____ (Wireshark development team) C:\Users\gngn1\Downloads\Wireshark-win64-3.6.7.exe<br> 2022-09-01 10:21 - 2022-09-28 15:26
              - 000000000 ____D C:\AITEMP<br> 2022-09-01 08:50 - 2022-09-21 16:58 - 000001396 _____ C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk<br> 2022-09-01 08:50 - 2022-09-21 16:58 - 000000000 ____D
              C:\Users\gngn1\AppData\Local\ESET </p>
            <p> ==================== One month (modified) ================== </p>
            <p> (If an entry is included in the fixlist, the file/folder will be moved.) </p>
            <p> 2022-09-29 00:15 - 2022-01-11 17:07 - 000000000 ____D C:\Users\gngn1\Documents\Outlook Files<br> 2022-09-29 00:12 - 2021-12-15 02:36 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\TinyWall<br> 2022-09-28 23:59 - 2021-06-05 07:10 -
              000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft<br> 2022-09-28 23:47 - 2021-06-05 07:10 - 000000000 ___HD C:\Program Files\WindowsApps<br> 2022-09-28 23:47 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\AppReadiness<br>
              2022-09-28 23:11 - 2021-12-06 03:03 - 000000000 ____D C:\Users\gngn1\AppData\Local\ClassicShell<br> 2022-09-28 23:08 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SystemTemp<br> 2022-09-28 23:03 - 2021-12-15 02:36 - 000000000 ____D
              C:\ProgramData\TinyWall<br> 2022-09-28 23:03 - 2021-12-05 03:50 - 000000000 ____D C:\Program Files\Opera<br> 2022-09-28 23:03 - 2021-11-09 18:32 - 000980092 _____ C:\Windows\system32\PerfStringBackup.INI<br> 2022-09-28 23:03 -
              2021-06-05 07:09 - 000000000 ____D C:\Windows\INF<br> 2022-09-28 22:58 - 2022-03-27 14:36 - 000000000 ____D C:\Intel<br> 2022-09-28 22:58 - 2021-12-05 03:54 - 000000000 ____D C:\Program Files (x86)\TeamViewer<br> 2022-09-28 22:58 -
              2021-12-05 03:23 - 000000000 ___RD C:\Users\gngn1\OneDrive<br> 2022-09-28 22:58 - 2021-11-09 18:28 - 000012288 ___SH C:\DumpStack.log.tmp<br> 2022-09-28 22:58 - 2021-11-09 18:28 - 000000006 ____H C:\Windows\Tasks\SA.DAT<br> 2022-09-28
              22:57 - 2022-03-27 11:47 - 000692370 _____ C:\Windows\ntbtlog.txt<br> 2022-09-28 22:57 - 2021-06-05 07:01 - 000786432 _____ C:\Windows\system32\config\BBI<br> 2022-09-28 22:38 - 2021-12-05 03:10 - 000000000 ____D C:\Users\gngn1<br>
              2022-09-28 22:36 - 2021-12-15 02:18 - 000000000 ____D C:\Users\gngn1\AppData\LocalLow\Mozilla<br> 2022-09-28 22:34 - 2022-03-25 05:54 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\TeraCopy<br> 2022-09-28 22:27 - 2021-11-09 18:28 -
              000000000 ____D C:\Windows\system32\SleepStudy<br> 2022-09-28 13:46 - 2022-01-12 13:20 - 000000000 ___RD C:\Users\gngn1\Creative Cloud Files<br> 2022-09-28 13:35 - 2022-03-11 04:25 - 000036208 _____ (Sysinternals - www.sysinternals.com)
              C:\Windows\system32\Drivers\PROCEXP152.SYS<br> 2022-09-27 22:25 - 2021-12-05 03:22 - 000000000 ____D C:\Users\gngn1\AppData\Local\D3DSCache<br> 2022-09-27 22:08 - 2021-12-05 03:22 - 000000000 ____D
              C:\Users\gngn1\AppData\Local\Packages<br> 2022-09-27 22:08 - 2021-11-09 18:29 - 000000000 ____D C:\ProgramData\Packages<br> 2022-09-27 22:06 - 2022-08-17 08:58 - 000000000 ____D C:\Program Files\Microsoft OneDrive<br> 2022-09-27 21:15 -
              2022-03-11 04:10 - 000000000 ____D C:\sysinternals<br> 2022-09-26 22:56 - 2021-12-15 00:05 - 000003588 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1001<br> 2022-09-26 12:34 -
              2022-04-06 22:49 - 000001623 _____ C:\Windows\system32\config\VSMIDK<br> 2022-09-26 09:15 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\LiveKernelReports<br> 2022-09-26 03:16 - 2022-02-07 01:19 - 000003118 _____
              C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1002<br> 2022-09-26 02:18 - 2022-02-12 00:36 - 000000000 ____D C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38<br> 2022-09-26 02:05 -
              2022-01-08 17:39 - 000000000 ____D C:\Users\gngn1\AppData\Local\CrashDumps<br> 2022-09-26 00:31 - 2021-06-05 07:10 - 000000000 ___RD C:\Windows\PrintDialog<br> 2022-09-26 00:15 - 2021-11-09 18:52 - 000000000 __RHD
              C:\Users\Public\AccountPictures<br> 2022-09-26 00:15 - 2021-06-05 07:10 - 000000000 ___RD C:\Windows\ImmersiveControlPanel<br> 2022-09-25 23:22 - 2021-12-05 03:22 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Adobe<br> 2022-09-24
              22:56 - 2021-06-05 07:01 - 000000000 ____D C:\Windows\CbsTemp<br> 2022-09-24 11:44 - 2021-12-05 03:50 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service<br> 2022-09-24 11:44 - 2021-06-05 07:10 - 000000000 ____D
              C:\Windows\ServiceState<br> 2022-09-23 13:32 - 2021-12-05 03:50 - 000001007 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk<br> 2022-09-23 13:32 - 2021-12-05 03:50 - 000000000 ____D
              C:\Windows\system32\Tasks\Mozilla<br> 2022-09-23 12:35 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\SecurityHealth<br> 2022-09-22 21:52 - 2022-07-08 12:14 - 000000000 ____D C:\ProgramData\boost_interprocess<br> 2022-09-22
              13:38 - 2022-01-11 17:45 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\vlc<br> 2022-09-22 11:18 - 2022-08-04 21:50 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\QtProject<br> 2022-09-21 12:09 - 2021-12-22 14:02 - 000000000 ____D
              C:\Users\gngn1\AppData\Roaming\Telegram Desktop<br> 2022-09-21 12:02 - 2022-01-04 03:43 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Spotify<br> 2022-09-21 12:00 - 2022-01-15 00:13 - 000000000 ____D
              C:\Users\gngn1\AppData\Local\Spotify<br> 2022-09-20 17:51 - 2022-05-25 03:10 - 000000000 ____D C:\Users\gngn1\dwhelper<br> 2022-09-18 02:58 - 2021-11-09 18:41 - 000000000 ____D C:\Program Files\Microsoft Office<br> 2022-09-16 09:26 -
              2022-02-19 22:29 - 001285856 _____ C:\Windows\system32\FNTCACHE.DAT<br> 2022-09-16 09:26 - 2022-02-03 16:36 - 000000000 ____D C:\ProgramData\Logishrd<br> 2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SysWOW64\Dism<br>
              2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SystemResources<br> 2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\setup<br> 2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D
              C:\Windows\system32\oobe<br> 2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\Dism<br> 2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\DDFs<br> 2022-09-16 09:25 - 2021-06-05 07:10 -
              000000000 ____D C:\Windows\system32\appraiser<br> 2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\Provisioning<br> 2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\bcastdvr<br> 2022-09-13 21:21 -
              2021-12-06 16:53 - 000000000 ____D C:\Windows\system32\MRT<br> 2022-09-13 21:19 - 2021-12-06 16:53 - 141646296 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe<br> 2022-09-13 21:17 - 2021-11-09 18:31 - 003103744 _____
              (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll<br> 2022-09-13 02:12 - 2022-01-12 13:12 - 000000000 ____D C:\Program Files\Common Files\Adobe<br> 2022-09-07 04:33 - 2021-11-09 18:28 - 000000000 ____D
              C:\Windows\system32\Drivers\wd </p>
            <p> ==================== Files in the root of some directories ======== </p>
            <p> 2022-06-23 03:39 - 2022-06-23 03:39 - 000000036 _____ () C:\Users\gngn1\AppData\Local\.__explain_this_is_writeable_not_delete__<br> 2021-12-06 02:51 - 2022-08-25 23:21 - 000007686 _____ () C:\Users\gngn1\AppData\Local\Resmon.ResmonCfg
            </p>
            <p> ==================== SigCheck ============================ </p>
            <p> (There is no automatic fix for files that do not pass verification.) </p>
            <p> ==================== End of FRST.txt ======================== </p>
            <p> Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-08-2022<br> Ran by God (29-09-2022 00:16:53)<br> Running from C:\Users\gngn1\Desktop<br> Microsoft Windows 11 Home Version 21H2 22000.978 (X64) (2021-12-05
              08:22:38)<br> Boot Mode: Normal<br> ========================================================== </p>
            <p> ==================== Accounts: ============================= </p>
            <p> (If an entry is included in the fixlist, it will be removed.) </p>
            <p> Administrator (S-1-5-21-1789883001-303321401-512692908-500 - Administrator - Disabled)<br> DefaultAccount (S-1-5-21-1789883001-303321401-512692908-503 - Limited - Disabled)<br> God (S-1-5-21-1789883001-303321401-512692908-1001 -
              Administrator - Enabled) =&gt; C:\Users\gngn1<br> Guest (S-1-5-21-1789883001-303321401-512692908-501 - Limited - Disabled)<br> Sokka (S-1-5-21-1789883001-303321401-512692908-1003 - Limited - Enabled) =&gt; C:\Users\Sokka<br>
              WDAGUtilityAccount (S-1-5-21-1789883001-303321401-512692908-504 - Limited - Disabled) </p>
            <p> ==================== Security Center ======================== </p>
            <p> (If an entry is included in the fixlist, it will be removed.) </p>
            <p> AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} </p>
            <p> ==================== Installed Programs ====================== </p>
            <p> (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) </p>
            <p> 7-Zip 19.00 (x64 edition) (HKLM\...\{23170F69-40C1-2702-1900-000001000000}) (Version: 19.00.00.0 - Igor Pavlov)<br> 7-Zip 21.06 (x64) (HKLM\...\7-Zip) (Version: 21.06 - Igor Pavlov)<br> Adobe Bridge 2022 (HKLM-x32\...\KBRG_12_0_1)
              (Version: 12.0.1 - Adobe Inc.)<br> Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 5.8.0.592 - Adobe Inc.)<br> Adobe Illustrator 2022 (HKLM-x32\...\ILST_26_0_2) (Version: 26.0.2 - Adobe Inc.)<br> Adobe Premiere Rush
              (HKLM-x32\...\RUSH_2_0) (Version: 2.0 - Adobe Inc.)<br> Apple Mobile Device Support (HKLM\...\{527DD209-8A66-482F-8779-C7B3BACCA8F1}) (Version: 15.0.0.16 - Apple Inc.)<br> Apple Software Update
              (HKLM-x32\...\{A3985C05-7386-411F-A4BF-32A73F37EB44}) (Version: 2.6.3.1 - Apple Inc.)<br> Audacity 3.1.2 (HKLM\...\Audacity_is1) (Version: 3.1.2 - Audacity Team)<br> Autopsy (HKLM\...\{1633CA1B-52C0-47B5-9A31-5A7764F4BA83}) (Version:
              4.19.3 - The Sleuth Kit)<br> Classic Shell (HKLM\...\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}) (Version: 4.3.1 - IvoSoft)<br> Dell SupportAssist OS Recovery Plugin for Dell Update (HKLM-x32\...\{ec40a028-983b-4213-af2c-77ed6f6fe1d5})
              (Version: 5.4.1.14954 - Dell Inc.)<br> Dell SupportAssist Remediation (HKLM-x32\...\{0b3f567c-a2ee-437a-861f-bb6da9f2111b}) (Version: 5.5.0.16046 - Dell Inc.)<br> Dynamic Application Loader Host Interface Service
              (HKLM\...\{A28339C8-E641-4CCE-A316-56F405D1C245}) (Version: 1.0.0.0 - Intel Corporation) Hidden<br> EaseUS MobiSaver 8.0.2 (HKLM-x32\...\EaseUS MobiSaver_is1) (Version: &nbsp;- EaseUS)<br> EaseUS MobiUnlock 3.0.1 (HKLM-x32\...\EaseUS
              MobiUnlock_is1) (Version: &nbsp;- EaseUS)<br> Falkon 3.1.0 x64 (HKLM-x32\...\Falkon) (Version: 3.1.0 x64 - Falkon Team)<br> FastStone Image Viewer 7.5 (HKLM-x32\...\FastStone Image Viewer) (Version: 7.5 - FastStone Soft)<br> FileZilla
              Client 3.58.0 (HKLM-x32\...\FileZilla Client) (Version: 3.58.0 - Tim Kosse)<br> Fusion Service (HKLM\...\{599709E7-DD10-4FF5-96D5-7C6F6B5F62C0}) (Version: 1.92.22.0 - Dell.Inc) Hidden<br> Fusion Service
              (HKLM-x32\...\{81ce0187-37c1-4c23-8387-44454e1796ad}) (Version: 1.92.22.0 - Dell.Inc)<br> Google Earth Pro (HKLM\...\{C36E66A6-6EE5-47DB-945F-A6F03225D540}) (Version: 7.3.4.8573 - Google)<br> Intel(R) LMS
              (HKLM\...\{A0983640-26D2-4CD8-A512-747BF3CF3F82}) (Version: 1.0.0.0 - Intel Corporation) Hidden<br> Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 2101.15.0.2080 - Intel
              Corporation)<br> iTunes (HKLM\...\{0B3CC856-3A62-443A-B6CE-DED2D4495D56}) (Version: 12.12.2.2 - Apple Inc.)<br> Jump Desktop (HKLM\...\{388F7980-94E2-4BAD-9123-F07E05BD16A2}) (Version: 8.4.27.0 - Phase Five Systems)<br> Jump Desktop
              Connect (HKLM-x32\...\{081CADBE-4FE4-4AA9-A187-221A03078C6A}) (Version: 6.7.69.0 - Phase Five Systems)<br> Logi Options+ (HKLM\...\{850cdc16-85df-4052-b06e-4e3e9e83c5c6}) (Version: 1.22.5550 - Logitech)<br> Logitech Options
              (HKLM\...\LogiOptions) (Version: 9.60.87 - Logitech)<br> Malwarebytes version 4.4.11.149 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.4.11.149 - Malwarebytes)<br> Microsoft 365 - en-us (HKLM\...\O365HomePremRetail -
              en-us) (Version: 16.0.15601.20148 - Microsoft Corporation)<br> Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 105.0.1343.53 - Microsoft Corporation)<br> Microsoft OneDrive (HKLM\...\OneDriveSetup.exe) (Version: 22.191.0911.0001
              - Microsoft Corporation)<br> Microsoft OneNote - en-us (HKLM\...\OneNoteFreeRetail - en-us) (Version: 16.0.15601.20148 - Microsoft Corporation)<br> Microsoft Update Health Tools (HKLM\...\{6A2A8076-135F-4F55-BB02-DED67C8C6934})
              (Version: 4.67.0.0 - Microsoft Corporation)<br> Microsoft Visual C++ 2010 &nbsp;x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)<br> Microsoft Visual C++
              2010 &nbsp;x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)<br> Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
              (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)<br> Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version:
              11.0.61030.0 - Microsoft Corporation)<br> Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (HKLM\...\{37B8F9C7-03FB-3253-8781-2517C99D7C00}) (Version: 11.0.61030 - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2012
              x64 Minimum Runtime - 11.0.61030 (HKLM\...\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}) (Version: 11.0.61030 - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
              (HKLM-x32\...\{B175520C-86A2-35A7-8619-86DC379688B9}) (Version: 11.0.61030 - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (HKLM-x32\...\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}) (Version:
              11.0.61030 - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664 (HKLM-x32\...\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}) (Version: 12.0.40664.0 - Microsoft Corporation)<br> Microsoft Visual C++
              2013 Redistributable (x86) - 12.0.40664 (HKLM-x32\...\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}) (Version: 12.0.40664.0 - Microsoft Corporation)<br> Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664
              (HKLM\...\{010792BA-551A-3AC0-A7EF-0FAB4156C382}) (Version: 12.0.40664 - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664 (HKLM\...\{53CF6934-A98D-3D84-9146-FC4EDF3D5641}) (Version: 12.0.40664
              - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664 (HKLM-x32\...\{D401961D-3A20-3AC7-943B-6139D5BD490A}) (Version: 12.0.40664 - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2013
              x86 Minimum Runtime - 12.0.40664 (HKLM-x32\...\{8122DAB1-ED4D-3676-BB0A-CA368196543E}) (Version: 12.0.40664 - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326
              (HKLM-x32\...\{2d507699-404c-4c8b-a54a-38e352f32cdd}) (Version: 14.32.31326.0 - Microsoft Corporation)<br> Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.32.31326 (HKLM-x32\...\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a})
              (Version: 14.32.31326.0 - Microsoft Corporation)<br> Microsoft Visual C++ 2022 X64 Additional Runtime - 14.32.31326 (HKLM\...\{38624EB5-356D-4B08-8357-C33D89A5C0C5}) (Version: 14.32.31326 - Microsoft Corporation) Hidden<br> Microsoft
              Visual C++ 2022 X64 Minimum Runtime - 14.32.31326 (HKLM\...\{C96241EA-9900-4FE8-85B3-1E238D509DF6}) (Version: 14.32.31326 - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2022 X86 Additional Runtime - 14.32.31326
              (HKLM-x32\...\{A250E750-DB3F-40C1-8460-8EF77C7582DA}) (Version: 14.32.31326 - Microsoft Corporation) Hidden<br> Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.32.31326 (HKLM-x32\...\{46E11E7F-01E1-44D0-BB86-C67342D253DD}) (Version:
              14.32.31326 - Microsoft Corporation) Hidden<br> Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\{7C0242A3-8B66-35D1-9FE0-13B426ACB609}) (Version: 10.0.60729 - Microsoft Corporation) Hidden<br> Microsoft Visual
              Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.60724 - Microsoft Corporation)<br> Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 105.0.1 (x64
              en-US)) (Version: 105.0.1 - Mozilla)<br> Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 94.0.2 - Mozilla)<br> Npcap (HKLM-x32\...\NpcapInst) (Version: 1.60 - Nmap Project)<br> Office 16 Click-to-Run
              Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.15601.20064 - Microsoft Corporation) Hidden<br> Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE})
              (Version: 16.0.15601.20148 - Microsoft Corporation) Hidden<br> Opera Stable 90.0.4480.84 (HKLM-x32\...\Opera 90.0.4480.84) (Version: 90.0.4480.84 - Opera Software)<br> PotPlayer-64 bit (HKLM\...\PotPlayer64) (Version: 220914 - Kakao
              Corp.)<br> PuTTY release 0.76 (64-bit) (HKLM\...\{1E0D5689-40F1-4E46-ABBB-EAAC68B5CD89}) (Version: 0.76.0.0 - Simon Tatham)<br> qBittorrent 4.3.9 (HKLM-x32\...\qBittorrent) (Version: 4.3.9 - The qBittorrent project)<br> Revo Uninstaller
              2.3.8 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.3.8 - VS Revo Group, Ltd.)<br> Spotify (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Spotify) (Version: 1.1.94.870.gf994cb0b - Spotify AB)<br> SumatraPDF
              (HKLM\...\SumatraPDF) (Version: 3.3.3 - Krzysztof Kowalczyk)<br> TeamViewer (HKLM-x32\...\TeamViewer) (Version: 15.24.5 - TeamViewer)<br> Telegram Desktop version 4.1.1
              (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1) (Version: 4.1.1 - Telegram FZ-LLC)<br> TeraCopy (HKLM\...\{F8B0BB18-B1E6-4821-8C5B-883AA5DE3EEA}) (Version: 3.9.0 - Code Sector)<br>
              TinyWall (HKLM-x32\...\{6A366BCB-2A38-4D2A-80FD-A5E0C32C97C8}) (Version: 3.2.3.0 - Károly Pados)<br> USBPcap 1.5.4.0 (HKLM\...\USBPcap) (Version: 1.5.4.0 - Tomasz Mon)<br> UXP WebView Support (HKLM-x32\...\UXPW_1_1_0) (Version: 1.1.0 -
              Adobe Inc.)<br> VdhCoApp 1.6.3 (HKLM\...\weh-iss-net.downloadhelper.coapp_is1) (Version: &nbsp;- DownloadHelper)<br> VLC media player (HKLM\...\VLC media player) (Version: 3.0.16 - VideoLAN)<br> WinDirStat 1.1.2
              (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\WinDirStat) (Version: &nbsp;- )<br> WinMerge 2.16.16.0 x64 (HKLM\...\WinMerge_is1) (Version: 2.16.16.0 - Thingamahoochie Software)<br> WinRAR 6.02 (64-bit) (HKLM\...\WinRAR archiver)
              (Version: 6.02.0 - win.rar GmbH)<br> Wireshark 3.6.7 64-bit (HKLM-x32\...\Wireshark) (Version: 3.6.7 - The Wireshark developer community, hxxps://www.wireshark.org)<br> XnView 2.50.4 (HKLM-x32\...\XnView_is1) (Version: 2.50.4 - Gougelet
              Pierre-e)<br> Zoom (HKLM-x32\...\{1B8D4A17-201A-4113-A512-B7DEEF293AF1}) (Version: 5.8.2048 - Zoom) </p>
            <p> Packages:<br> =========<br> Adobe Notification Client -&gt; C:\Program Files\WindowsApps\AdobeNotificationClient_3.0.1.1_x86__enpm4xejd91yc [2022-04-28] (Adobe Systems Incorporated)<br> Dell Mobile Connect -&gt; C:\Program
              Files\WindowsApps\ScreenovateTechnologies.DellMobileConnectPlus_4.1.8330.0_x64__0vhbc3ng4wbp0 [2022-09-26] (Screenovate Technologies)<br> Intel® Optane™ Memory and Storage Management -&gt; C:\Program
              Files\WindowsApps\AppUp.IntelOptaneMemoryandStorageManagement_18.1.1032.0_x64__8j3eq9eme6ctt [2022-09-26] (INTEL CORP)<br> MPEG-2 Video Extension -&gt; C:\Program
              Files\WindowsApps\Microsoft.MPEG2VideoExtension_1.0.50901.0_x64__8wekyb3d8bbwe [2022-09-26] (Microsoft Corporation)<br> Photos Media Engine Add-on -&gt; C:\Program
              Files\WindowsApps\Microsoft.Photos.MediaEngineDLC_1.0.0.0_x64__8wekyb3d8bbwe [2022-04-02] (Microsoft Corporation)<br> Power Automate -&gt; C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.4447.0_x64__8wekyb3d8bbwe
              [2022-09-26] (Microsoft Corporation) [Startup Task]<br> Unigram—Telegram for Windows -&gt; C:\Program Files\WindowsApps\38833FF26BA1D.UnigramPreview_8.9.7687.0_x64__g9c9v27vpyspw [2022-09-05] (Unigram, Inc.) [Startup Task] </p>
            <p> ==================== Custom CLSID (Whitelisted): ============== </p>
            <p> (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) </p>
            <p> CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-231FB76D9980} -&gt; [Creative Cloud Files] =&gt; C:\Users\gngn1\Creative Cloud Files [2022-01-12 13:20]<br> CustomCLSID:
              HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{23B3E3D8-C162-4A8B-AB0C-0905DCB1DF19}\InprocServer32 -&gt;
              C:\Users\gngn1\AppData\Local\Packages\Microsoft.PowerAutomateDesktop_8wekyb3d8bbwe\TempState\RDP\DVCPlugin\x64\Microsoft.Flow.RPA.Desktop.UIAutomation.RDP.DVC.Plugin.dll (Microsoft Corporation -&gt; )<br> CustomCLSID:
              HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{2F81B25E-7507-4844-BFF2-77D2CC24CED4}\localserver32 -&gt; C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe (Adobe Inc. -&gt; Adobe Inc.)<br> CustomCLSID:
              HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{375360E1-2D4B-4DEB-9C05-B3A3CA553923}\InprocServer32 -&gt; C:\Program Files\Mozilla Firefox\notificationserver.dll (Mozilla Corporation -&gt; Mozilla Foundation)<br>
              CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -&gt; C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Inc. -&gt;
              Adobe Systems)<br> ShellIconOverlayIdentifiers: [ &nbsp; &nbsp;OneDrive1] -&gt; {BBACC218-34EA-4666-9D7A-C78F2274A524} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation
              -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers: [ &nbsp; &nbsp;OneDrive2] -&gt; {5AB7172C-9C11-405C-8DD5-AF20F3606282} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
              Corporation -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers: [ &nbsp; &nbsp;OneDrive3] -&gt; {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26]
              (Microsoft Corporation -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers: [ &nbsp; &nbsp;OneDrive4] -&gt; {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll
              [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers: [ &nbsp; &nbsp;OneDrive5] -&gt; {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =&gt; C:\Program Files\Microsoft
              OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers: [ &nbsp; &nbsp;OneDrive6] -&gt; {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =&gt; C:\Program
              Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers: [ &nbsp; &nbsp;OneDrive7] -&gt; {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =&gt;
              C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers: [ &nbsp; AccExtIco1] -&gt; {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}
              =&gt; C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -&gt; )<br> ShellIconOverlayIdentifiers: [ &nbsp; AccExtIco2] -&gt; {853B7E05-C47D-4985-909A-D0DC5C6D7303} =&gt; C:\Program
              Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -&gt; )<br> ShellIconOverlayIdentifiers: [ &nbsp; AccExtIco3] -&gt; {42D38F2E-98E9-4382-B546-E24E4D6D04BB} =&gt; C:\Program Files (x86)\Common
              Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -&gt; )<br> ShellIconOverlayIdentifiers: [ &nbsp;OptaneIconOverlay] -&gt; {A3AF6F6C-8BED-3D93-8B5D-33427B5D38E9} =&gt;
              C:\Windows\System32\DriverStore\FileRepository\iastorpinningcomponent.inf_amd64_ff8d0bd695f4bb2e\OptaneShellExt.dll [2022-02-07] (Intel Corporation -&gt; )<br> ShellIconOverlayIdentifiers-x32: [ &nbsp; &nbsp;OneDrive1] -&gt;
              {BBACC218-34EA-4666-9D7A-C78F2274A524} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers-x32: [ &nbsp;
              &nbsp;OneDrive2] -&gt; {5AB7172C-9C11-405C-8DD5-AF20F3606282} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br>
              ShellIconOverlayIdentifiers-x32: [ &nbsp; &nbsp;OneDrive3] -&gt; {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft
              Corporation)<br> ShellIconOverlayIdentifiers-x32: [ &nbsp; &nbsp;OneDrive4] -&gt; {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation
              -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers-x32: [ &nbsp; &nbsp;OneDrive5] -&gt; {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26]
              (Microsoft Corporation -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers-x32: [ &nbsp; &nbsp;OneDrive6] -&gt; {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =&gt; C:\Program Files\Microsoft
              OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> ShellIconOverlayIdentifiers-x32: [ &nbsp; &nbsp;OneDrive7] -&gt; {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =&gt; C:\Program
              Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> ContextMenuHandlers1: [ FileSyncEx] -&gt; {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =&gt; C:\Program
              Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> ContextMenuHandlers1: [7-Zip] -&gt; {23170F69-40C1-278A-1000-000100020000} =&gt; C:\Program
              Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed]<br> ContextMenuHandlers1: [AccExt] -&gt; {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} =&gt; C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll
              [2022-09-07] (Adobe Inc. -&gt; )<br> ContextMenuHandlers1: [TeraCopy] -&gt; {2386CB87-96FF-473D-A009-957E3BFE6F88} =&gt; C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -&gt; Code Sector)<br> ContextMenuHandlers1:
              [WinMerge] -&gt; {4E716236-AA30-4C65-B225-D68BBA81E9C2} =&gt; C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -&gt; hxxps://winmerge.org)<br> ContextMenuHandlers1: [WinRAR] -&gt;
              {B41DB860-64E4-11D2-9906-E49FADC173CA} =&gt; C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH -&gt; Alexander Roshal)<br> ContextMenuHandlers1-x32: [WinRAR32] -&gt; {B41DB860-8EE4-11D2-9906-E49FADC173CA} =&gt; C:\Program
              Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -&gt; Alexander Roshal)<br> ContextMenuHandlers2: [TeraCopy] -&gt; {2386CB87-96FF-473D-A009-957E3BFE6F88} =&gt; C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -&gt;
              Code Sector)<br> ContextMenuHandlers2: [WinMerge] -&gt; {4E716236-AA30-4C65-B225-D68BBA81E9C2} =&gt; C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -&gt; hxxps://winmerge.org)<br> ContextMenuHandlers3:
              [MBAMShlExt] -&gt; {57CE581A-0CB6-4266-9CA0-19364C90A0B3} =&gt; C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-12-05] (Malwarebytes Corporation -&gt; Malwarebytes)<br> ContextMenuHandlers3: [OptaneContextMenu] -&gt;
              {AD7EBB13-617D-3270-8FA8-46583499C4FB} =&gt; C:\Windows\System32\DriverStore\FileRepository\iastorpinningcomponent.inf_amd64_ff8d0bd695f4bb2e\OptaneShellExt.dll [2022-02-07] (Intel Corporation -&gt; )<br> ContextMenuHandlers4: [
              FileSyncEx] -&gt; {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -&gt; Microsoft Corporation)<br> ContextMenuHandlers4: [7-Zip]
              -&gt; {23170F69-40C1-278A-1000-000100020000} =&gt; C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed]<br> ContextMenuHandlers4: [TeraCopy] -&gt; {2386CB87-96FF-473D-A009-957E3BFE6F88} =&gt; C:\Program
              Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -&gt; Code Sector)<br> ContextMenuHandlers4: [WinMerge] -&gt; {4E716236-AA30-4C65-B225-D68BBA81E9C2} =&gt; C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi
              Sawanaka -&gt; hxxps://winmerge.org)<br> ContextMenuHandlers5: [ FileSyncEx] -&gt; {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =&gt; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation
              -&gt; Microsoft Corporation)<br> ContextMenuHandlers5: [WinMerge] -&gt; {4E716236-AA30-4C65-B225-D68BBA81E9C2} =&gt; C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -&gt; hxxps://winmerge.org)<br>
              ContextMenuHandlers6: [7-Zip] -&gt; {23170F69-40C1-278A-1000-000100020000} =&gt; C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed]<br> ContextMenuHandlers6: [AccExt] -&gt;
              {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} =&gt; C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -&gt; )<br> ContextMenuHandlers6: [MBAMShlExt] -&gt;
              {57CE581A-0CB6-4266-9CA0-19364C90A0B3} =&gt; C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-12-05] (Malwarebytes Corporation -&gt; Malwarebytes)<br> ContextMenuHandlers6: [StartMenuExt] -&gt;
              {E595F05F-903F-4318-8B0A-7F633B520D2B} =&gt; C:\Windows\system32\StartMenuHelper64.dll [2017-08-13] (Ivaylo Beltchev -&gt; IvoSoft) [File not signed]<br> ContextMenuHandlers6: [TeraCopy] -&gt; {2386CB87-96FF-473D-A009-957E3BFE6F88}
              =&gt; C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -&gt; Code Sector)<br> ContextMenuHandlers6: [WinRAR] -&gt; {B41DB860-64E4-11D2-9906-E49FADC173CA} =&gt; C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH
              -&gt; Alexander Roshal)<br> ContextMenuHandlers6-x32: [WinRAR32] -&gt; {B41DB860-8EE4-11D2-9906-E49FADC173CA} =&gt; C:\Program Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -&gt; Alexander Roshal) </p>
            <p> ==================== Codecs (Whitelisted) ==================== </p>
            <p> ==================== Shortcuts &amp; WMI ======================== </p>
            <p> ==================== Loaded Modules (Whitelisted) ============= </p>
            <p> 2022-02-21 11:25 - 2022-02-21 11:25 - 000144896 _____ () [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\libssh2.dll<br> 2022-02-21 11:25 - 2022-02-21 11:25 - 000077824 _____ () [File not signed]
              C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\zlib.dll<br> 2021-12-05 03:51 - 2021-11-24 09:00 - 000093696 _____ (Igor Pavlov) [File not signed] C:\Program Files\7-Zip\7-zip.dll<br> 2017-08-13 09:49 - 2017-08-13 09:49 -
              003664184 _____ (Ivaylo Beltchev -&gt; IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll<br> 2017-08-13 09:49 - 2017-08-13 09:49 - 000291128 _____ (Ivaylo Beltchev -&gt; IvoSoft) [File not signed]
              C:\Windows\system32\StartMenuHelper64.dll<br> 2021-11-09 18:41 - 2021-11-09 18:41 - 000000000 ____L (Microsoft Corporation) [simlink -&gt; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppvIsvSubsystems64.dll] C:\Program
              Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll<br> 2021-11-09 18:41 - 2021-11-09 18:41 - 000000000 ____L (Microsoft Corporation) [simlink -&gt; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2R64.dll]
              C:\Program Files\Microsoft Office\Root\Office16\c2r64.dll<br> 2022-01-07 10:41 - 2022-01-07 10:41 - 013733888 _____ (Phase Five Systems) [File not signed] C:\Program Files (x86)\Phase Five Systems\Jump Desktop
              Connect\6.7.69.0\JumpConnectCore.dll<br> 2022-02-21 11:25 - 2022-02-21 11:25 - 000355840 _____ (The cURL library, hxxp://curl.haxx.se/) [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\LIBCURL.dll<br>
              2022-02-21 11:25 - 2022-02-21 11:25 - 002286747 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\LIBEAY32.dll<br> 2022-02-21 11:25 - 2022-02-21 11:25 -
              000416627 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\SSLEAY32.dll </p>
            <p> ==================== Alternate Data Streams (Whitelisted) ======== </p>
            <p> ==================== Safe Mode (Whitelisted) ================== </p>
            <p> (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) </p>
            <p> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot =&gt; "AlternateShell"=""<br> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AutorunsDisabled =&gt; "AlternateShell"="cmd.exe"<br>
              HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\65395606.sys =&gt; ""="Driver"<br> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService =&gt; ""="Service"<br>
              HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\65395606.sys =&gt; ""="Driver"<br> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService =&gt; ""="Service"<br>
              HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer =&gt; ""="Service" </p>
            <p> ==================== Association (Whitelisted) ================= </p>
            <p> ==================== Internet Explorer (Whitelisted) ========== </p>
            <p> URLSearchHook: [S-1-5-21-1789883001-303321401-512692908-1001] ATTENTION =&gt; Default URLSearchHook is missing<br> BHO: No Name -&gt; {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -&gt; No File<br> BHO-x32: Skype for Business Browser Helper
              -&gt; {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -&gt; C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2022-08-16] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Handler:
              mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Handler-x32: mso-minsb-roaming.16 -
              {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Handler: mso-minsb.16 -
              {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} -
              C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} -
              C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft
              Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft
              Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -&gt; Microsoft Corporation)<br> Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft
              Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -&gt; Microsoft Corporation) </p>
            <p> ==================== Hosts content: ========================= </p>
            <p> (If needed Hosts: directive could be included in the fixlist to reset Hosts.) </p>
            <p> 2021-06-05 07:08 - 2021-10-11 02:45 - 000334861 _____ C:\Windows\system32\drivers\etc\hosts<br> 127.0.0.1 localhost<br> 0.0.0.0 fr.a2dfp.net<br> 0.0.0.0 mfr.a2dfp.net<br> 0.0.0.0 ad.a8.net<br> 0.0.0.0 asy.a8ww.net<br> 0.0.0.0
              static.a-ads.com<br> 0.0.0.0 abcstats.com<br> 0.0.0.0 track.acclaimnetwork.com<br> 0.0.0.0 csh.actiondesk.com<br> 0.0.0.0 ads.activepower.net<br> 0.0.0.0 app.activetrail.com<br> 0.0.0.0 ad2games.com<br> 0.0.0.0 adadvisor.net<br> 0.0.0.0
              www.adchimp.com<br> 0.0.0.0 pixel.adcrowd.com<br> 0.0.0.0 ct1.addthis.com<br> 0.0.0.0 static.uk.addynamo.com<br> 0.0.0.0 adexc.net<br> 0.0.0.0 static.adfclick1.com<br> 0.0.0.0 server.adformdsp.net<br> 0.0.0.0 s.adframesrc.com<br>
              0.0.0.0 media.adfrontiers.com<br> 0.0.0.0 www.adgitize.com<br> 0.0.0.0 www.ad-groups.com #[Ban Man Pro Banner Code]<br> 0.0.0.0 adgrx.com<br> 0.0.0.0 adhall.com<br> 0.0.0.0 adhitzads.com<br> 0.0.0.0 aj.adjungle.com<br> 0.0.0.0
              adserver-e7.com<br> 0.0.0.0 n.admagnet.net </p>
            <p> There are 8702 more lines. </p>
            <p>
              <br> 2022-01-20 10:16 - 2022-08-07 23:11 - 000000374 _____ C:\Windows\system32\drivers\etc\hosts.ics
            </p>
            <p> ==================== Other Areas =========================== </p>
            <p> (Currently there is no automatic fix for this section.) </p>
            <p> HKU\S-1-5-21-1789883001-303321401-512692908-1001\Control Panel\Desktop\\Wallpaper -&gt; C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper<br> HKU\S-1-5-21-1789883001-303321401-512692908-1003\Control
              Panel\Desktop\\Wallpaper -&gt; C:\Windows\web\wallpaper\Windows\img0.jpg<br> DNS Servers: 9.9.9.9 - 149.112.112.112<br> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System =&gt; (ConsentPromptBehaviorAdmin: 5)
              (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)<br> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer =&gt; (SmartScreenEnabled: )<br> Windows Firewall is enabled. </p>
            <p> Network Binding:<br> =============<br> Ethernet: Npcap Packet Driver (NPCAP) -&gt; INSECURE_NPCAP (enabled)&nbsp;<br> Bluetooth Network Connection: Npcap Packet Driver (NPCAP) -&gt; INSECURE_NPCAP (enabled)&nbsp;<br> Wi-Fi: Npcap
              Packet Driver (NPCAP) -&gt; INSECURE_NPCAP (enabled)&nbsp;<br> Wi-Fi: Npcap Packet Driver (NPCAP) (Wi-Fi) -&gt; INSECURE_NPCAP_WIFI (enabled)&nbsp; </p>
            <p> ==================== MSCONFIG/TASK MANAGER disabled items == </p>
            <p> (If an entry is included in the fixlist, it will be removed.) </p>
            <p> HKLM\...\StartupApproved\Run: =&gt; "Everything"<br> HKLM\...\StartupApproved\Run: =&gt; "iTunesHelper"<br> HKLM\...\StartupApproved\Run: =&gt; "Opera Browser Assistant"<br> HKLM\...\StartupApproved\Run: =&gt;
              "AdobeAAMUpdater-1.0"<br> HKLM\...\StartupApproved\Run: =&gt; "Logitech Download Assistant"<br> HKLM\...\StartupApproved\Run32: =&gt; "Adobe CCXProcess"<br> HKLM\...\StartupApproved\Run32: =&gt; "Adobe Creative Cloud"<br>
              HKLM\...\StartupApproved\Run32: =&gt; "Opera Browser Assistant"<br> HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\StartupFolder: =&gt; "Send to OneNote.lnk"<br>
              HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: =&gt; "MicrosoftEdgeAutoLaunch_C0A32B37347337D257B1541CA93F7472"<br> HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: =&gt; "Spotify"<br>
              HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: =&gt; "Speech Recognition" </p>
            <p> ==================== FirewallRules (Whitelisted) ================ </p>
            <p> (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) </p>
            <p> FirewallRules: [Microsoft-Windows-Unified-Telemetry-Client] =&gt; (Block) C:\Windows\system32\svchost.exe (Microsoft Windows Publisher -&gt; Microsoft Corporation)<br> FirewallRules: [{C2A5E20E-1F04-4D7D-ADAA-9026D35A3B26}] =&gt;
              (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -&gt; Mozilla Corporation)<br> FirewallRules: [{027E032D-A7ED-45B3-AB1D-5C808C685D7A}] =&gt; (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla
              Corporation -&gt; Mozilla Corporation)<br> FirewallRules: [{4665FCD0-7E10-41E1-90FE-309580DEF7CD}] =&gt; (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -&gt; Microsoft Corporation)<br>
              FirewallRules: [{1E860482-8990-4E25-9246-9A99F50B6E0E}] =&gt; (Allow) C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe (PhaseFive Systems LLC -&gt; Phase Five Systems)<br> FirewallRules:
              [{380E5FDE-93A1-4238-BE5C-FEF5E36946D7}] =&gt; (Allow) C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe (PhaseFive Systems LLC -&gt; Phase Five Systems)<br> FirewallRules:
              [{B5C81192-EC77-485C-99B4-B8AAB7195F28}] =&gt; (Allow) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.EXE (Logitech Inc -&gt; Logitech, Inc.)<br> FirewallRules: [{93AB2033-C6B3-4FC4-9928-E46BFC60D137}] =&gt; (Allow)
              C:\Program Files\WindowsApps\MicrosoftTeams_22055.502.1226.2344_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -&gt; Microsoft Corporation)<br> FirewallRules: [{97046305-7548-4DED-B501-487DBADD4D15}] =&gt; (Allow) C:\Program
              Files\WindowsApps\MicrosoftTeams_22055.502.1226.2344_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -&gt; Microsoft Corporation)<br> FirewallRules: [{EA21E87C-9F2A-4449-8408-C08AF06912CD}] =&gt; (Allow) C:\Program
              Files\Bonjour\mDNSResponder.exe =&gt; No File<br> FirewallRules: [{EF0DC3B7-2A94-41EF-9F5A-7678A08AD664}] =&gt; (Allow) C:\Program Files\Bonjour\mDNSResponder.exe =&gt; No File<br> FirewallRules: [{2AE5D8DA-0340-43A6-A8DB-4DC1A0D30C42}]
              =&gt; (Allow) C:\Program Files\Opera\90.0.4480.54\opera.exe (Opera Norway AS -&gt; Opera Software)<br> FirewallRules: [{8FEE7E9A-04FF-4D4E-9C6E-0149217D6928}] =&gt; (Allow) C:\Program Files\Opera\90.0.4480.84\opera.exe (Opera Norway AS
              -&gt; Opera Software)<br> FirewallRules: [{BC39B814-683D-46EE-9ECB-9C7F751AA32E}] =&gt; (Allow) C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe (Logitech Inc -&gt; Logitech, Inc.) </p>
            <p> ==================== Restore Points ========================= </p>
            <p> 28-09-2022 23:00:02 Removed Bonjour<br> 28-09-2022 23:01:27 Removed 7-Zip 19.00 (x64 edition) </p>
            <p> ==================== Faulty Device Manager Devices ============ </p>
            <p> Name: Realtek PCIe GbE Family Controller<br> Description: Realtek PCIe GbE Family Controller<br> Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}<br> Manufacturer: Realtek<br> Service: rt640x64<br> Problem: : This device is
              disabled. (Code 22)<br> Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. </p>
            <p>
              <br> ==================== Event log errors: ========================
            </p>
            <p> Application errors:<br> ==================<br> Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 8193) (User: )<br> Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. &nbsp;hr =
              0x8007045b, A system shutdown is in progress.<br> . </p>
            <p> Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 13) (User: )<br> Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started.
              [0x8007045b, A system shutdown is in progress.<br> ] </p>
            <p> Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 8193) (User: )<br> Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. &nbsp;hr = 0x8007045b, A system shutdown is in progress.<br>
              . </p>
            <p> Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 13) (User: )<br> Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started.
              [0x8007045b, A system shutdown is in progress.<br> ] </p>
            <p> Error: (09/28/2022 01:39:17 PM) (Source: Application Hang) (EventID: 1002) (User: )<br> Description: The program explorer.exe version 10.0.22000.978 stopped interacting with Windows and was closed. To see if more information about the
              problem is available, check the problem history in the Security and Maintenance control panel. </p>
            <p> Process ID: 1e84 </p>
            <p> Start Time: 01d8d36839d9a69c </p>
            <p> Termination Time: 20 </p>
            <p> Application Path: C:\Windows\explorer.exe </p>
            <p> Report Id: 9e6212d3-1134-4a4f-b69b-c2ec549a2dbf </p>
            <p> Faulting package full name:&nbsp; </p>
            <p> Faulting package-relative application ID:&nbsp; </p>
            <p> Hang type: Unknown </p>
            <p> Error: (09/28/2022 01:38:56 PM) (Source: Windows Backup) (EventID: 4103) (User: )<br> Description: The backup did not complete because of an error writing to the backup location B:\. The error is: The backup location cannot be found
              or is not valid. Review your backup settings and check the backup location. (0x81000006). </p>
            <p> Error: (09/28/2022 01:31:31 PM) (Source: Firefox Default Browser Agent) (EventID: 12007) (User: )<br> Description: Event-ID 12007 </p>
            <p> Error: (09/28/2022 01:31:31 PM) (Source: Firefox Default Browser Agent) (EventID: 0) (User: )<br> Description: Event-ID 0 </p>
            <p>
              <br> System errors:<br> =============<br> Error: (09/28/2022 11:58:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)<br> Description: The certificate received from the remote server has not validated correctly. The error code
              is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate.<br> &nbsp;The SSPI client process is LogiLuUpdater (PID: 15420).
            </p>
            <p> Error: (09/28/2022 11:28:54 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)<br> Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection
              request has failed. The attached data contains the server certificate.<br> &nbsp;The SSPI client process is LogiLuUpdater (PID: 11432). </p>
            <p> Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)<br> Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection
              request has failed. The attached data contains the server certificate.<br> &nbsp;The SSPI client process is LogiLuUpdater (PID: 16948). </p>
            <p> Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)<br> Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection
              request has failed. The attached data contains the server certificate.<br> &nbsp;The SSPI client process is LogiLuUpdater (PID: 16600). </p>
            <p> Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)<br> Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection
              request has failed. The attached data contains the server certificate.<br> &nbsp;The SSPI client process is LogiLuUpdater (PID: 16476). </p>
            <p> Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)<br> Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection
              request has failed. The attached data contains the server certificate.<br> &nbsp;The SSPI client process is LogiLuUpdater (PID: 15328). </p>
            <p> Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)<br> Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection
              request has failed. The attached data contains the server certificate.<br> &nbsp;The SSPI client process is LogiLuUpdater (PID: 16400). </p>
            <p> Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL)<br> Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection
              request has failed. The attached data contains the server certificate.<br> &nbsp;The SSPI client process is LogiLuUpdater (PID: 16516). </p>
            <p>
              <br> Windows Defender:<br> ================<br> Date: 2022-09-26 10:30:42<br> Description:&nbsp;<br> Microsoft Defender Antivirus has detected malware or other potentially unwanted software.<br> For more information please see the
              following:<br><a href="https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0" rel="external nofollow noopener" target="_blank">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0</a><br>
              Name: SettingsModifier:Win32/PossibleHostsFileHijack<br> Severity: Medium<br> Category: Settings Modifier<br> Path: file:_C:\Windows\System32\drivers\etc\hosts<br> Detection Origin: Local machine<br> Detection Type: Concrete<br>
              Detection Source: System<br> Process Name: Unknown<br> Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0<br> Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3
            </p>
            <p> Date: 2022-09-26 10:30:30<br> Description:&nbsp;<br> Microsoft Defender Antivirus has detected malware or other potentially unwanted software.<br> For more information please see the
              following:<br><a href="https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0" rel="external nofollow noopener" target="_blank">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0</a><br>
              Name: SettingsModifier:Win32/PossibleHostsFileHijack<br> Severity: Medium<br> Category: Settings Modifier<br> Path: file:_C:\Windows\System32\drivers\etc\hosts<br> Detection Origin: Local machine<br> Detection Type: Concrete<br>
              Detection Source: System<br> Process Name: Unknown<br> Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0<br> Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3 </p>
            <p> Date: 2022-09-26 02:23:28<br> Description:&nbsp;<br> Microsoft Defender Antivirus has detected malware or other potentially unwanted software.<br> For more information please see the
              following:<br><a href="https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0" rel="external nofollow noopener" target="_blank">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0</a><br>
              Name: SettingsModifier:Win32/PossibleHostsFileHijack<br> Severity: Medium<br> Category: Settings Modifier<br> Path: file:_C:\Windows\System32\drivers\etc\hosts<br> Detection Origin: Local machine<br> Detection Type: Concrete<br>
              Detection Source: System<br> Process Name: C:\Users\gngn1\Desktop\FRST64.exe<br> Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0<br> Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3 </p>
            <p> Date: 2022-09-26 01:58:41<br> Description:&nbsp;<br> Microsoft Defender Antivirus has detected malware or other potentially unwanted software.<br> For more information please see the
              following:<br><a href="https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0" rel="external nofollow noopener" target="_blank">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0</a><br>
              Name: SettingsModifier:Win32/PossibleHostsFileHijack<br> Severity: Medium<br> Category: Settings Modifier<br> Path: file:_C:\Windows\System32\drivers\etc\hosts<br> Detection Origin: Local machine<br> Detection Type: Concrete<br>
              Detection Source: System<br> Process Name: Unknown<br> Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0<br> Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3 </p>
            <p> Date: 2022-09-26 00:15:31<br> Description:&nbsp;<br> Microsoft Defender Antivirus has detected malware or other potentially unwanted software.<br> For more information please see the
              following:<br><a href="https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0" rel="external nofollow noopener" target="_blank">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0</a><br>
              Name: SettingsModifier:Win32/PossibleHostsFileHijack<br> Severity: Medium<br> Category: Settings Modifier<br> Path: file:_C:\Windows\System32\drivers\etc\hosts<br> Detection Origin: Local machine<br> Detection Type: Concrete<br>
              Detection Source: System<br> Process Name: Unknown<br> Security intelligence Version: AV: 1.375.1006.0, AS: 1.375.1006.0, NIS: 1.375.1006.0<br> Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3<br> Event[0] </p>
            <p> Date: 2022-09-28 22:41:33<br> Description:&nbsp;<br> Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.<br> Feature: On Access<br> Error Code: 0x8007043c<br> Error description: This service
              cannot be started in Safe Mode&nbsp;<br> Reason: Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem. </p>
            <p> Date: 2022-09-28 22:37:32<br> Description:&nbsp;<br> Microsoft Defender Antivirus has encountered an error trying to update security intelligence.<br> New security intelligence Version:&nbsp;<br> Previous security intelligence
              Version: 1.375.1177.0<br> Update Source: Microsoft Update Server<br> Security intelligence Type: AntiVirus<br> Update Type: Full<br> Current Engine Version:&nbsp;<br> Previous Engine Version: 1.1.19600.3<br> Error code: 0x80240438<br>
              Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.&nbsp; </p>
            <p> Date: 2022-09-28 13:39:15<br> Description:&nbsp;<br> Microsoft Defender Antivirus has encountered an error trying to update security intelligence.<br> New security intelligence Version:&nbsp;<br> Previous security intelligence
              Version: 1.375.1134.0<br> Update Source: Microsoft Update Server<br> Security intelligence Type: AntiVirus<br> Update Type: Full<br> Current Engine Version:&nbsp;<br> Previous Engine Version: 1.1.19600.3<br> Error code: 0x8024402c<br>
              Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.&nbsp; </p>
            <p> CodeIntegrity:<br> ===============<br> Date: 2022-09-28 23:19:07<br> Description:&nbsp;<br> Code Integrity determined that a process (\Device\HarddiskVolume8\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe)
              attempted to load \Device\HarddiskVolume8\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements. </p>
            <p> Date: 2022-09-28 22:32:20<br> Description:&nbsp;<br> Code Integrity determined that a process (\Device\HarddiskVolume8\Windows\System32\SIHClient.exe) attempted to load \Device\HarddiskVolume8\Program Files\Bonjour\mdnsNSP.dll that
              did not meet the Windows signing level requirements. </p>
            <p>
              <br> ==================== Memory info ===========================&nbsp;
            </p>
            <p> BIOS: Dell Inc. 1.5.0 02/11/2022<br> Motherboard: Dell Inc. 0YF8P5<br> Processor: Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz<br> Percentage of memory in use: 41%<br> Total physical RAM: 12021.07 MB<br> Available physical RAM: 7019.64
              MB<br> Total Virtual: 28838.92 MB<br> Available Virtual: 23710.69 MB </p>
            <p> ==================== Drives ================================ </p>
            <p> Drive a: (1TB-LT) (Fixed) (Total:917.04 GB) (Free:297.48 GB) (Model: TOSHIBA MQ01ABD100) NTFS<br> Drive c: (OS) (Fixed) (Total:460.75 GB) (Free:50.22 GB) (Model: NVMe BC711 NVMe SK hynix 512GB) NTFS<br> Drive d: (RECOVERY) (Fixed)
              (Total:13.24 GB) (Free:1.57 GB) (Model: TOSHIBA MQ01ABD100) NTFS ==&gt;[system with boot components (obtained from drive)] </p>
            <p> \\?\Volume{8a3cbc66-ab72-496a-8c28-f1c9d89e1ff4}\ (Windows RE tools) (Fixed) (Total:0.96 GB) (Free:0.36 GB) NTFS<br> \\?\Volume{e7899493-836e-40e2-a860-993bc8fe0b89}\ (WINRETOOLS) (Fixed) (Total:0.97 GB) (Free:0.48 GB) NTFS<br>
              \\?\Volume{25391c42-c24a-4412-a42b-0763395eec6d}\ (Image) (Fixed) (Total:13.58 GB) (Free:0.15 GB) NTFS<br> \\?\Volume{7aa07a21-543e-4687-bcaf-54e5b284a176}\ (DELLSUPPORT) (Fixed) (Total:1.36 GB) (Free:0.53 GB) NTFS<br>
              \\?\Volume{e3bd6638-6fd2-43f2-9f08-688f4c1389b4}\ () (Fixed) (Total:0.25 GB) (Free:0.14 GB) FAT32<br> \\?\Volume{d88befe7-be9f-42cc-886d-d916edbba0ff}\ (ESP) (Fixed) (Total:0.14 GB) (Free:0.07 GB) FAT32 </p>
            <p> ==================== MBR &amp; Partition Table ==================== </p>
            <p> ==========================================================<br> Disk: 0 (Size: 931.5 GB) (Disk ID: A50E1C7D) </p>
            <p> Partition: GPT. </p>
            <p> ==========================================================<br> Disk: 1 (Size: 476.9 GB) (Disk ID: 416A8FEC) </p>
            <p> Partition: GPT. </p>
            <p> ==================== End of Addition.txt ======================= </p>
          </div>
        </div>
        <div class="ipsPadding ipsHide cPostShareMenu" id="elSharePost_1535841_menu">
          <button class="ipsHide ipsButton ipsButton_small ipsButton_light ipsButton_fullWidth ipsMargin_top:half" data-controller="core.front.core.webshare" data-role="webShare" data-websharetitle="malware infected from USB drive" data-websharetext="okay i got it running from my desktop.&nbsp; this log looks completely different from the one above, very odd.
 


	&nbsp;
 


	Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-08-2022 
	Ran by God (administrator) on FAST-DELL (Dell Inc. Inspiron 3891) (29-09-2022 00:16:11) 
	Running from C:\Users\gngn1\Desktop 
	Loaded Profiles: God 
	Platform: Microsoft Windows 11 Home Version 21H2 22000.978 (X64) Language: English (United States) 
	Default browser: FF 
	Boot Mode: Normal
 


	==================== Processes (Whitelisted) =================
 


	(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 


	(C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_appbroker.exe 
	(C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe 
	(C:\Program Files\Logitech\LogiOptions\LogiOptions.exe ->) (Logitech Inc -> Logitech) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOverlay.exe 
	(C:\Program Files\Logitech\LogiOptions\LogiOptions.exe ->) (Logitech Inc -> Logitech, Inc.) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe 
	(C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe ->) (Logitech Inc -> Logitech, Inc.) C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\laclient.exe 
	(C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCopyAccelerator.exe 
	(DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxCUIService.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxEM.exe 
	(explorer.exe ->) (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenu.exe 
	(explorer.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\Logitech\LogiOptions\LogiOptions.exe 
	(explorer.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft OneDrive\OneDrive.exe 
	(services.exe ->) (Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe 
	(services.exe ->) (Apple Inc. -> Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe 
	(services.exe ->) (Code Sector -> ) C:\Program Files\TeraCopy\TeraCopyService.exe 
	(services.exe ->) (Dell Inc -> Dell Inc.) C:\Program Files\Dell\Fusion\FusionService.exe 
	(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxCUIService.exe 
	(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_f83b924791f3a52a\OneApp.IGCC.WinService.exe 
	(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\IntelCpHDCPSvc.exe 
	(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\IntelCpHeciSvc.exe 
	(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\mewmiprov.inf_amd64_d4564390a9b1e980\WMIRegistrationService.exe 
	(services.exe ->) (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_7aa6ca9dbb25bff8\jhi_service.exe 
	(services.exe ->) (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\lms.inf_amd64_5d10f2aad7f84bec\LMS.exe 
	(services.exe ->) (Intel(R) Rapid Storage Technology -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iastorac.inf_amd64_68966115f2eef4e5\RstMwService.exe 
	(services.exe ->) (Károly Pados -> Károly Pados) C:\Program Files (x86)\TinyWall\TinyWall.exe <3> 
	(services.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe 
	(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe 
	(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe 
	(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe 
	(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe 
	(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe 
	(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\NisSrv.exe 
	(services.exe ->) (PhaseFive Systems LLC -> Phase Five Systems) C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe 
	(services.exe ->) (TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe 
	(services.exe ->) (voidtools -> voidtools) C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64\Everything.exe 
	(services.exe ->) (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.) C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe 
	(sihost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.4447.0_x64__8wekyb3d8bbwe\PAD.Console.Host.exe 
	(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 
	(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe 
	(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe 
	(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <3> 
	(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe 
	(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wlanext.exe
 


	==================== Registry (Whitelisted) ===================
 


	(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 


	HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163640 2017-08-13] (Ivaylo Beltchev -> IvoSoft) [File not signed] 
	HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [509936 2018-04-11] (Adobe Systems Incorporated -> Adobe Systems Incorporated) 
	HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\System32\LogiLDA.dll [3831808 2021-08-30] (Microsoft Windows Hardware Compatibility Publisher -> Logitech) 
	HKLM\...\Run: [LogiOptions] => C:\Program Files\Logitech\LogiOptions\LogiOptions.exe [1687616 2022-02-21] (Logitech Inc -> Logitech, Inc.) 
	HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [1067528 2022-07-25] (Adobe Inc. -> Adobe Inc.) 
	HKLM\...\Policies\Explorer: [HideSCAMeetNow] 1 
	HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION 
	HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION 
	HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe [2630024 2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [AdobeBridge] => [X] 
	HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [MicrosoftEdgeAutoLaunch_C0A32B37347337D257B1541CA93F7472] => &quot;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe&quot; --no-startup-window --win-session-start /prefetch:5 [3795376 2022-09-25] (Microsoft Corporation -> Microsoft Corporation) 
	HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Policies\Explorer: [HideSCAMeetNow] 1 
	HKU\S-1-5-21-1789883001-303321401-512692908-1003\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe [2630024 2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	Startup: C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2021-12-30] 
	ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation -> Microsoft Corporation) 
	AlternateShell:&nbsp; 
	HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION 
	HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
 
	==================== Scheduled Tasks (Whitelisted) ============
 
	(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
	Task: {02FEA731-D2DD-4A8E-A439-563F55D53DFC} - System32\Tasks\Opera scheduled Autoupdate 1638694259 => C:\Program Files\Opera\launcher.exe [2538448 2022-09-05] (Opera Norway AS -> Opera Software) 
	Task: {0335EFB7-AF7E-416D-9978-D34ABA156C86} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23709120 2022-09-18] (Microsoft Corporation -> Microsoft Corporation) 
	Task: {05297C63-34A6-4FCA-A5F8-891900D5D30E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation) 
	Task: {0AA9AE9F-7BC1-4CF7-B0D0-942E8D8AB388} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task "308046B0AF4A39CB" 
	Task: {193C0CD3-8DE7-4B74-A2DD-718AAF02C2ED} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation) 
	Task: {1AEF3D55-5909-4E1E-8853-22E99F844F7C} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23709120 2022-09-18] (Microsoft Corporation -> Microsoft Corporation) 
	Task: {487D899D-40F2-476C-BEF0-2FF05589EC63} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [616832 2019-09-04] (Apple Inc. -> Apple Inc.) 
	Task: {500823C9-7F32-4788-B34D-40329A313066} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1003 => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	Task: {5FD92CFE-F4D2-4D63-9C80-AC2D101820F1} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1002 => C:\Users\gngn1\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting (No File) 
	Task: {6500E3AE-98EC-4892-B4CC-620672E1ECD0} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [142208 2022-09-18] (Microsoft Corporation -> Microsoft Corporation) 
	Task: {6D5E4CE5-B360-40C2-82EA-F9193CE82B45} - System32\Tasks\npcapwatchdog => C:\Program Files\Npcap\CheckStatus.bat [815 2021-09-08] () [File not signed] 
	Task: {81645350-7A7E-4586-930D-AA1963354214} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation) 
	Task: {87B48BF5-2794-481C-9766-B28425BE7E49} - System32\Tasks\EOSv3 Scheduler onTime => C:\Users\gngn1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [21737944 2022-09-21] (ESET, spol. s r.o. -> ESET) 
	Task: {940B0A62-EB07-406B-AF8C-69A42C245B77} - System32\Tasks\Opera scheduled assistant Autoupdate 1638694264 => C:\Program Files\Opera\launcher.exe [2538448 2022-09-05] (Opera Norway AS -> Opera Software) -> --scheduledautoupdate --component-name=assistant --component-path="C:\Program Files\Opera\assistant" $(Arg0) 
	Task: {A7D8C990-6422-4667-87E3-FA40C47BB4B1} - System32\Tasks\EOSv3 Scheduler onLogOn => C:\Users\gngn1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [21737944 2022-09-21] (ESET, spol. s r.o. -> ESET) 
	Task: {AC1FBF05-8B10-4509-AEF9-AB30ECDDC41C} - System32\Tasks\Microsoft\Windows\WaaSMedic\MaintenanceWork => {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32} 
	Task: {B0DE073A-B771-46E8-8A43-62AAF41CD5E2} - System32\Tasks\OneDrive Per-Machine Standalone Update Task => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	Task: {C2820938-5262-4E5B-BA4C-08EE29C71694} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [142208 2022-09-18] (Microsoft Corporation -> Microsoft Corporation) 
	Task: {CFB3D3C2-5ED7-4025-973B-4173E78BFF79} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation) 
	Task: {D15035A4-388C-4B0C-B13E-2588A970C419} - System32\Tasks\Microsoft\Office\Office Performance Monitor => C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe [64408 2022-09-08] (Microsoft Corporation -> Microsoft Corporation) 
	Task: {D24345F4-A990-448B-97A8-778C14BE4C7C} - System32\Tasks\Mozilla\Firefox Background Update 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\firefox.exe --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate 
	Task: {E13FF481-BB09-4CA9-9478-463D38661FA9} - System32\Tasks\TinyWall Controller => C:\Program Files (x86)\TinyWall\TinyWall.exe [867080 2021-10-26] (Károly Pados -> Károly Pados) 
	Task: {FA7BFA7D-63B4-4DE5-8D36-09A74B86FCA2} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1001 => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
 
	(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
	Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
 
	==================== Internet (Whitelisted) ====================
 
	(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
	Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt 
	Tcpip\Parameters: [DhcpNameServer] 9.9.9.9 149.112.112.112 
	Tcpip\..\Interfaces\{666ad4d3-6ec5-4013-a092-a6d61e020286}: [DhcpNameServer] 9.9.9.9 149.112.112.112
 
	Edge: 
	======= 
	Edge Profile: C:\Users\gngn1\AppData\Local\Microsoft\Edge\User Data\Default [2022-09-27] 
	Edge Extension: (Microsoft Power Automate) - C:\Users\gngn1\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\njjljiblognghfjfpcdpdbpbfcmhgafg [2022-08-08] 
	Edge HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [njjljiblognghfjfpcdpdbpbfcmhgafg]
 
	FireFox: 
	======== 
	FF DefaultProfile: cb410ea4.default 
	FF ProfilePath: C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\cb410ea4.default [2021-12-15] 
	FF ProfilePath: C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release [2022-09-28] 
	FF Session Restore: Mozilla\Firefox\Profiles\za350ywr.default-release -> is enabled. 
	FF Notifications: Mozilla\Firefox\Profiles\za350ywr.default-release -> hxxps://web.telegram.org; hxxps://www.kiiroo.com; hxxps://electrothreads.com 
	FF Extension: (Disconnect) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\2.0@disconnect.me.xpi [2022-01-11] 
	FF Extension: (Google Container) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\@contain-google.xpi [2022-01-11] 
	FF Extension: (Keepa - Amazon Price Tracker) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\amptra@keepa.com.xpi [2022-04-18] 
	FF Extension: (OneNote Web Clipper) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\Clipper@OneNote.com.xpi [2022-04-14] 
	FF Extension: (Don't ***** With Paste) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\Dont*****WithPaste@raim.ist.xpi [2022-01-11] 
	FF Extension: (Folx) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\folx5@eltima.com.xpi [2022-01-11] 
	FF Extension: (Disable WebRTC) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-5Fs7iTLscUaZBgwr@jetpack.xpi [2022-01-11] 
	FF Extension: (Honey) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-93CWPmRbVPjRQA@jetpack.xpi [2022-01-11] 
	FF Extension: (Decentraleyes) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-BoFifL9Vbdl2zQ@jetpack.xpi [2022-02-01] 
	FF Extension: (I don't care about cookies) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-KKzOGWgsW3Ao4Q@jetpack.xpi [2022-09-15] 
	FF Extension: (Double-click Image Downloader) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-xgtdawe3yyUeBQ@jetpack.xpi [2022-01-11] 
	FF Extension: (Reddit Enhancement Suite) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi [2022-02-02] 
	FF Extension: (Pinterest Save Button) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi [2022-03-02] 
	FF Extension: (JSONovich) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jsonovich@lackoftalent.org.xpi [2022-04-05] 
	FF Extension: (IDM Integration Module) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\mozilla_cc3@internetdownloadmanager.com.xpi [2022-05-27] 
	FF Extension: (Download Manager (S3)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\s3download@statusbar.xpi [2022-01-11] 
	FF Extension: (Save webP as PNG or JPEG) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\savewebpas@jeffersonscher.com.xpi [2022-09-23] 
	FF Extension: (LastPass: Free Password Manager) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\support@lastpass.com.xpi [2022-08-06] 
	FF Extension: (Google Translator for Firefox) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\translator@zoli.bod.xpi [2022-01-11] 
	FF Extension: (uBlock Origin) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\uBlock0@raymondhill.net.xpi [2022-09-20] 
	FF Extension: (Paste n' Go) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{000a756d-5efb-4897-b40c-57ef8c5caa59}.xpi [2022-01-11] 
	FF Extension: (Take Webpage Screenshots Entirely - FireShot) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}.xpi [2022-09-15] 
	FF Extension: (CSS Toggler) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{16898b73-edd0-419f-a0a9-e5afd2a4c904}.xpi [2022-05-02] 
	FF Extension: (Download All Images) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{32af1358-428a-446d-873e-5f8eb5f2a72e}.xpi [2022-08-22] 
	FF Extension: (Send to VLC (VideoLAN) media player) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{3e0ac434-26e0-4c03-b757-3078486800c3}.xpi [2022-01-11] 
	FF Extension: (Disable JavaScript) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{41f9e51d-35e4-4b29-af66-422ff81c8b41}.xpi [2022-01-11] 
	FF Extension: (Eno® from Capital One®) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{4d5b7a5e-5232-9e45-97f4-f8e1ca2626e5}.xpi [2022-07-20] 
	FF Extension: (Science Fiction Florest) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{4d6138be-7d98-4fed-8cb9-277c3a351183}.xpi [2022-01-11] 
	FF Extension: (Blue Carbon Fiber) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{5ab03bdd-3d91-4c73-801e-607ca27458d0}.xpi [2022-01-11] 
	FF Extension: (ColorZilla) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}.xpi [2022-01-11] 
	FF Extension: (Hot air balloons v5 by CP) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{790388bf-f135-4368-ab9b-36c8062a09c2}.xpi [2022-01-11] 
	FF Extension: (Plexus Crystals (Yellow)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{826d3ea1-5a85-4e6c-8749-aff3f72ccc5d}.xpi [2022-01-11] 
	FF Extension: (Clippings) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{91aa5abe-9de4-4347-b7b5-322c38dd9271}.xpi [2022-09-19] 
	FF Extension: (Absolute Right Click) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{9350bc42-47fb-4598-ae0f-825e3dd9ceba}.xpi [2022-01-11] 
	FF Extension: (RESTClient) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ad0d925d-88f8-47f1-85ea-8463569e756e}.xpi [2022-04-05] 
	FF Extension: (Capital One Shopping: Online Coupon Tool) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{aff8af88-06a9-4eee-b383-3af08c47b8c8}.xpi [2022-09-26] 
	FF Extension: (The universe of ancient times.) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{b6d370bd-f532-4049-9a82-f53b47f369b3}.xpi [2022-01-11] 
	FF Extension: (Video DownloadHelper) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2022-05-12] 
	FF Extension: (flashy pastel rainbow) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ced18bb2-3a5e-4d85-b0ad-5b99cb34fa73}.xpi [2022-01-11] 
	FF Extension: (Polynial design) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{d7dce9c0-165e-44ff-90b9-c5ce9f7a7721}.xpi [2022-01-11] 
	FF Extension: (Read Aloud: A Text to Speech Voice Reader) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ddc62400-f22d-4dd3-8b4a-05837de53c2e}.xpi [2022-09-01] 
	FF Extension: (Matte Black (Orange)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{e7c9fb23-17c0-4bb6-a8ba-ff52a7770b89}.xpi [2022-02-24] 
	FF Extension: (Plexus Crystals (Violet)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ff571d12-dfde-4e8f-be1d-38c145a98443}.xpi [2022-02-24] 
	FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2022-07-07] (Microsoft Corporation -> Microsoft Corporation) 
	FF Plugin: @videolan.org/vlc,version=3.0.16 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2021-06-18] (VideoLAN -> VideoLAN) 
	FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2022-07-25] (Adobe Inc. -> Adobe Systems) 
	FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2022-07-07] (Microsoft Corporation -> Microsoft Corporation) 
	FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2022-07-25] (Adobe Inc. -> Adobe Systems)
 
	Chrome: 
	======= 
	CHR HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [gjgfobnenmnljakmhboildkafdkicala]
 
	Opera: 
	======= 
	OPR Profile: C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable [2022-09-26] 
	OPR Notifications: Opera Stable -> hxxps://web.telegram.org; hxxps://www.philadelphiaeagles.com 
	OPR DefaultSuggestURL: Opera Stable -> hxxps://www.google.com/complete/search?client=opera&q={searchTerms}&ie={inputEncoding}&oe={outputEncoding} 
	OPR Extension: (Rich Hints Agent) - C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable\Extensions\enegjkbbakeegngfapepobipndnebkdk [2022-07-28] 
	OPR Extension: (Opera Crypto Wallet) - C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable\Extensions\gojhcdgcpbpfigcaejpfhfegekdgiblk [2022-07-28] 
	OPR Extension: (Amazon Assistant Promotion) - C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable\Extensions\kbmoiomgmchbpihhdpabemajcbjpcijk [2021-12-20]
 
	==================== Services (Whitelisted) ===================
 
	(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
	R2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [923656 2022-07-25] (Adobe Inc. -> Adobe Inc.) 
	R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [99104 2021-08-20] (Apple Inc. -> Apple Inc.) 
	R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [12131256 2022-09-18] (Microsoft Corporation -> Microsoft Corporation) 
	S3 dcsvc; C:\Windows\system32\dcsvc.dll [831488 2022-09-13] (Microsoft Windows -> Microsoft Corporation) 
	R2 Everything; C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64\Everything.exe [2266128 2022-09-22] (voidtools -> voidtools) 
	S3 FileSyncHelper; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncHelper.exe [3383688 2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	R2 FusionService; C:\Program Files\Dell\Fusion\FusionService.exe [19096 2021-10-13] (Dell Inc -> Dell Inc.) 
	R2 JumpConnect; C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe [154080 2022-01-07] (PhaseFive Systems LLC -> Phase Five Systems) 
	S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7901368 2021-12-05] (Malwarebytes Inc -> Malwarebytes) 
	S3 OneDrive Updater Service; C:\Program Files\Microsoft OneDrive\22.191.0911.0001\OneDriveUpdaterService.exe [3804032 2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	R2 OptionsPlusUpdaterService; C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe [17029376 2022-09-12] (Logitech Inc -> Logitech, Inc.) 
	R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [12912936 2021-11-16] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH) 
	R2 TeraCopyService.exe; C:\Program Files\TeraCopy\TeraCopyService.exe [114384 2021-04-21] (Code Sector -> ) 
	R2 TinyWall; C:\Program Files (x86)\TinyWall\TinyWall.exe [867080 2021-10-26] (Károly Pados -> Károly Pados) 
	R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\NisSrv.exe [3125112 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation) 
	R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe [133560 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation) 
	S2 Wondershare InstallAssist; C:\ProgramData\Wondershare\Service\InstallAssistService.exe [X] 
	R2 ZoomCptService; "C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe" -user_path "C:\Users\gngn1\AppData\Roaming\Zoom"
 
	===================== Drivers (Whitelisted) ===================
 
	(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
	S3 AppleKmdfFilter; C:\Windows\System32\drivers\AppleKmdfFilter.sys [20032 2020-10-09] (WDKTestCert build,132303256403278908 -> Apple Inc.) 
	S3 AppleLowerFilter; C:\Windows\System32\drivers\AppleLowerFilter.sys [35976 2020-10-09] (WDKTestCert build,132303256403278908 -> Apple Inc.) 
	S3 DDDriver; C:\Windows\System32\drivers\dddriver64Dcsa.sys [43400 2021-09-09] (Microsoft Windows Hardware Compatibility Publisher -> Dell Technologies) 
	R0 fse; C:\Windows\System32\drivers\fse.sys [193888 2022-05-11] (Microsoft Windows -> Microsoft Corporation) 
	S3 IntelGNA; C:\Windows\System32\DriverStore\FileRepository\gna.inf_amd64_c08af0e43cbc91c3\gna.sys [83856 2020-08-04] (Gaussian Mixture Models and Neural Networks Accelerator -> Intel Corporation) 
	R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [210352 2022-09-26] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes) 
	S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [19912 2021-12-05] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes) 
	S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248992 2022-03-27] (Malwarebytes Inc -> Malwarebytes) 
	R3 MpKsl84bd6d14; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E54752FF-50C6-4067-A464-757ABA79C676}\MpKslDrv.sys [228600 2022-09-28] (Microsoft Windows -> Microsoft Corporation) 
	S3 MYFAULT; C:\Windows\system32\drivers\myfault.sys [27848 2022-09-27] (Microsoft Windows Hardware Compatibility Publisher -> Sysinternals) 
	R1 npcap; C:\Windows\system32\DRIVERS\npcap.sys [72792 2021-11-30] (Insecure.Com LLC -> Insecure.Com LLC.) 
	U5 PROCMON24; C:\Windows\System32\Drivers\PROCMON24.sys [95632 2022-09-26] (Microsoft Windows Hardware Compatibility Publisher -> Sysinternals - www.sysinternals.com) 
	R3 USBPcap; C:\Windows\system32\DRIVERS\USBPcap.sys [52872 2020-05-22] (Tomasz Moń -> USBPcap) 
	S3 vmbusproxy; C:\Windows\system32\drivers\vmbusproxy.sys [90112 2022-04-06] (Microsoft Windows -> ) 
	S0 WdBoot; C:\Windows\System32\drivers\wd\WdBoot.sys [49576 2022-09-07] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation) 
	R0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [453904 2022-09-07] (Microsoft Windows -> Microsoft Corporation) 
	R3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [94480 2022-09-07] (Microsoft Windows -> Microsoft Corporation) 
	R3 WiManH; C:\Windows\System32\DriverStore\FileRepository\wiman.inf_amd64_f0ed422f0b4a6c99\WiManH\WiManH.sys [172896 2020-11-23] (Intel Wireless Driver -> ) 
	U4 npcap_wifi; no ImagePath
 
	==================== NetSvcs (Whitelisted) ===================
 
	(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
	NETSVC: DcSvc -> C:\Windows\system32\dcsvc.dll (Microsoft Corporation)
 
	==================== One month (created) (Whitelisted) =========
 
	(If an entry is included in the fixlist, the file/folder will be moved.)
 
	2022-09-29 00:16 - 2022-09-29 00:16 - 000031964 _____ C:\Users\gngn1\Desktop\FRST.txt 
	2022-09-29 00:16 - 2022-09-29 00:16 - 000000000 ____D C:\FRST 
	2022-09-29 00:14 - 2022-09-29 00:15 - 002371072 _____ (Farbar) C:\Users\gngn1\Desktop\frst64.exe 
	2022-09-28 22:41 - 2022-09-28 22:41 - 000000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job 
	2022-09-28 13:35 - 2022-09-28 13:35 - 000000519 _____ C:\Users\gngn1\Desktop\OS (C) - Shortcut.lnk 
	2022-09-27 03:10 - 2022-09-27 03:10 - 000027848 _____ (Sysinternals) C:\Windows\system32\Drivers\myfault.sys 
	2022-09-26 22:56 - 2022-09-26 22:56 - 000003194 _____ C:\Windows\system32\Tasks\OneDrive Per-Machine Standalone Update Task 
	2022-09-26 22:56 - 2022-09-26 22:56 - 000002104 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk 
	2022-09-26 05:16 - 2022-09-26 05:16 - 000095632 ____H (Sysinternals - www.sysinternals.com) C:\Windows\system32\Drivers\PROCMON24.SYS 
	2022-09-26 01:57 - 2022-09-26 01:57 - 000000000 ____D C:\Users\Sokka\AppData\Local\ClassicShell 
	2022-09-26 01:56 - 2022-09-26 01:56 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\ClassicShell 
	2022-09-26 01:33 - 2022-09-26 01:33 - 000210352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys 
	2022-09-26 00:31 - 2022-09-26 00:31 - 000000000 ____D C:\Users\Sokka\AppData\Local\Comms 
	2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\Mozilla 
	2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D C:\Users\Sokka\AppData\LocalLow\Mozilla 
	2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D C:\Users\Sokka\AppData\Local\Mozilla 
	2022-09-26 00:16 - 2022-09-26 22:56 - 000003588 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1003 
	2022-09-26 00:16 - 2022-09-26 00:16 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\Logishrd 
	2022-09-26 00:15 - 2022-09-26 01:57 - 000000000 ____D C:\Users\Sokka\AppData\Local\LogiOptionsPlus 
	2022-09-26 00:15 - 2022-09-26 00:57 - 000000000 ____D C:\Users\Sokka\AppData\Local\D3DSCache 
	2022-09-26 00:15 - 2022-09-26 00:31 - 000000000 ____D C:\Users\Sokka\AppData\Local\Packages 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000002411 _____ C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000000020 ___SH C:\Users\Sokka\ntuser.ini 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 __SHD C:\Users\Sokka\IntelGraphicsProfiles 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\TinyWall 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Roaming\Adobe 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\LocalLow\Intel 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Local\VirtualStore 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Local\Publishers 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka\AppData\Local\ConnectedDevicesPlatform 
	2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka 
	2022-09-26 00:15 - 2022-08-16 04:55 - 000000000 ___RD C:\Users\Sokka\OneDrive 
	2022-09-26 00:15 - 2021-06-05 07:04 - 000001281 _____ C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools.lnk 
	2022-09-26 00:15 - 2021-06-05 07:04 - 000000407 _____ C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Explorer.lnk 
	2022-09-26 00:12 - 2022-09-26 00:12 - 000000000 ____D C:\Users\Public\Documents\MDMDiagnostics 
	2022-09-24 13:51 - 2022-09-25 22:10 - 000000000 ____D C:\TDSSKiller_Quarantine 
	2022-09-24 13:45 - 2022-09-24 13:45 - 005054744 _____ (AO Kaspersky Lab) C:\Users\gngn1\Downloads\tdsskiller.exe 
	2022-09-24 13:43 - 2022-09-24 13:44 - 000000000 ____D C:\AdwCleaner 
	2022-09-24 13:43 - 2022-09-24 13:43 - 008551608 _____ (Malwarebytes) C:\Users\gngn1\Downloads\AdwCleaner.exe 
	2022-09-23 11:32 - 2022-09-24 11:44 - 000000000 ____D C:\Program Files\Mozilla Firefox 
	2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D C:\Users\gngn1\AppData\Local\falkon 
	2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Falkon 
	2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D C:\Program Files\Falkon 
	2022-09-23 01:42 - 2022-09-23 01:43 - 065878530 _____ C:\Users\gngn1\Downloads\Falkon.Installer.3.1.0.x64.exe 
	2022-09-23 01:33 - 2022-09-23 01:33 - 000022555 _____ C:\Users\gngn1\Downloads\surf-2.1.tar.gz 
	2022-09-23 00:58 - 2022-09-23 00:58 - 001418600 _____ (Thomas E Dickey ) C:\Users\gngn1\Downloads\lynx-newssl-setup.exe 
	2022-09-22 22:51 - 2022-09-22 22:52 - 000000000 ___HD C:\adobeTemp 
	2022-09-22 13:36 - 2022-09-22 13:36 - 029933858 _____ C:\Users\gngn1\AppData\LocalLow\wbk28E7.tmp 
	2022-09-22 12:12 - 2022-06-27 00:17 - 004946512 _____ (Intel Corporation) C:\Windows\system32\Drivers\Netwtw10.sys 
	2022-09-22 12:12 - 2022-06-27 00:17 - 001626200 _____ (Intel Corporation) C:\Windows\system32\IntelIHVRouter10.dll 
	2022-09-22 12:12 - 2022-06-25 21:53 - 055467080 _____ C:\Windows\system32\Drivers\Netwfw10.dat 
	2022-09-22 11:21 - 2022-09-26 00:14 - 000000000 ____D C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64 
	2022-09-22 11:21 - 2022-09-22 11:21 - 001804512 _____ C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64.zip 
	2022-09-21 22:30 - 2022-09-21 22:30 - 000003842 _____ C:\Windows\system32\Tasks\EOSv3 Scheduler onLogOn 
	2022-09-21 22:30 - 2022-09-21 22:30 - 000003400 _____ C:\Windows\system32\Tasks\EOSv3 Scheduler onTime 
	2022-09-21 16:58 - 2022-09-21 16:58 - 015274968 _____ (ESET) C:\Users\gngn1\Desktop\esetonlinescanner.exe 
	2022-09-21 16:58 - 2022-09-21 16:58 - 000001290 _____ C:\Users\gngn1\Desktop\ESET Online Scanner.lnk 
	2022-09-19 19:18 - 2022-09-19 19:18 - 000134259 _____ C:\Users\gngn1\Downloads\Beautiful identical blondes *****ing - XNXX.COM.mp4 
	2022-09-19 08:17 - 2022-09-19 08:17 - 000131268 _____ C:\Users\gngn1\Downloads\Blonde Blows and Toes - XNXX.COM.mp4 
	2022-09-19 02:21 - 2022-09-19 02:21 - 000132024 _____ C:\Users\gngn1\Downloads\Mad land owner put sexy brunette student in bondage and roug.mp4 
	2022-09-19 02:09 - 2022-09-19 02:09 - 000133819 _____ C:\Users\gngn1\Downloads\Femdom Pegging With Big Strapon - XNXX.COM.mp4 
	2022-09-17 02:23 - 2022-09-17 02:23 - 000000986 _____ C:\Users\Public\Desktop\PotPlayer 64 bit.lnk 
	2022-09-15 15:14 - 2022-09-15 15:14 - 000004158 _____ C:\Windows\system32\Tasks\Opera scheduled assistant Autoupdate 1638694264 
	2022-09-13 21:17 - 2022-09-13 21:17 - 000335872 _____ C:\Windows\system32\Windows.Management.InprocObjects.dll 
	2022-09-13 21:17 - 2022-09-13 21:17 - 000015030 _____ C:\Windows\system32\DrtmAuthTxt.wim 
	2022-09-13 21:15 - 2022-09-13 21:15 - 000000000 ___HD C:\$WinREAgent 
	2022-09-13 13:14 - 2022-09-13 13:14 - 000000000 ____D C:\Users\gngn1\AppData\Local\FirmwareUpdateTool 
	2022-09-12 23:57 - 2022-09-28 22:58 - 000000000 ____D C:\Users\gngn1\AppData\Local\LogiOptionsPlus 
	2022-09-12 23:57 - 2022-09-22 14:29 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\logioptionsplus 
	2022-09-12 23:57 - 2022-09-12 23:58 - 000000000 ____D C:\Program Files\LogiOptionsPlus 
	2022-09-12 23:57 - 2022-09-12 23:57 - 000000931 _____ C:\Users\Public\Desktop\Logi Options+.lnk 
	2022-09-12 23:57 - 2022-09-12 23:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logi 
	2022-09-12 23:57 - 2022-09-12 23:57 - 000000000 ____D C:\ProgramData\LogiOptionsPlus 
	2022-09-07 09:15 - 2022-09-07 09:15 - 000003946 _____ C:\Windows\system32\Tasks\Opera scheduled Autoupdate 1638694259 
	2022-09-07 09:15 - 2022-09-07 09:15 - 000001075 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk 
	2022-09-02 20:34 - 2022-09-02 20:41 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Wireshark 
	2022-09-02 20:32 - 2022-09-02 20:32 - 000003460 _____ C:\Windows\system32\Tasks\npcapwatchdog 
	2022-09-02 20:32 - 2022-09-02 20:32 - 000001789 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk 
	2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Windows\SysWOW64\Npcap 
	2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Windows\system32\Npcap 
	2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Program Files\USBPcap 
	2022-09-02 20:31 - 2022-09-02 20:33 - 000000000 ____D C:\Program Files\Wireshark 
	2022-09-02 20:31 - 2022-09-02 20:32 - 000000000 ____D C:\Program Files\Npcap 
	2022-09-02 20:27 - 2022-09-02 20:28 - 077256616 _____ (Wireshark development team) C:\Users\gngn1\Downloads\Wireshark-win64-3.6.7.exe 
	2022-09-01 10:21 - 2022-09-28 15:26 - 000000000 ____D C:\AITEMP 
	2022-09-01 08:50 - 2022-09-21 16:58 - 000001396 _____ C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk 
	2022-09-01 08:50 - 2022-09-21 16:58 - 000000000 ____D C:\Users\gngn1\AppData\Local\ESET
 


	==================== One month (modified) ==================
 


	(If an entry is included in the fixlist, the file/folder will be moved.)
 


	2022-09-29 00:15 - 2022-01-11 17:07 - 000000000 ____D C:\Users\gngn1\Documents\Outlook Files 
	2022-09-29 00:12 - 2021-12-15 02:36 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\TinyWall 
	2022-09-28 23:59 - 2021-06-05 07:10 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft 
	2022-09-28 23:47 - 2021-06-05 07:10 - 000000000 ___HD C:\Program Files\WindowsApps 
	2022-09-28 23:47 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\AppReadiness 
	2022-09-28 23:11 - 2021-12-06 03:03 - 000000000 ____D C:\Users\gngn1\AppData\Local\ClassicShell 
	2022-09-28 23:08 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SystemTemp 
	2022-09-28 23:03 - 2021-12-15 02:36 - 000000000 ____D C:\ProgramData\TinyWall 
	2022-09-28 23:03 - 2021-12-05 03:50 - 000000000 ____D C:\Program Files\Opera 
	2022-09-28 23:03 - 2021-11-09 18:32 - 000980092 _____ C:\Windows\system32\PerfStringBackup.INI 
	2022-09-28 23:03 - 2021-06-05 07:09 - 000000000 ____D C:\Windows\INF 
	2022-09-28 22:58 - 2022-03-27 14:36 - 000000000 ____D C:\Intel 
	2022-09-28 22:58 - 2021-12-05 03:54 - 000000000 ____D C:\Program Files (x86)\TeamViewer 
	2022-09-28 22:58 - 2021-12-05 03:23 - 000000000 ___RD C:\Users\gngn1\OneDrive 
	2022-09-28 22:58 - 2021-11-09 18:28 - 000012288 ___SH C:\DumpStack.log.tmp 
	2022-09-28 22:58 - 2021-11-09 18:28 - 000000006 ____H C:\Windows\Tasks\SA.DAT 
	2022-09-28 22:57 - 2022-03-27 11:47 - 000692370 _____ C:\Windows\ntbtlog.txt 
	2022-09-28 22:57 - 2021-06-05 07:01 - 000786432 _____ C:\Windows\system32\config\BBI 
	2022-09-28 22:38 - 2021-12-05 03:10 - 000000000 ____D C:\Users\gngn1 
	2022-09-28 22:36 - 2021-12-15 02:18 - 000000000 ____D C:\Users\gngn1\AppData\LocalLow\Mozilla 
	2022-09-28 22:34 - 2022-03-25 05:54 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\TeraCopy 
	2022-09-28 22:27 - 2021-11-09 18:28 - 000000000 ____D C:\Windows\system32\SleepStudy 
	2022-09-28 13:46 - 2022-01-12 13:20 - 000000000 ___RD C:\Users\gngn1\Creative Cloud Files 
	2022-09-28 13:35 - 2022-03-11 04:25 - 000036208 _____ (Sysinternals - www.sysinternals.com) C:\Windows\system32\Drivers\PROCEXP152.SYS 
	2022-09-27 22:25 - 2021-12-05 03:22 - 000000000 ____D C:\Users\gngn1\AppData\Local\D3DSCache 
	2022-09-27 22:08 - 2021-12-05 03:22 - 000000000 ____D C:\Users\gngn1\AppData\Local\Packages 
	2022-09-27 22:08 - 2021-11-09 18:29 - 000000000 ____D C:\ProgramData\Packages 
	2022-09-27 22:06 - 2022-08-17 08:58 - 000000000 ____D C:\Program Files\Microsoft OneDrive 
	2022-09-27 21:15 - 2022-03-11 04:10 - 000000000 ____D C:\sysinternals 
	2022-09-26 22:56 - 2021-12-15 00:05 - 000003588 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1001 
	2022-09-26 12:34 - 2022-04-06 22:49 - 000001623 _____ C:\Windows\system32\config\VSMIDK 
	2022-09-26 09:15 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\LiveKernelReports 
	2022-09-26 03:16 - 2022-02-07 01:19 - 000003118 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1002 
	2022-09-26 02:18 - 2022-02-12 00:36 - 000000000 ____D C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38 
	2022-09-26 02:05 - 2022-01-08 17:39 - 000000000 ____D C:\Users\gngn1\AppData\Local\CrashDumps 
	2022-09-26 00:31 - 2021-06-05 07:10 - 000000000 ___RD C:\Windows\PrintDialog 
	2022-09-26 00:15 - 2021-11-09 18:52 - 000000000 __RHD C:\Users\Public\AccountPictures 
	2022-09-26 00:15 - 2021-06-05 07:10 - 000000000 ___RD C:\Windows\ImmersiveControlPanel 
	2022-09-25 23:22 - 2021-12-05 03:22 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Adobe 
	2022-09-24 22:56 - 2021-06-05 07:01 - 000000000 ____D C:\Windows\CbsTemp 
	2022-09-24 11:44 - 2021-12-05 03:50 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service 
	2022-09-24 11:44 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\ServiceState 
	2022-09-23 13:32 - 2021-12-05 03:50 - 000001007 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk 
	2022-09-23 13:32 - 2021-12-05 03:50 - 000000000 ____D C:\Windows\system32\Tasks\Mozilla 
	2022-09-23 12:35 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\SecurityHealth 
	2022-09-22 21:52 - 2022-07-08 12:14 - 000000000 ____D C:\ProgramData\boost_interprocess 
	2022-09-22 13:38 - 2022-01-11 17:45 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\vlc 
	2022-09-22 11:18 - 2022-08-04 21:50 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\QtProject 
	2022-09-21 12:09 - 2021-12-22 14:02 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Telegram Desktop 
	2022-09-21 12:02 - 2022-01-04 03:43 - 000000000 ____D C:\Users\gngn1\AppData\Roaming\Spotify 
	2022-09-21 12:00 - 2022-01-15 00:13 - 000000000 ____D C:\Users\gngn1\AppData\Local\Spotify 
	2022-09-20 17:51 - 2022-05-25 03:10 - 000000000 ____D C:\Users\gngn1\dwhelper 
	2022-09-18 02:58 - 2021-11-09 18:41 - 000000000 ____D C:\Program Files\Microsoft Office 
	2022-09-16 09:26 - 2022-02-19 22:29 - 001285856 _____ C:\Windows\system32\FNTCACHE.DAT 
	2022-09-16 09:26 - 2022-02-03 16:36 - 000000000 ____D C:\ProgramData\Logishrd 
	2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SysWOW64\Dism 
	2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SystemResources 
	2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\setup 
	2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\oobe 
	2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\Dism 
	2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\DDFs 
	2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\appraiser 
	2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\Provisioning 
	2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\bcastdvr 
	2022-09-13 21:21 - 2021-12-06 16:53 - 000000000 ____D C:\Windows\system32\MRT 
	2022-09-13 21:19 - 2021-12-06 16:53 - 141646296 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe 
	2022-09-13 21:17 - 2021-11-09 18:31 - 003103744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll 
	2022-09-13 02:12 - 2022-01-12 13:12 - 000000000 ____D C:\Program Files\Common Files\Adobe 
	2022-09-07 04:33 - 2021-11-09 18:28 - 000000000 ____D C:\Windows\system32\Drivers\wd
 


	==================== Files in the root of some directories ========
 


	2022-06-23 03:39 - 2022-06-23 03:39 - 000000036 _____ () C:\Users\gngn1\AppData\Local\.__explain_this_is_writeable_not_delete__ 
	2021-12-06 02:51 - 2022-08-25 23:21 - 000007686 _____ () C:\Users\gngn1\AppData\Local\Resmon.ResmonCfg
 


	==================== SigCheck ============================
 


	(There is no automatic fix for files that do not pass verification.)
 


	==================== End of FRST.txt ========================
 


 


	Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-08-2022 
	Ran by God (29-09-2022 00:16:53) 
	Running from C:\Users\gngn1\Desktop 
	Microsoft Windows 11 Home Version 21H2 22000.978 (X64) (2021-12-05 08:22:38) 
	Boot Mode: Normal 
	==========================================================
 


	 
	==================== Accounts: =============================
 


	 
	(If an entry is included in the fixlist, it will be removed.)
 


	Administrator (S-1-5-21-1789883001-303321401-512692908-500 - Administrator - Disabled) 
	DefaultAccount (S-1-5-21-1789883001-303321401-512692908-503 - Limited - Disabled) 
	God (S-1-5-21-1789883001-303321401-512692908-1001 - Administrator - Enabled) => C:\Users\gngn1 
	Guest (S-1-5-21-1789883001-303321401-512692908-501 - Limited - Disabled) 
	Sokka (S-1-5-21-1789883001-303321401-512692908-1003 - Limited - Enabled) => C:\Users\Sokka 
	WDAGUtilityAccount (S-1-5-21-1789883001-303321401-512692908-504 - Limited - Disabled)
 


	==================== Security Center ========================
 


	(If an entry is included in the fixlist, it will be removed.)
 


	AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 


	==================== Installed Programs ======================
 


	(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 


	7-Zip 19.00 (x64 edition) (HKLM\...\{23170F69-40C1-2702-1900-000001000000}) (Version: 19.00.00.0 - Igor Pavlov) 
	7-Zip 21.06 (x64) (HKLM\...\7-Zip) (Version: 21.06 - Igor Pavlov) 
	Adobe Bridge 2022 (HKLM-x32\...\KBRG_12_0_1) (Version: 12.0.1 - Adobe Inc.) 
	Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 5.8.0.592 - Adobe Inc.) 
	Adobe Illustrator 2022 (HKLM-x32\...\ILST_26_0_2) (Version: 26.0.2 - Adobe Inc.) 
	Adobe Premiere Rush (HKLM-x32\...\RUSH_2_0) (Version: 2.0 - Adobe Inc.) 
	Apple Mobile Device Support (HKLM\...\{527DD209-8A66-482F-8779-C7B3BACCA8F1}) (Version: 15.0.0.16 - Apple Inc.) 
	Apple Software Update (HKLM-x32\...\{A3985C05-7386-411F-A4BF-32A73F37EB44}) (Version: 2.6.3.1 - Apple Inc.) 
	Audacity 3.1.2 (HKLM\...\Audacity_is1) (Version: 3.1.2 - Audacity Team) 
	Autopsy (HKLM\...\{1633CA1B-52C0-47B5-9A31-5A7764F4BA83}) (Version: 4.19.3 - The Sleuth Kit) 
	Classic Shell (HKLM\...\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}) (Version: 4.3.1 - IvoSoft) 
	Dell SupportAssist OS Recovery Plugin for Dell Update (HKLM-x32\...\{ec40a028-983b-4213-af2c-77ed6f6fe1d5}) (Version: 5.4.1.14954 - Dell Inc.) 
	Dell SupportAssist Remediation (HKLM-x32\...\{0b3f567c-a2ee-437a-861f-bb6da9f2111b}) (Version: 5.5.0.16046 - Dell Inc.) 
	Dynamic Application Loader Host Interface Service (HKLM\...\{A28339C8-E641-4CCE-A316-56F405D1C245}) (Version: 1.0.0.0 - Intel Corporation) Hidden 
	EaseUS MobiSaver 8.0.2 (HKLM-x32\...\EaseUS MobiSaver_is1) (Version:  - EaseUS) 
	EaseUS MobiUnlock 3.0.1 (HKLM-x32\...\EaseUS MobiUnlock_is1) (Version:  - EaseUS) 
	Falkon 3.1.0 x64 (HKLM-x32\...\Falkon) (Version: 3.1.0 x64 - Falkon Team) 
	FastStone Image Viewer 7.5 (HKLM-x32\...\FastStone Image Viewer) (Version: 7.5 - FastStone Soft) 
	FileZilla Client 3.58.0 (HKLM-x32\...\FileZilla Client) (Version: 3.58.0 - Tim Kosse) 
	Fusion Service (HKLM\...\{599709E7-DD10-4FF5-96D5-7C6F6B5F62C0}) (Version: 1.92.22.0 - Dell.Inc) Hidden 
	Fusion Service (HKLM-x32\...\{81ce0187-37c1-4c23-8387-44454e1796ad}) (Version: 1.92.22.0 - Dell.Inc) 
	Google Earth Pro (HKLM\...\{C36E66A6-6EE5-47DB-945F-A6F03225D540}) (Version: 7.3.4.8573 - Google) 
	Intel(R) LMS (HKLM\...\{A0983640-26D2-4CD8-A512-747BF3CF3F82}) (Version: 1.0.0.0 - Intel Corporation) Hidden 
	Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 2101.15.0.2080 - Intel Corporation) 
	iTunes (HKLM\...\{0B3CC856-3A62-443A-B6CE-DED2D4495D56}) (Version: 12.12.2.2 - Apple Inc.) 
	Jump Desktop (HKLM\...\{388F7980-94E2-4BAD-9123-F07E05BD16A2}) (Version: 8.4.27.0 - Phase Five Systems) 
	Jump Desktop Connect (HKLM-x32\...\{081CADBE-4FE4-4AA9-A187-221A03078C6A}) (Version: 6.7.69.0 - Phase Five Systems) 
	Logi Options+ (HKLM\...\{850cdc16-85df-4052-b06e-4e3e9e83c5c6}) (Version: 1.22.5550 - Logitech) 
	Logitech Options (HKLM\...\LogiOptions) (Version: 9.60.87 - Logitech) 
	Malwarebytes version 4.4.11.149 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.4.11.149 - Malwarebytes) 
	Microsoft 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.15601.20148 - Microsoft Corporation) 
	Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 105.0.1343.53 - Microsoft Corporation) 
	Microsoft OneDrive (HKLM\...\OneDriveSetup.exe) (Version: 22.191.0911.0001 - Microsoft Corporation) 
	Microsoft OneNote - en-us (HKLM\...\OneNoteFreeRetail - en-us) (Version: 16.0.15601.20148 - Microsoft Corporation) 
	Microsoft Update Health Tools (HKLM\...\{6A2A8076-135F-4F55-BB02-DED67C8C6934}) (Version: 4.67.0.0 - Microsoft Corporation) 
	Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) 
	Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) 
	Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation) 
	Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation) 
	Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (HKLM\...\{37B8F9C7-03FB-3253-8781-2517C99D7C00}) (Version: 11.0.61030 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (HKLM\...\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}) (Version: 11.0.61030 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (HKLM-x32\...\{B175520C-86A2-35A7-8619-86DC379688B9}) (Version: 11.0.61030 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (HKLM-x32\...\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}) (Version: 11.0.61030 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664 (HKLM-x32\...\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}) (Version: 12.0.40664.0 - Microsoft Corporation) 
	Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664 (HKLM-x32\...\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}) (Version: 12.0.40664.0 - Microsoft Corporation) 
	Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664 (HKLM\...\{010792BA-551A-3AC0-A7EF-0FAB4156C382}) (Version: 12.0.40664 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664 (HKLM\...\{53CF6934-A98D-3D84-9146-FC4EDF3D5641}) (Version: 12.0.40664 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664 (HKLM-x32\...\{D401961D-3A20-3AC7-943B-6139D5BD490A}) (Version: 12.0.40664 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664 (HKLM-x32\...\{8122DAB1-ED4D-3676-BB0A-CA368196543E}) (Version: 12.0.40664 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326 (HKLM-x32\...\{2d507699-404c-4c8b-a54a-38e352f32cdd}) (Version: 14.32.31326.0 - Microsoft Corporation) 
	Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.32.31326 (HKLM-x32\...\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}) (Version: 14.32.31326.0 - Microsoft Corporation) 
	Microsoft Visual C++ 2022 X64 Additional Runtime - 14.32.31326 (HKLM\...\{38624EB5-356D-4B08-8357-C33D89A5C0C5}) (Version: 14.32.31326 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.32.31326 (HKLM\...\{C96241EA-9900-4FE8-85B3-1E238D509DF6}) (Version: 14.32.31326 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2022 X86 Additional Runtime - 14.32.31326 (HKLM-x32\...\{A250E750-DB3F-40C1-8460-8EF77C7582DA}) (Version: 14.32.31326 - Microsoft Corporation) Hidden 
	Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.32.31326 (HKLM-x32\...\{46E11E7F-01E1-44D0-BB86-C67342D253DD}) (Version: 14.32.31326 - Microsoft Corporation) Hidden 
	Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\{7C0242A3-8B66-35D1-9FE0-13B426ACB609}) (Version: 10.0.60729 - Microsoft Corporation) Hidden 
	Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.60724 - Microsoft Corporation) 
	Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 105.0.1 (x64 en-US)) (Version: 105.0.1 - Mozilla) 
	Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 94.0.2 - Mozilla) 
	Npcap (HKLM-x32\...\NpcapInst) (Version: 1.60 - Nmap Project) 
	Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.15601.20064 - Microsoft Corporation) Hidden 
	Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.15601.20148 - Microsoft Corporation) Hidden 
	Opera Stable 90.0.4480.84 (HKLM-x32\...\Opera 90.0.4480.84) (Version: 90.0.4480.84 - Opera Software) 
	PotPlayer-64 bit (HKLM\...\PotPlayer64) (Version: 220914 - Kakao Corp.) 
	PuTTY release 0.76 (64-bit) (HKLM\...\{1E0D5689-40F1-4E46-ABBB-EAAC68B5CD89}) (Version: 0.76.0.0 - Simon Tatham) 
	qBittorrent 4.3.9 (HKLM-x32\...\qBittorrent) (Version: 4.3.9 - The qBittorrent project) 
	Revo Uninstaller 2.3.8 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.3.8 - VS Revo Group, Ltd.) 
	Spotify (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Spotify) (Version: 1.1.94.870.gf994cb0b - Spotify AB) 
	SumatraPDF (HKLM\...\SumatraPDF) (Version: 3.3.3 - Krzysztof Kowalczyk) 
	TeamViewer (HKLM-x32\...\TeamViewer) (Version: 15.24.5 - TeamViewer) 
	Telegram Desktop version 4.1.1 (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1) (Version: 4.1.1 - Telegram FZ-LLC) 
	TeraCopy (HKLM\...\{F8B0BB18-B1E6-4821-8C5B-883AA5DE3EEA}) (Version: 3.9.0 - Code Sector) 
	TinyWall (HKLM-x32\...\{6A366BCB-2A38-4D2A-80FD-A5E0C32C97C8}) (Version: 3.2.3.0 - Károly Pados) 
	USBPcap 1.5.4.0 (HKLM\...\USBPcap) (Version: 1.5.4.0 - Tomasz Mon) 
	UXP WebView Support (HKLM-x32\...\UXPW_1_1_0) (Version: 1.1.0 - Adobe Inc.) 
	VdhCoApp 1.6.3 (HKLM\...\weh-iss-net.downloadhelper.coapp_is1) (Version:  - DownloadHelper) 
	VLC media player (HKLM\...\VLC media player) (Version: 3.0.16 - VideoLAN) 
	WinDirStat 1.1.2 (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\WinDirStat) (Version:  - ) 
	WinMerge 2.16.16.0 x64 (HKLM\...\WinMerge_is1) (Version: 2.16.16.0 - Thingamahoochie Software) 
	WinRAR 6.02 (64-bit) (HKLM\...\WinRAR archiver) (Version: 6.02.0 - win.rar GmbH) 
	Wireshark 3.6.7 64-bit (HKLM-x32\...\Wireshark) (Version: 3.6.7 - The Wireshark developer community, hxxps://www.wireshark.org) 
	XnView 2.50.4 (HKLM-x32\...\XnView_is1) (Version: 2.50.4 - Gougelet Pierre-e) 
	Zoom (HKLM-x32\...\{1B8D4A17-201A-4113-A512-B7DEEF293AF1}) (Version: 5.8.2048 - Zoom)
 


	Packages: 
	========= 
	Adobe Notification Client -> C:\Program Files\WindowsApps\AdobeNotificationClient_3.0.1.1_x86__enpm4xejd91yc [2022-04-28] (Adobe Systems Incorporated) 
	Dell Mobile Connect -> C:\Program Files\WindowsApps\ScreenovateTechnologies.DellMobileConnectPlus_4.1.8330.0_x64__0vhbc3ng4wbp0 [2022-09-26] (Screenovate Technologies) 
	Intel® Optane™ Memory and Storage Management -> C:\Program Files\WindowsApps\AppUp.IntelOptaneMemoryandStorageManagement_18.1.1032.0_x64__8j3eq9eme6ctt [2022-09-26] (INTEL CORP) 
	MPEG-2 Video Extension -> C:\Program Files\WindowsApps\Microsoft.MPEG2VideoExtension_1.0.50901.0_x64__8wekyb3d8bbwe [2022-09-26] (Microsoft Corporation) 
	Photos Media Engine Add-on -> C:\Program Files\WindowsApps\Microsoft.Photos.MediaEngineDLC_1.0.0.0_x64__8wekyb3d8bbwe [2022-04-02] (Microsoft Corporation) 
	Power Automate -> C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.4447.0_x64__8wekyb3d8bbwe [2022-09-26] (Microsoft Corporation) [Startup Task] 
	Unigram—Telegram for Windows -> C:\Program Files\WindowsApps\38833FF26BA1D.UnigramPreview_8.9.7687.0_x64__g9c9v27vpyspw [2022-09-05] (Unigram, Inc.) [Startup Task]
 


	==================== Custom CLSID (Whitelisted): ==============
 


	(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 


	CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-231FB76D9980} -> [Creative Cloud Files] => C:\Users\gngn1\Creative Cloud Files [2022-01-12 13:20] 
	CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{23B3E3D8-C162-4A8B-AB0C-0905DCB1DF19}\InprocServer32 -> C:\Users\gngn1\AppData\Local\Packages\Microsoft.PowerAutomateDesktop_8wekyb3d8bbwe\TempState\RDP\DVCPlugin\x64\Microsoft.Flow.RPA.Desktop.UIAutomation.RDP.DVC.Plugin.dll (Microsoft Corporation -> ) 
	CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{2F81B25E-7507-4844-BFF2-77D2CC24CED4}\localserver32 -> C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe (Adobe Inc. -> Adobe Inc.) 
	CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{375360E1-2D4B-4DEB-9C05-B3A3CA553923}\InprocServer32 -> C:\Program Files\Mozilla Firefox\notificationserver.dll (Mozilla Corporation -> Mozilla Foundation) 
	CustomCLSID: HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Inc. -> Adobe Systems) 
	ShellIconOverlayIdentifiers: [    OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers: [    OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers: [    OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers: [    OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers: [    OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers: [    OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers: [    OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers: [   AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> ) 
	ShellIconOverlayIdentifiers: [   AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> ) 
	ShellIconOverlayIdentifiers: [   AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> ) 
	ShellIconOverlayIdentifiers: [  OptaneIconOverlay] -> {A3AF6F6C-8BED-3D93-8B5D-33427B5D38E9} => C:\Windows\System32\DriverStore\FileRepository\iastorpinningcomponent.inf_amd64_ff8d0bd695f4bb2e\OptaneShellExt.dll [2022-02-07] (Intel Corporation -> ) 
	ShellIconOverlayIdentifiers-x32: [    OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers-x32: [    OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers-x32: [    OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers-x32: [    OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers-x32: [    OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers-x32: [    OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ShellIconOverlayIdentifiers-x32: [    OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed] 
	ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> ) 
	ContextMenuHandlers1: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} => C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector) 
	ContextMenuHandlers1: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -> hxxps://winmerge.org) 
	ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal) 
	ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal) 
	ContextMenuHandlers2: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} => C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector) 
	ContextMenuHandlers2: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -> hxxps://winmerge.org) 
	ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-12-05] (Malwarebytes Corporation -> Malwarebytes) 
	ContextMenuHandlers3: [OptaneContextMenu] -> {AD7EBB13-617D-3270-8FA8-46583499C4FB} => C:\Windows\System32\DriverStore\FileRepository\iastorpinningcomponent.inf_amd64_ff8d0bd695f4bb2e\OptaneShellExt.dll [2022-02-07] (Intel Corporation -> ) 
	ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed] 
	ContextMenuHandlers4: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} => C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector) 
	ContextMenuHandlers4: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -> hxxps://winmerge.org) 
	ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft Corporation -> Microsoft Corporation) 
	ContextMenuHandlers5: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka -> hxxps://winmerge.org) 
	ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed] 
	ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> ) 
	ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-12-05] (Malwarebytes Corporation -> Malwarebytes) 
	ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper64.dll [2017-08-13] (Ivaylo Beltchev -> IvoSoft) [File not signed] 
	ContextMenuHandlers6: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} => C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector) 
	ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal) 
	ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -> Alexander Roshal)
 


	==================== Codecs (Whitelisted) ====================
 


	==================== Shortcuts & WMI ========================
 


	==================== Loaded Modules (Whitelisted) =============
 


	2022-02-21 11:25 - 2022-02-21 11:25 - 000144896 _____ () [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\libssh2.dll 
	2022-02-21 11:25 - 2022-02-21 11:25 - 000077824 _____ () [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\zlib.dll 
	2021-12-05 03:51 - 2021-11-24 09:00 - 000093696 _____ (Igor Pavlov) [File not signed] C:\Program Files\7-Zip\7-zip.dll 
	2017-08-13 09:49 - 2017-08-13 09:49 - 003664184 _____ (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll 
	2017-08-13 09:49 - 2017-08-13 09:49 - 000291128 _____ (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Windows\system32\StartMenuHelper64.dll 
	2021-11-09 18:41 - 2021-11-09 18:41 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppvIsvSubsystems64.dll] C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll 
	2021-11-09 18:41 - 2021-11-09 18:41 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2R64.dll] C:\Program Files\Microsoft Office\Root\Office16\c2r64.dll 
	2022-01-07 10:41 - 2022-01-07 10:41 - 013733888 _____ (Phase Five Systems) [File not signed] C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnectCore.dll 
	2022-02-21 11:25 - 2022-02-21 11:25 - 000355840 _____ (The cURL library, hxxp://curl.haxx.se/) [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\LIBCURL.dll 
	2022-02-21 11:25 - 2022-02-21 11:25 - 002286747 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\LIBEAY32.dll 
	2022-02-21 11:25 - 2022-02-21 11:25 - 000416627 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\SSLEAY32.dll
 


	==================== Alternate Data Streams (Whitelisted) ========
 


	==================== Safe Mode (Whitelisted) ==================
 


	(If an entry is included in the fixlist, it will be removed from the registry. The &quot;AlternateShell&quot; will be restored.)
 


	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => &quot;AlternateShell&quot;=&quot;&quot; 
	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AutorunsDisabled => &quot;AlternateShell&quot;=&quot;cmd.exe&quot; 
	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\65395606.sys => &quot;&quot;=&quot;Driver&quot; 
	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => &quot;&quot;=&quot;Service&quot; 
	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\65395606.sys => &quot;&quot;=&quot;Driver&quot; 
	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => &quot;&quot;=&quot;Service&quot; 
	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => &quot;&quot;=&quot;Service&quot;
 


	==================== Association (Whitelisted) =================
 


	==================== Internet Explorer (Whitelisted) ==========
 


	URLSearchHook: [S-1-5-21-1789883001-303321401-512692908-1001] ATTENTION => Default URLSearchHook is missing 
	BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File 
	BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2022-08-16] (Microsoft Corporation -> Microsoft Corporation) 
	Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation) 
	Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation) 
	Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation) 
	Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation) 
	Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation) 
	Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation) 
	Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation) 
	Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
 


	==================== Hosts content: =========================
 


	(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 


	2021-06-05 07:08 - 2021-10-11 02:45 - 000334861 _____ C:\Windows\system32\drivers\etc\hosts 
	127.0.0.1 localhost 
	0.0.0.0 fr.a2dfp.net 
	0.0.0.0 mfr.a2dfp.net 
	0.0.0.0 ad.a8.net 
	0.0.0.0 asy.a8ww.net 
	0.0.0.0 static.a-ads.com 
	0.0.0.0 abcstats.com 
	0.0.0.0 track.acclaimnetwork.com 
	0.0.0.0 csh.actiondesk.com 
	0.0.0.0 ads.activepower.net 
	0.0.0.0 app.activetrail.com 
	0.0.0.0 ad2games.com 
	0.0.0.0 adadvisor.net 
	0.0.0.0 www.adchimp.com 
	0.0.0.0 pixel.adcrowd.com 
	0.0.0.0 ct1.addthis.com 
	0.0.0.0 static.uk.addynamo.com 
	0.0.0.0 adexc.net 
	0.0.0.0 static.adfclick1.com 
	0.0.0.0 server.adformdsp.net 
	0.0.0.0 s.adframesrc.com 
	0.0.0.0 media.adfrontiers.com 
	0.0.0.0 www.adgitize.com 
	0.0.0.0 www.ad-groups.com #[Ban Man Pro Banner Code] 
	0.0.0.0 adgrx.com 
	0.0.0.0 adhall.com 
	0.0.0.0 adhitzads.com 
	0.0.0.0 aj.adjungle.com 
	0.0.0.0 adserver-e7.com 
	0.0.0.0 n.admagnet.net
 


	There are 8702 more lines.
 


	 
	2022-01-20 10:16 - 2022-08-07 23:11 - 000000374 _____ C:\Windows\system32\drivers\etc\hosts.ics
 


	==================== Other Areas ===========================
 


	(Currently there is no automatic fix for this section.)
 


	HKU\S-1-5-21-1789883001-303321401-512692908-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper 
	HKU\S-1-5-21-1789883001-303321401-512692908-1003\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg 
	DNS Servers: 9.9.9.9 - 149.112.112.112 
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) 
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: ) 
	Windows Firewall is enabled.
 


	Network Binding: 
	============= 
	Ethernet: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled)&nbsp; 
	Bluetooth Network Connection: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled)&nbsp; 
	Wi-Fi: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled)&nbsp; 
	Wi-Fi: Npcap Packet Driver (NPCAP) (Wi-Fi) -> INSECURE_NPCAP_WIFI (enabled)&nbsp;
 


	==================== MSCONFIG/TASK MANAGER disabled items ==
 


	(If an entry is included in the fixlist, it will be removed.)
 


	HKLM\...\StartupApproved\Run: => &quot;Everything&quot; 
	HKLM\...\StartupApproved\Run: => &quot;iTunesHelper&quot; 
	HKLM\...\StartupApproved\Run: => &quot;Opera Browser Assistant&quot; 
	HKLM\...\StartupApproved\Run: => &quot;AdobeAAMUpdater-1.0&quot; 
	HKLM\...\StartupApproved\Run: => &quot;Logitech Download Assistant&quot; 
	HKLM\...\StartupApproved\Run32: => &quot;Adobe CCXProcess&quot; 
	HKLM\...\StartupApproved\Run32: => &quot;Adobe Creative Cloud&quot; 
	HKLM\...\StartupApproved\Run32: => &quot;Opera Browser Assistant&quot; 
	HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\StartupFolder: => &quot;Send to OneNote.lnk&quot; 
	HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: => &quot;MicrosoftEdgeAutoLaunch_C0A32B37347337D257B1541CA93F7472&quot; 
	HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: => &quot;Spotify&quot; 
	HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: => &quot;Speech Recognition&quot;
 


	==================== FirewallRules (Whitelisted) ================
 


	(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 


	FirewallRules: [Microsoft-Windows-Unified-Telemetry-Client] => (Block) C:\Windows\system32\svchost.exe (Microsoft Windows Publisher -> Microsoft Corporation) 
	FirewallRules: [{C2A5E20E-1F04-4D7D-ADAA-9026D35A3B26}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation) 
	FirewallRules: [{027E032D-A7ED-45B3-AB1D-5C808C685D7A}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation) 
	FirewallRules: [{4665FCD0-7E10-41E1-90FE-309580DEF7CD}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation) 
	FirewallRules: [{1E860482-8990-4E25-9246-9A99F50B6E0E}] => (Allow) C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe (PhaseFive Systems LLC -> Phase Five Systems) 
	FirewallRules: [{380E5FDE-93A1-4238-BE5C-FEF5E36946D7}] => (Allow) C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe (PhaseFive Systems LLC -> Phase Five Systems) 
	FirewallRules: [{B5C81192-EC77-485C-99B4-B8AAB7195F28}] => (Allow) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.EXE (Logitech Inc -> Logitech, Inc.) 
	FirewallRules: [{93AB2033-C6B3-4FC4-9928-E46BFC60D137}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22055.502.1226.2344_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation) 
	FirewallRules: [{97046305-7548-4DED-B501-487DBADD4D15}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22055.502.1226.2344_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation) 
	FirewallRules: [{EA21E87C-9F2A-4449-8408-C08AF06912CD}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe => No File 
	FirewallRules: [{EF0DC3B7-2A94-41EF-9F5A-7678A08AD664}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe => No File 
	FirewallRules: [{2AE5D8DA-0340-43A6-A8DB-4DC1A0D30C42}] => (Allow) C:\Program Files\Opera\90.0.4480.54\opera.exe (Opera Norway AS -> Opera Software) 
	FirewallRules: [{8FEE7E9A-04FF-4D4E-9C6E-0149217D6928}] => (Allow) C:\Program Files\Opera\90.0.4480.84\opera.exe (Opera Norway AS -> Opera Software) 
	FirewallRules: [{BC39B814-683D-46EE-9ECB-9C7F751AA32E}] => (Allow) C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe (Logitech Inc -> Logitech, Inc.)
 


	==================== Restore Points =========================
 


	28-09-2022 23:00:02 Removed Bonjour 
	28-09-2022 23:01:27 Removed 7-Zip 19.00 (x64 edition)
 


	==================== Faulty Device Manager Devices ============
 


	Name: Realtek PCIe GbE Family Controller 
	Description: Realtek PCIe GbE Family Controller 
	Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} 
	Manufacturer: Realtek 
	Service: rt640x64 
	Problem: : This device is disabled. (Code 22) 
	Resolution: In Device Manager, click &quot;Action&quot;, and then click &quot;Enable Device&quot;. This starts the Enable Device wizard. Follow the instructions.
 


	 
	==================== Event log errors: ========================
 


	Application errors: 
	================== 
	Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 8193) (User: ) 
	Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. &nbsp;hr = 0x8007045b, A system shutdown is in progress. 
	.
 


	Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 13) (User: ) 
	Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. 
	]
 


	Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 8193) (User: ) 
	Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. &nbsp;hr = 0x8007045b, A system shutdown is in progress. 
	.
 


	Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 13) (User: ) 
	Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. 
	]
 


	Error: (09/28/2022 01:39:17 PM) (Source: Application Hang) (EventID: 1002) (User: ) 
	Description: The program explorer.exe version 10.0.22000.978 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 


	Process ID: 1e84
 


	Start Time: 01d8d36839d9a69c
 


	Termination Time: 20
 


	Application Path: C:\Windows\explorer.exe
 


	Report Id: 9e6212d3-1134-4a4f-b69b-c2ec549a2dbf
 


	Faulting package full name:&nbsp;
 


	Faulting package-relative application ID:&nbsp;
 


	Hang type: Unknown
 


	Error: (09/28/2022 01:38:56 PM) (Source: Windows Backup) (EventID: 4103) (User: ) 
	Description: The backup did not complete because of an error writing to the backup location B:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).
 


	Error: (09/28/2022 01:31:31 PM) (Source: Firefox Default Browser Agent) (EventID: 12007) (User: ) 
	Description: Event-ID 12007
 


	Error: (09/28/2022 01:31:31 PM) (Source: Firefox Default Browser Agent) (EventID: 0) (User: ) 
	Description: Event-ID 0
 


	 
	System errors: 
	============= 
	Error: (09/28/2022 11:58:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL) 
	Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate. 
	&nbsp;The SSPI client process is LogiLuUpdater (PID: 15420).
 


	Error: (09/28/2022 11:28:54 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL) 
	Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate. 
	&nbsp;The SSPI client process is LogiLuUpdater (PID: 11432).
 


	Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL) 
	Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate. 
	&nbsp;The SSPI client process is LogiLuUpdater (PID: 16948).
 


	Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL) 
	Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate. 
	&nbsp;The SSPI client process is LogiLuUpdater (PID: 16600).
 


	Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL) 
	Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate. 
	&nbsp;The SSPI client process is LogiLuUpdater (PID: 16476).
 


	Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL) 
	Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate. 
	&nbsp;The SSPI client process is LogiLuUpdater (PID: 15328).
 


	Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL) 
	Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate. 
	&nbsp;The SSPI client process is LogiLuUpdater (PID: 16400).
 


	Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User: FAST-DELL) 
	Description: The certificate received from the remote server has not validated correctly. The error code is 0x80092013. The TLS connection request has failed. The attached data contains the server certificate. 
	&nbsp;The SSPI client process is LogiLuUpdater (PID: 16516).
 


	 
	Windows Defender: 
	================ 
	Date: 2022-09-26 10:30:42 
	Description:&nbsp; 
	Microsoft Defender Antivirus has detected malware or other potentially unwanted software. 
	For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0 
	Name: SettingsModifier:Win32/PossibleHostsFileHijack 
	Severity: Medium 
	Category: Settings Modifier 
	Path: file:_C:\Windows\System32\drivers\etc\hosts 
	Detection Origin: Local machine 
	Detection Type: Concrete 
	Detection Source: System 
	Process Name: Unknown 
	Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0 
	Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3
 


	Date: 2022-09-26 10:30:30 
	Description:&nbsp; 
	Microsoft Defender Antivirus has detected malware or other potentially unwanted software. 
	For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0 
	Name: SettingsModifier:Win32/PossibleHostsFileHijack 
	Severity: Medium 
	Category: Settings Modifier 
	Path: file:_C:\Windows\System32\drivers\etc\hosts 
	Detection Origin: Local machine 
	Detection Type: Concrete 
	Detection Source: System 
	Process Name: Unknown 
	Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0 
	Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3
 


	Date: 2022-09-26 02:23:28 
	Description:&nbsp; 
	Microsoft Defender Antivirus has detected malware or other potentially unwanted software. 
	For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0 
	Name: SettingsModifier:Win32/PossibleHostsFileHijack 
	Severity: Medium 
	Category: Settings Modifier 
	Path: file:_C:\Windows\System32\drivers\etc\hosts 
	Detection Origin: Local machine 
	Detection Type: Concrete 
	Detection Source: System 
	Process Name: C:\Users\gngn1\Desktop\FRST64.exe 
	Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0 
	Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3
 


	Date: 2022-09-26 01:58:41 
	Description:&nbsp; 
	Microsoft Defender Antivirus has detected malware or other potentially unwanted software. 
	For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0 
	Name: SettingsModifier:Win32/PossibleHostsFileHijack 
	Severity: Medium 
	Category: Settings Modifier 
	Path: file:_C:\Windows\System32\drivers\etc\hosts 
	Detection Origin: Local machine 
	Detection Type: Concrete 
	Detection Source: System 
	Process Name: Unknown 
	Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS: 1.375.1016.0 
	Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3
 


	Date: 2022-09-26 00:15:31 
	Description:&nbsp; 
	Microsoft Defender Antivirus has detected malware or other potentially unwanted software. 
	For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&amp;name=SettingsModifier:Win32/PossibleHostsFileHijack&amp;threatid=14994&amp;enterprise=0 
	Name: SettingsModifier:Win32/PossibleHostsFileHijack 
	Severity: Medium 
	Category: Settings Modifier 
	Path: file:_C:\Windows\System32\drivers\etc\hosts 
	Detection Origin: Local machine 
	Detection Type: Concrete 
	Detection Source: System 
	Process Name: Unknown 
	Security intelligence Version: AV: 1.375.1006.0, AS: 1.375.1006.0, NIS: 1.375.1006.0 
	Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3 
	Event[0]
 


	Date: 2022-09-28 22:41:33 
	Description:&nbsp; 
	Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed. 
	Feature: On Access 
	Error Code: 0x8007043c 
	Error description: This service cannot be started in Safe Mode&nbsp; 
	Reason: Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
 


	Date: 2022-09-28 22:37:32 
	Description:&nbsp; 
	Microsoft Defender Antivirus has encountered an error trying to update security intelligence. 
	New security intelligence Version:&nbsp; 
	Previous security intelligence Version: 1.375.1177.0 
	Update Source: Microsoft Update Server 
	Security intelligence Type: AntiVirus 
	Update Type: Full 
	Current Engine Version:&nbsp; 
	Previous Engine Version: 1.1.19600.3 
	Error code: 0x80240438 
	Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.&nbsp;
 


	Date: 2022-09-28 13:39:15 
	Description:&nbsp; 
	Microsoft Defender Antivirus has encountered an error trying to update security intelligence. 
	New security intelligence Version:&nbsp; 
	Previous security intelligence Version: 1.375.1134.0 
	Update Source: Microsoft Update Server 
	Security intelligence Type: AntiVirus 
	Update Type: Full 
	Current Engine Version:&nbsp; 
	Previous Engine Version: 1.1.19600.3 
	Error code: 0x8024402c 
	Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.&nbsp;
 


	CodeIntegrity: 
	=============== 
	Date: 2022-09-28 23:19:07 
	Description:&nbsp; 
	Code Integrity determined that a process (\Device\HarddiskVolume8\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume8\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 


	Date: 2022-09-28 22:32:20 
	Description:&nbsp; 
	Code Integrity determined that a process (\Device\HarddiskVolume8\Windows\System32\SIHClient.exe) attempted to load \Device\HarddiskVolume8\Program Files\Bonjour\mdnsNSP.dll that did not meet the Windows signing level requirements.
 


	 
	==================== Memory info ===========================&nbsp;
 


	BIOS: Dell Inc. 1.5.0 02/11/2022 
	Motherboard: Dell Inc. 0YF8P5 
	Processor: Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz 
	Percentage of memory in use: 41% 
	Total physical RAM: 12021.07 MB 
	Available physical RAM: 7019.64 MB 
	Total Virtual: 28838.92 MB 
	Available Virtual: 23710.69 MB
 


	==================== Drives ================================
 


	Drive a: (1TB-LT) (Fixed) (Total:917.04 GB) (Free:297.48 GB) (Model: TOSHIBA MQ01ABD100) NTFS 
	Drive c: (OS) (Fixed) (Total:460.75 GB) (Free:50.22 GB) (Model: NVMe BC711 NVMe SK hynix 512GB) NTFS 
	Drive d: (RECOVERY) (Fixed) (Total:13.24 GB) (Free:1.57 GB) (Model: TOSHIBA MQ01ABD100) NTFS ==>[system with boot components (obtained from drive)]
 


	\\?\Volume{8a3cbc66-ab72-496a-8c28-f1c9d89e1ff4}\ (Windows RE tools) (Fixed) (Total:0.96 GB) (Free:0.36 GB) NTFS 
	\\?\Volume{e7899493-836e-40e2-a860-993bc8fe0b89}\ (WINRETOOLS) (Fixed) (Total:0.97 GB) (Free:0.48 GB) NTFS 
	\\?\Volume{25391c42-c24a-4412-a42b-0763395eec6d}\ (Image) (Fixed) (Total:13.58 GB) (Free:0.15 GB) NTFS 
	\\?\Volume{7aa07a21-543e-4687-bcaf-54e5b284a176}\ (DELLSUPPORT) (Fixed) (Total:1.36 GB) (Free:0.53 GB) NTFS 
	\\?\Volume{e3bd6638-6fd2-43f2-9f08-688f4c1389b4}\ () (Fixed) (Total:0.25 GB) (Free:0.14 GB) FAT32 
	\\?\Volume{d88befe7-be9f-42cc-886d-d916edbba0ff}\ (ESP) (Fixed) (Total:0.14 GB) (Free:0.07 GB) FAT32
 


	==================== MBR &amp; Partition Table ====================
 


	========================================================== 
	Disk: 0 (Size: 931.5 GB) (Disk ID: A50E1C7D)
 


	Partition: GPT.
 


	========================================================== 
	Disk: 1 (Size: 476.9 GB) (Disk ID: 416A8FEC)
 


	Partition: GPT.
 


	==================== End of Addition.txt =======================
 


" data-webshareurl="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535841">More sharing options...</button>
        </div>
      </div>
    </div>
  </article>
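The Defender entries in the Addition.txt above are all SettingsModifier:Win32/PossibleHostsFileHijack on C:\Windows\System32\drivers\etc\hosts, and the hosts excerpt in the same log is a 334 KB file whose visible lines are all 0.0.0.0 sinkhole entries for ad and tracking domains (the "#[Ban Man Pro Banner Code]" comment is the style used by ad-blocking hosts lists). That detection is a heuristic on the file, so it cannot by itself tell an ad-blocking list from a real hijack, which is a vendor, update or security domain pointed at a live address. The triage below is an added example written for this page, not code from the forum post, FRST or Malwarebytes. It assumes an illustrative WATCHED_SUFFIXES list of vendor domains; the sample hosts text is constructed to mirror the first lines shown in the log, and the 203.0.113.x and 198.51.100.x redirect lines are invented (TEST-NET ranges) to show what a hijack would look like.

```python
"""Triage a Windows hosts file after a PossibleHostsFileHijack detection.

Added example (not from the forum post or from FRST/Malwarebytes). It
classifies each entry so you can tell an ad-blocking list (thousands of
0.0.0.0 sinkhole lines, as in the FRST log) from a real hijack (a vendor
or update domain pointed at a live IP). Sample input is constructed; the
203.0.113.x / 198.51.100.x lines are invented.
"""
import ipaddress
from dataclasses import dataclass, field

# Addresses that ad-blocking hosts lists use as a black hole.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that legitimately sit on a loopback address in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains whose redirection to a live IP is the classic hijack pattern
# (blocking AV/OS updates or impersonating vendors). Illustrative list (assumption).
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.com",
    "symantec.com", "kaspersky.com", "sophos.com", "avast.com",
)


@dataclass
class HostsTriage:
    sinkhole: int = 0                                    # "0.0.0.0 ads.example" style lines
    loopback_local: list = field(default_factory=list)  # e.g. "127.0.0.1 localhost"
    redirects: list = field(default_factory=list)        # (ip, host, line_no) to a live IP
    hijacks: list = field(default_factory=list)          # redirects that hit WATCHED_SUFFIXES
    malformed: list = field(default_factory=list)        # (line_no, raw) that did not parse


def _is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str) -> HostsTriage:
    """Parse hosts-file text and bucket every hostname mapping."""
    t = HostsTriage()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments such as "#[Ban Man Pro Banner Code]"
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))   # normalises e.g. "0000::1" to "::1"
        except ValueError:
            t.malformed.append((n, raw))
            continue
        if len(parts) < 2:                             # an address with no hostname
            t.malformed.append((n, raw))
            continue
        for host in parts[1:]:
            host = host.lower().rstrip(".")
            if ip in SINKHOLES and host in LOCAL_NAMES:
                t.loopback_local.append(host)
            elif ip in SINKHOLES:
                t.sinkhole += 1
            else:
                t.redirects.append((ip, host, n))
                if _is_watched(host):
                    t.hijacks.append((ip, host, n))
    return t


def verdict(t: HostsTriage) -> str:
    """Collapse the triage into the call an analyst would make."""
    if t.hijacks:
        return "HIJACK"         # vendor/update domains pointed at a live IP: treat as malicious
    if t.redirects:
        return "REVIEW"         # live-IP mappings; normal on dev boxes, verify each one
    if t.sinkhole:
        return "ADBLOCK_LIST"   # only black-hole entries: the pattern the FRST log shows
    return "DEFAULT"            # nothing beyond localhost entries


# Constructed sample mirroring the first lines of the hosts file in the log.
SAMPLE_ADBLOCK = """\
127.0.0.1 localhost
::1 localhost
0.0.0.0 fr.a2dfp.net
0.0.0.0 mfr.a2dfp.net
0.0.0.0 ad.a8.net
0.0.0.0 www.ad-groups.com #[Ban Man Pro Banner Code]
0.0.0.0 n.admagnet.net
"""

# Constructed hijack: the same list plus invented live-IP mappings (TEST-NET ranges).
SAMPLE_HIJACK = SAMPLE_ADBLOCK + """\
203.0.113.10 www.malwarebytes.com
203.0.113.10 update.microsoft.com
198.51.100.7 www.example.com
"""

if __name__ == "__main__":
    for name, text in (("adblock", SAMPLE_ADBLOCK), ("hijack", SAMPLE_HIJACK)):
        t = parse_hosts(text)
        print(f"{name}: {verdict(t)} sinkhole={t.sinkhole} redirects={len(t.redirects)} "
              f"hijacks={[h for _, h, _ in t.hijacks]}")
```

Run it against a copy of the live file (for example after `Get-Content C:\Windows\System32\drivers\etc\hosts`) rather than on the excerpt: FRST prints only the first lines, and a single hijack line among 8,700 sinkhole entries would be invisible in the log. A verdict of ADBLOCK_LIST means the Defender hit is the expected side effect of the ad-blocking list; HIJACK or REVIEW is what actually warrants resetting the file.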
  <a id="comment-1535849"></a>
  <article data-membergroup="4" id="elComment_1535849" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 104.8k
							
								</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks">

									   <i class="fa fa-check-circle"></i> 295
								
									</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1535849_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1535849"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1664433970,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1535849}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535849" class="ipsType_blendLinks">Posted <time datetime="2022-09-29T06:46:10Z" title="09/29/2022 06:46  AM" data-short="Sep 29">September 29, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages" id="ips_uid_8053_5">
            <p> Please ATTACH all logs unless otherwise requested, thank you
              <a contenteditable="false" data-ipshover="" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" data-mentionid="297963" href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" id="ips_uid_9540_7" rel="">@malwareismyfriend</a>
            </p>
            <p> &nbsp; </p>
            <p> Please run the following fix, once the fix has been completed, please attach the FIXLOG.TXT file to your next reply. I will check back on you again some time tomorrow. </p>
            <p> Please download the attached <strong>fixlist.txt</strong> file and save it to the Desktop or location where you ran FRST from.<br><span style="text-decoration:underline"><strong>NOTE.</strong></span> It's important that both files,
              <strong>FRST</strong> or <strong>FRST64</strong>, and <strong>fixlist.txt</strong> are in the same location or the fix will not work. </p>
            <p>
              <span style="font-size:16px;"><span style="color:#c0392b;"><strong>Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.</strong></span></span>
            </p>
            <p>
              <span style="color:#ff0000;"><strong>NOTICE: </strong>This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be
                undone.</span>
            </p>
            <p> Run <strong>FRST</strong> or <strong>FRST64</strong> and press the <strong>Fix</strong> button just once and wait.<br> If the tool needs a restart, please make sure
              you let the system restart normally and let the tool complete its run after the restart.<br> The tool will make a log on the Desktop (<strong>Fixlog.txt</strong>) or wherever you ran FRST from. Please attach or post it to your next reply.
            </p>
            <p>
              <span style="color:#008000"><strong>Note: If the tool warned you about an outdated version please download and run the updated version.</strong></span>
            </p>
            <p>
              <strong>NOTE-1:</strong>&nbsp; This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk
              integrity. Depending on the speed of your computer this fix may take 30 minutes or more.
            </p>
            <p>
              <strong>NOTE-2: </strong>As part of this fix, all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications will be automatically closed.
              Also, make sure you know the passwords for all websites, as cookies will also be removed. The use of an external
              <a href="https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/" rel="external nofollow noopener" target="_blank">password manager</a> is highly recommended instead of using your
              browser to store passwords.
            </p>
            <p>
              <strong>NOTE-3: </strong>As part of this fix, the network will also be reset to default settings, including the firewall. If you have custom firewall rules you need to keep, please export or save them before running this fix.
            </p>
            <p> The following directories are emptied: </p>
            <ul>
              <li> Windows Temp </li>
              <li> Users Temp folders </li>
              <li> Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History </li>
              <li> Recently opened files cache </li>
              <li> Discord cache </li>
              <li> Java cache </li>
              <li> Steam HTML cache </li>
              <li> Explorer thumbnail and icon cache </li>
              <li> BITS transfer queue (qmgr*.dat files) </li>
              <li> Recycle Bin </li>
            </ul>
            <p>
              <strong>Important:</strong> items are <strong>permanently</strong> deleted. They are not moved to quarantine. <span style="color:#c0392b;"><strong>If you have any questions or concerns please ask before running this fix.</strong></span>
            </p>
            <p> The system will be rebooted after the fix has run. </p>
            <p>
              <a class="ipsAttachLink ipsAttachLink_block" data-fileid="354719" href="https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=354719&amp;key=5f4f6e8f45b524b106ca50b085a33dbc" data-fileext="txt" rel=""><span class="ipsAttachLink_title">fixlist.txt</span></a>
            </p>
            <p> Thanks </p>
          </div>
        </div>
      </div>
    </div>
  </article>
  <a id="comment-1535855"></a>
  <article id="elComment_1535855" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone    ">
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
          </div>
        </li>
        <li data-role="group">Members</li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/content/" rel="nofollow" title="9 posts" data-ipstooltip="" class="ipsType_blendLinks"><i class="fa fa-comment"></i> 9</a>
            </li>
          </ul>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1535855_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1535855"
        data-quotedata="{&quot;userid&quot;:297963,&quot;username&quot;:&quot;malwareismyfriend&quot;,&quot;timestamp&quot;:1664436914,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1535855}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsComment_authorBadge">Author</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535855" class="ipsType_blendLinks">Posted <time datetime="2022-09-29T07:35:14Z" title="09/29/2022 07:35  AM" data-short="Sep 29">September 29, 2022</time></a>
            <span class="ipsResponsive_hidePhone"> (edited) </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages" id="ips_uid_8053_6">
            <p>
              <a class="ipsAttachLink ipsAttachLink_block" data-fileext="txt" data-fileid="354722" data-filekey="5ebf33ea1ccd63d630fb3300cc7f04d4" href="https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=354722&amp;key=5ebf33ea1ccd63d630fb3300cc7f04d4" rel=""><span class="ipsAttachLink_title">Fixlog.txt</span></a>
            </p>
            <span class="ipsType_reset ipsType_medium ipsType_light" data-excludequote="">
              <strong>Edited <time datetime="2022-09-29T17:34:27Z" title="09/29/2022 05:34  PM" data-short="Sep 29">September 29, 2022</time> by AdvancedSetup</strong>
              <br>Removed unwanted direct log posting </span>
          </div>
        </div>
      </div>
    </div>
  </article>
  <a id="comment-1535905"></a>
  <article data-membergroup="4" id="elComment_1535905" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks"><i class="fa fa-comment"></i> 104.8k</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks"><i class="fa fa-check-circle"></i> 295</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1535905_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1535905"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1664472914,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1535905}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535905" class="ipsType_blendLinks">Posted <time datetime="2022-09-29T17:35:14Z" title="09/29/2022 05:35  PM" data-short="Sep 29">September 29, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages" id="ips_uid_8053_7">
            <p> Please stop posting logs directly. We only want or need the attachments. Thank you
              <a contenteditable="false" data-ipshover="" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" data-mentionid="297963" href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="">@malwareismyfriend</a>
            </p>
            <p> Please download and run the following <strong>Kaspersky Virus Removal Tool 2020 </strong>and save it to your Desktop. </p>
            <p>
              <span style="color:#16a085;"><em>(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)</em></span>
            </p>
            <p> Download: <a href="http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe" rel="external nofollow noopener" target="_blank">Kaspersky Virus Removal Tool</a>
            </p>
            <p> How to run a scan with Kaspersky Virus Removal Tool 2020<br><a href="https://support.kaspersky.com/15674" ipsnoembed="true" rel="external nofollow noopener" target="_blank">https://support.kaspersky.com/15674</a>
            </p>
            <p> How to run Kaspersky Virus Removal Tool 2020 in the advanced mode<br><a href="https://support.kaspersky.com/15680" ipsnoembed="true" rel="external nofollow noopener" target="_blank">https://support.kaspersky.com/15680</a>
            </p>
            <p> How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan<br><a href="https://support.kaspersky.com/15681" ipsnoembed="true" rel="external nofollow noopener" target="_blank">https://support.kaspersky.com/15681</a>
            </p>
            <p> &nbsp; </p>
            <div>
              <div>
                <table border="0" cellpadding="3" cellspacing="1" width="100%">
                  <tbody>
                    <tr>
                      <td valign="top" width="100%">
                        <div>
                          <br> Select the&nbsp;
                          <a href="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.d8a92efbbe8519698b9988e9b50cabda.png" title="Enlarge image" data-fileid="339903" data-wrappedlink="" data-ipslightbox="" data-ipslightbox-group="undefined"><img alt="image.png" class="ipsImage ipsImage_thumbnailed" data-fileid="339903" data-ratio="89.29" data-unique="snf5f4cnz" width="28" src="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.d8a92efbbe8519698b9988e9b50cabda.png"></a>&nbsp; <strong>Windows Key</strong> and <strong>R Key</strong> together; the "Run" box should
                          open.<br><br><a href="https://imgur.com/J20WNqX" rel="external nofollow noopener" target="_blank"><img alt="user posted image" border="0" data-ratio="52.24" width="402" src="//content.invisioncic.com/Mmalware/imageproxy/J20WNqX.jpg.66d63346798b8dc045fc2f5bcd115906.jpg" class="ipsImage_thumbnailed"></a><br><br>
                          Drag and Drop <strong>KVRT.exe</strong> into the Run
                          Box.<br><br><a href="https://imgur.com/EOPgDgR" rel="external nofollow noopener" target="_blank"><img alt="user posted image" border="0" data-ratio="38.17" width="545" src="//content.invisioncic.com/Mmalware/imageproxy/EOPgDgR.jpg.d5b242479888ecb281534148131e6caa.jpg" class="ipsImage_thumbnailed"></a>
                        </div>
                        <div>
                          <br> C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run
                          box.<br><br><a href="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.fd982d043eda7c751c33948fc25bfdc1.png" title="Enlarge image" data-fileid="339906" data-wrappedlink="" data-ipslightbox="" data-ipslightbox-group="undefined"><img alt="image.png" class="ipsImage ipsImage_thumbnailed" data-fileid="339906" data-ratio="51.63" data-unique="ht5842rut" width="399" src="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.fd982d043eda7c751c33948fc25bfdc1.png"></a><br><br>
                          Add -<strong>dontencrypt</strong>. Note the space between <b>KVRT.exe</b> and <b>-</b><strong>dontencrypt</strong><br><br><b>C:\Users\{your user name}\DESKTOP\KVRT.exe </b><strong>-dontencrypt</strong> should now show
                          in the Run box.
                        </div>
                        <div> &nbsp; </div>
                        <div>
                          <a href="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.a97114addba1d65d6fcc45dcb838eb1b.png" title="Enlarge image" data-fileid="339917" data-wrappedlink="" data-ipslightbox="" data-ipslightbox-group="undefined"><img alt="image.png" class="ipsImage ipsImage_thumbnailed" data-fileid="339917" data-ratio="51.63" data-unique="csj5a8e94" width="399" src="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.a97114addba1d65d6fcc45dcb838eb1b.png"></a><br><br><br>
                          That addendum to the run command is very important. When the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.<br><br> Reports are saved
                          here&nbsp;<strong>C:\KVRT2020_Data\Reports</strong> and look similar to this: <b>report_20210123_113021.klr</b><br> Right-click directly on that report, select &gt; open with &gt; <strong>Notepad</strong>. Save that file and
                          attach it to your reply.<br><br> To start the scan, select OK in the "Run" box.<br><br> An <strong>EULA</strong> window will open; tick all confirmation boxes, then select
                          "Accept"<br><br><a href="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.cb5db7e0a20fe9f93c91fcfeba50611a.png" title="Enlarge image" data-fileid="339916" data-wrappedlink="" data-ipslightbox="" data-ipslightbox-group="undefined"><img alt="image.png" class="ipsImage ipsImage_thumbnailed" data-fileid="339916" data-ratio="128.03" data-unique="tzvnh92ze" width="528" src="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.cb5db7e0a20fe9f93c91fcfeba50611a.png"></a><br><br>
                          In the new window select "Change
                          Parameters"<br><br><a href="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.70e402cf07e70d4376d5f941fdd92b05.png" title="Enlarge image" data-fileid="339918" data-wrappedlink="" data-ipslightbox="" data-ipslightbox-group="undefined"><img alt="image.png" class="ipsImage ipsImage_thumbnailed" data-fileid="339918" data-ratio="91.84" data-unique="ihe4s6ezs" width="490" src="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.70e402cf07e70d4376d5f941fdd92b05.png"></a><br><br>
                          In the new window ensure all selection boxes are ticked, then select "OK". The scan should now
                          start...<br><br><a href="https://imgur.com/u7sZMKW" rel="external nofollow noopener" target="_blank"><img alt="user posted image" border="0" data-ratio="74.04" width="366" src="//content.invisioncic.com/Mmalware/imageproxy/u7sZMKW.jpg.d25f0fae7466bb26f471ae71a8570e04.jpg" class="ipsImage_thumbnailed"></a><br><br>
                          When complete, if entries are found there will be options; if "Cure" is offered, leave it as is. For any other options change to "Delete", then select
                          "Continue"<br><br><a href="https://imgur.com/9AyeJlX" rel="external nofollow noopener" target="_blank"><img alt="user posted image" border="0" data-ratio="78.10" width="767" src="//content.invisioncic.com/Mmalware/imageproxy/9AyeJlX.jpg.3344e68a95866181286d29fc33371d01.jpg" class="ipsImage_thumbnailed"></a><br><br>
                          When complete, or if nothing was found, select
                          "Close"<br><br><a href="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.c6c0a3fcd9aa24473e07162b62025e86.png" title="Enlarge image" data-fileid="339920" data-wrappedlink="" data-ipslightbox="" data-ipslightbox-group="undefined"><img alt="image.png" class="ipsImage ipsImage_thumbnailed" data-fileid="339920" data-ratio="91.84" data-unique="ljfl82187" width="490" src="//content.invisioncic.com/Mmalware/monthly_2022_01/image.png.c6c0a3fcd9aa24473e07162b62025e86.png"></a><br><br>
                          Attach the <strong>report information</strong> as previously instructed...
                        </div>
                        <div> &nbsp; </div>
                        <div> Thank you </div>
                        <div> &nbsp; </div>
                        <div> &nbsp; </div>
                      </td>
                    </tr>
                  </tbody>
                </table>
              </div>
            </div>
            <p> &nbsp; </p>
            <p> &nbsp; </p>
          </div>
        </div>
      </div>
    </div>
  </article>
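As an added example, not code from the post or from Kaspersky: the same KVRT steps driven from an elevated PowerShell session, with a signature check on the downloaded binary first (the download link in the post is plain HTTP) and a check that the report written with -dontencrypt is actually readable. It assumes KVRT.exe was saved to the Desktop and that reports land in C:\KVRT2020_Data\Reports as report_*.klr, as the post states.

```powershell
# Added example (not from the forum post). Assumptions: KVRT.exe is on the current
# user's Desktop and reports are written to C:\KVRT2020_Data\Reports, as the post says.
# Run from an elevated PowerShell session.

$desktop   = [Environment]::GetFolderPath('Desktop')
$kvrt      = Join-Path $desktop 'KVRT.exe'
$reportDir = 'C:\KVRT2020_Data\Reports'

if (-not (Test-Path -LiteralPath $kvrt)) {
    throw "KVRT.exe not found at $kvrt; save it to the Desktop first."
}

# The download link is plain HTTP, so verify the Authenticode signature before
# running anything. A valid signature is the minimum bar; inspect the signer too.
$sig = Get-AuthenticodeSignature -FilePath $kvrt
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed ($($sig.Status)); do not run this binary."
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Remember which reports already exist so the one from this run can be told apart.
$before = @()
if (Test-Path -LiteralPath $reportDir) {
    $before = @(Get-ChildItem -LiteralPath $reportDir -Filter 'report_*.klr' |
                Select-Object -ExpandProperty FullName)
}

# Equivalent of typing  C:\Users\...\DESKTOP\KVRT.exe -dontencrypt  into the Run box.
# The flag keeps the report readable instead of the default encrypted form.
# The scan itself is interactive (EULA, Change Parameters, results), so just wait.
$proc = Start-Process -FilePath $kvrt -ArgumentList '-dontencrypt' -PassThru -Wait
Write-Host "KVRT exited with code $($proc.ExitCode)"

if (-not (Test-Path -LiteralPath $reportDir)) {
    throw "Report folder $reportDir was not created; did the scan run?"
}

# Pick the report produced by this run: newest report_*.klr that was not there before.
$report = Get-ChildItem -LiteralPath $reportDir -Filter 'report_*.klr' |
    Where-Object { $before -notcontains $_.FullName } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $report) { throw "No new report found in $reportDir" }

# Sanity check that -dontencrypt took effect. ReadAllText honours a UTF-8/UTF-16 BOM;
# an encrypted report decodes to control characters and U+FFFD replacement characters,
# a readable one does not. Look at the first 4096 characters only.
$text   = [System.IO.File]::ReadAllText($report.FullName)
$sample = $text.Substring(0, [Math]::Min(4096, $text.Length))
$junk   = ($sample.ToCharArray() | Where-Object {
              ([char]::IsControl($_) -and -not [char]::IsWhiteSpace($_)) -or $_ -eq [char]0xFFFD
          }).Count
if ($junk -gt ($sample.Length * 0.05)) {
    Write-Warning "$($report.Name) does not look like plain text; re-run with -dontencrypt."
}

# Same effect as "open with Notepad, save": copy it as .txt to the Desktop for attaching.
$dest = Join-Path $desktop ($report.Name + '.txt')
Copy-Item -LiteralPath $report.FullName -Destination $dest
Write-Host "Report ready to attach: $dest"
```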
  <a id="comment-1535991"></a>
  <article id="elComment_1535991" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone    ">
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535991" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T01:48:50Z" title="09/30/2022 01:48  AM" data-short="Sep 30">September 30, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
          </div>
        </li>
        <li data-role="group">Members</li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/content/" rel="nofollow" title="9 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 9
							
								</a>
            </li>
          </ul>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1535991_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1535991"
        data-quotedata="{&quot;userid&quot;:297963,&quot;username&quot;:&quot;malwareismyfriend&quot;,&quot;timestamp&quot;:1664502530,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1535991}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsComment_authorBadge">Author</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535991" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T01:48:50Z" title="09/30/2022 01:48  AM" data-short="Sep 30">September 30, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages" id="ips_uid_8053_8">
            <p> It took over 6 hours to complete this scan; it didn't detect much of anything. </p>
            <p> &nbsp; </p>
            <p>
              <a class="ipsAttachLink ipsAttachLink_block" href="https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=354770&amp;key=83eeb02c84e20320576a19e014839d86" data-fileext="txt" data-fileid="354770" data-filekey="83eeb02c84e20320576a19e014839d86">  <span class="ipsAttachLink_title">report_2022.09.29_14.42.09.klr.txt</span><span class="ipsAttachLink_metaInfo">Fetching info...</span> </a>
            </p>
          </div>
        </div>
      </div>
    </div>
  </article>
  <a id="comment-1535994"></a>
  <article data-membergroup="4" id="elComment_1535994" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <div class="ipsResponsive_showPhone ipsComment_badges">
      <ul class="ipsList_reset ipsFlex ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
        <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
      </ul>
    </div>
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
          <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break"><span style="color:red; font-weight:bold">AdvancedSetup</span></a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535994" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T02:02:33Z" title="09/30/2022 02:02  AM" data-short="Sep 30">September 30, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 104.8k
							
								</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks">

									   <i class="fa fa-check-circle"></i> 295
								
									</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1535994_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1535994"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1664503353,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1535994}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535994" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T02:02:33Z" title="09/30/2022 02:02  AM" data-short="Sep 30">September 30, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages" id="ips_uid_8053_9">
            <p> That's a good thing. </p>
            <p> Have you put it back on the network now?
              <a contenteditable="false" data-ipshover="" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" data-mentionid="297963" href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="">@malwareismyfriend</a>
            </p>
            <p> &nbsp; </p>
            <p> &nbsp; </p>
            <p>
              <strong><span style="color:#3498db;"><span style="font-size:22px;">SecurityCheck by glax24</span></span></strong><br><br> I would like you to run a
              tool named <strong>SecurityCheck</strong> to inquire about the current security update status of some applications.
            </p>
            <ul>
              <li> Download <strong>SecurityCheck</strong> by glax24:
                <a href="https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe" ipsnoembed="true" rel="external nofollow noopener" target="_blank">https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe</a>
              </li>
              <li> If Microsoft SmartScreen blocks the download, click through to save the file. </li>
              <li> This tool is safe. SmartScreen is overly sensitive. </li>
              <li> If SmartScreen blocks the file from running, click on <strong>More info</strong> and <strong>Run anyway</strong>.
              </li>
              <li> Right-click with your mouse on <strong>SecurityCheck.exe</strong> and select "<strong>Run as administrator</strong>", then reply YES to allow it to run and go forward. </li>
              <li> Wait for the scan to finish. It will open a text file named <strong>SecurityCheck.txt</strong>. Close the file and attach it to your next reply. </li>
              <li> You can find this file in a folder called SecurityCheck: <strong>C:\SecurityCheck\SecurityCheck.txt</strong>
              </li>
            </ul>
            <p> &nbsp; </p>
            <p style="margin-left: 40px;">
              <a href="//content.invisioncic.com/Mmalware/monthly_2021_09/image.png.435e92f61a2ec1359ae7912bd7e19f42.png" title="Enlarge image" data-fileid="332484" data-wrappedlink="" data-ipslightbox="" data-ipslightbox-group="undefined"><img alt="image.png" class="ipsImage ipsImage_thumbnailed" data-fileid="332484" data-ratio="93.61" data-unique="9phbvi9z6" width="532" src="//content.invisioncic.com/Mmalware/monthly_2021_09/image.png.435e92f61a2ec1359ae7912bd7e19f42.png"></a>
            </p>
            <p style="margin-left: 40px;">
              <a href="//content.invisioncic.com/Mmalware/monthly_2021_09/image.png.e52cdda9ef538097c50a16aa652eb709.png" title="Enlarge image" data-fileid="332485" data-wrappedlink="" data-ipslightbox="" data-ipslightbox-group="undefined"><img alt="image.png" class="ipsImage ipsImage_thumbnailed" data-fileid="332485" data-ratio="93.61" data-unique="sls32msfb" width="532" src="//content.invisioncic.com/Mmalware/monthly_2021_09/image.png.e52cdda9ef538097c50a16aa652eb709.png"></a>
            </p>
            <p style="margin-left: 40px;">
              <a href="//content.invisioncic.com/Mmalware/monthly_2021_09/image.png.feb5e803ad803e7a21c887b1712cd19d.png" title="Enlarge image" data-fileid="332486" data-wrappedlink="" data-ipslightbox="" data-ipslightbox-group="undefined"><img alt="image.png" class="ipsImage ipsImage_thumbnailed" data-fileid="332486" data-ratio="35.66" data-unique="mstpgofif" width="272" src="//content.invisioncic.com/Mmalware/monthly_2021_09/image.png.feb5e803ad803e7a21c887b1712cd19d.png"></a>
            </p>
            <p> &nbsp; </p>
            <p> Thank you </p>
            <p> &nbsp; </p>
            <p> &nbsp; </p>
          </div>
        </div>
      </div>
    </div>
  </article>
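<p>Added example, not part of the post above and not code from glax24 or Malwarebytes: before clicking past the SmartScreen prompt in the steps above, this PowerShell snippet records the download's SHA-256, shows its Mark-of-the-Web, Authenticode status and signer, and launches it elevated only if the signature verifies; otherwise it stops and leaves the decision to the person at the keyboard. The download location under the user's Downloads folder is an assumption, and nothing on this page says whether the tool is signed; the report path is the one named in the post.</p>

```powershell
# Added example (not from the forum post, not part of glax24's tool): verify a
# downloaded executable before clicking past SmartScreen, then run it elevated
# only if its Authenticode signature verifies.

# Assumption: the browser saved the file to the user's Downloads folder.
$exe = Join-Path $env:USERPROFILE 'Downloads\SecurityCheck.exe'
if (-not (Test-Path -LiteralPath $exe)) {
    throw "File not found: $exe"
}

# SHA-256 of the file as downloaded; keep it with the case notes so the exact
# binary that was run can be identified later.
$hash = Get-FileHash -LiteralPath $exe -Algorithm SHA256
Write-Host ('SHA256  : {0}' -f $hash.Hash)

# Mark-of-the-Web: the Zone.Identifier alternate data stream is what makes
# SmartScreen prompt. Showing it confirms the file really is a browser download.
$zone = Get-Content -LiteralPath $exe -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { Write-Host ('MotW    : {0}' -f ($zone -join ' | ')) }

# Authenticode: Status is 'Valid' only when the file is signed and the chain
# verifies on this machine. 'NotSigned' or 'HashMismatch' means the SmartScreen
# prompt deserves a second look before anything is run.
$sig = Get-AuthenticodeSignature -LiteralPath $exe
Write-Host ('Status  : {0}' -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Host ('Signer  : {0}' -f $sig.SignerCertificate.Subject)
    Write-Host ('Expires : {0}' -f $sig.SignerCertificate.NotAfter)
}

if ($sig.Status -eq 'Valid') {
    # UAC prompt, equivalent to "Run as administrator"; wait for the scan to end.
    Start-Process -FilePath $exe -Verb RunAs -Wait
    $report = 'C:\SecurityCheck\SecurityCheck.txt'   # report path named in the post
    if (Test-Path -LiteralPath $report) {
        Write-Host "Report written to $report"
    }
} else {
    Write-Warning "Signature status is '$($sig.Status)'; not launching automatically."
}
```

<p>The recorded hash identifies exactly which binary was run if the report is later questioned, and a <code>NotSigned</code> or <code>HashMismatch</code> status is the signal to pause and check the source rather than click "Run anyway" by reflex.</p>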
  <a id="comment-1535999"></a>
  <article id="elComment_1535999" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone    ">
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535999" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T04:14:26Z" title="09/30/2022 04:14  AM" data-short="Sep 30">September 30, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
          </div>
        </li>
        <li data-role="group">Members</li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/content/" rel="nofollow" title="9 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 9
							
								</a>
            </li>
          </ul>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1535999_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1535999"
        data-quotedata="{&quot;userid&quot;:297963,&quot;username&quot;:&quot;malwareismyfriend&quot;,&quot;timestamp&quot;:1664511266,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1535999}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsComment_authorBadge">Author</strong></li>
              </ul>
            </div>
            <ul class="ipsList_reset ipsComment_tools">
              <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535999" title="Share Post 1535999" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1535999_menu" data-ipsdialog-title="Share this post" id="elSharePost_1535999" data-role="shareComment">ID:1535999</a>
              <li>
                <a href="#elControls_1535999_menu" class="ipsComment_ellipsis" id="elControls_1535999" title="More options..." data-ipsmenu="" data-ipsmenu-appendto="#comment-1535999_wrap"><i class="fa fa-ellipsis-h"></i></a>
                <ul id="elControls_1535999_menu" class="ipsMenu ipsMenu_narrow ipsHide">
                  <li class="ipsMenu_item">
                    <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535999" title="Share this post" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1535999_menu" data-ipsdialog-title="Share this post" id="elSharePost_1535999" data-role="shareComment">Share</a>
                  </li>
                </ul>
              </li>
            </ul>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1535999" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T04:14:26Z" title="09/30/2022 04:14  AM" data-short="Sep 30">September 30, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages" id="ips_uid_8053_10">
            <p>
              <a class="ipsAttachLink ipsAttachLink_block" data-fileid="354772" href="https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=354772&amp;key=9ef22524bfafa6f9c8367735f3cb6743" data-fileext="txt" rel="">  <span class="ipsAttachLink_title">SecurityCheck.txt</span><span class="ipsAttachLink_metaInfo">Fetching info...</span> </a>
            </p>
            <p> I've had it on the network since I first messaged you, but I block all outgoing and incoming requests with TinyWall when I'm not using it to run these security apps. </p>
            <p> &nbsp; </p>
            <p> I've gone into Process Explorer and found a bunch of very odd-looking processes; further investigation of their properties shows that a lot of these processes have things in common. They all have administrator flagged for DENY. The owner is NT
              AUTHORITY/LogonSessionID_0_1053163. Most run from "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\", there are about 30-40 processes using svchost, and some operating system files are not signed. Looking at the
              TCP connections, there are a lot of SYSTEM connections with "TIME WAIT" going to a random IP hosted by Amazon or some other big provider. </p>
            <p> &nbsp; </p>
            <p> &nbsp; </p>
          </div>
        </div>
      </div>
    </div>
  </article>
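<p>Added example, not part of the thread and not a Process Explorer or Malwarebytes feature: a read-only PowerShell triage pass over the observations in the post above. It lists processes whose image lives under the SystemApps folder quoted there, running images that do not carry a valid Authenticode signature, the number of <code>svchost.exe</code> instances, and TCP connections grouped by state with their owning process. It assumes an elevated session (needed for <code>-IncludeUserName</code> and to see every connection) and takes only the folder path from the post; it does not interpret process DACLs, so the DENY entry mentioned there is outside its scope.</p>

```powershell
# Added example (not from the forum thread, and not a Process Explorer or
# Malwarebytes feature): read-only triage of the observations in the post.
# Run from an elevated PowerShell. Nothing here changes the system.

# Folder quoted in the post; other SystemApps packages can be checked the same way.
$cbsDir = 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy'

# 1. Every process with an accessible image path, plus its signature status.
#    Protected processes may refuse access; they show up without a path and
#    are skipped here rather than flagged.
$procs = Get-Process -IncludeUserName |
    Where-Object { $_.Path } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.Path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID       = $_.Id
            Name      = $_.ProcessName
            User      = $_.UserName
            Path      = $_.Path
            SigStatus = if ($sig) { [string]$sig.Status } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

"== Processes running from $cbsDir =="
$procs | Where-Object { $_.Path -like "$cbsDir\*" } |
    Format-Table PID, Name, User, SigStatus -AutoSize

# Catalog-signed Windows binaries report 'Valid' because Get-AuthenticodeSignature
# consults the system catalogs; 'NotSigned' under C:\Windows is a reason to look
# closer, not proof of anything.
"== Running images without a valid signature =="
$procs | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table PID, Name, SigStatus, Signer, Path -AutoSize

# 2. svchost.exe count. Several dozen is normal on Windows 10/11 with more than
#    about 3.5 GB of RAM, where most services get their own host process.
$svchost = @($procs | Where-Object { $_.Name -eq 'svchost' })
"svchost.exe instances: $($svchost.Count)"

# 3. TCP connections by state, then remote endpoints with the owning process.
#    TIME_WAIT sockets are already closed and usually report PID 0, so for
#    those the remote address, not the process, is the useful field.
$conns = Get-NetTCPConnection |
    Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') }

"== TCP connections by state =="
$conns | Group-Object State | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

"== Established and TIME_WAIT remote endpoints =="
$conns | Where-Object { $_.State -in @('Established', 'TimeWait') } |
    ForEach-Object {
        $ownerPid = $_.OwningProcess
        $owner = $procs | Where-Object { $_.PID -eq $ownerPid } | Select-Object -First 1
        [pscustomobject]@{
            State   = $_.State
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            PID     = $ownerPid
            Process = if ($owner) { $owner.Name } else { '(none / exited)' }
            Path    = if ($owner) { $owner.Path } else { '' }
        }
    } | Sort-Object Remote | Format-Table -AutoSize
```

<p>The useful output is the cross-check: a process under the quoted SystemApps folder with a <code>Valid</code> Microsoft signature and a Windows user context reads very differently from an unsigned image in a user-writable folder holding an established connection, and the tables above put those two facts side by side for each process instead of leaving them in separate Process Explorer tabs.</p>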
  <a id="comment-1536003"></a>
  <article data-membergroup="4" id="elComment_1536003" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <div class="ipsResponsive_showPhone ipsComment_badges">
      <ul class="ipsList_reset ipsFlex ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
        <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
      </ul>
    </div>
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
          <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break"><span style="color:red; font-weight:bold">AdvancedSetup</span></a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1536003" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T05:53:50Z" title="09/30/2022 05:53  AM" data-short="Sep 30">September 30, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 104.8k
							
								</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks">

									   <i class="fa fa-check-circle"></i> 295
								
									</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1536003_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1536003"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1664517230,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1536003}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
            <ul class="ipsList_reset ipsComment_tools">
              <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1536003" title="Share Post 1536003" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1536003_menu" data-ipsdialog-title="Share this post" id="elSharePost_1536003" data-role="shareComment">ID:1536003</a>
              <li>
                <a href="#elControls_1536003_menu" class="ipsComment_ellipsis" id="elControls_1536003" title="More options..." data-ipsmenu="" data-ipsmenu-appendto="#comment-1536003_wrap"><i class="fa fa-ellipsis-h"></i></a>
                <ul id="elControls_1536003_menu" class="ipsMenu ipsMenu_narrow ipsHide">
                  <li class="ipsMenu_item">
                    <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1536003" title="Share this post" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1536003_menu" data-ipsdialog-title="Share this post" id="elSharePost_1536003" data-role="shareComment">Share</a>
                  </li>
                </ul>
              </li>
            </ul>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1536003" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T05:53:50Z" title="09/30/2022 05:53  AM" data-short="Sep 30">September 30, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> You're running <strong>Torrent software </strong> on the system.
              <a contenteditable="false" data-ipshover="" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" data-mentionid="297963" href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" id="ips_uid_6281_12" rel="">@malwareismyfriend</a>
            </p>
            <p> &nbsp; </p>
            <p> Torrenting is the act of downloading and uploading files through the BitTorrent network. </p>
            <p> The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.<br> Torrenting non-copyrighted
              material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P. </p>
            <p> Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.<br> When sharing files, please keep in mind that you're increasing your system's attack surface area, which
              can increase the risk of infection. </p>
            <p> Scan all files before running them. <a href="https://www.virustotal.com" ipsnoembed="true" rel="external nofollow noopener" target="_blank">https://www.virustotal.com</a>
            </p>
            <p>
              <strong><span style="font-size:18px;"><span style="color:#16a085;">If you don't need or use the P2P software, you should uninstall it to improve security of your system and data.</span></span></strong>
            </p>
            <p>
              <strong>Risks of File-Sharing Technology by the Cybersecurity &amp; Infrastructure Security
                Agency</strong><br><a href="https://www.cisa.gov/uscert/ncas/tips/ST05-007" ipsnoembed="true" rel="external nofollow noopener" target="_blank">https://www.cisa.gov/uscert/ncas/tips/ST05-007</a>
            </p>
            <p> &nbsp; </p>
            <p> We're not done yet, but most processes are normal and have some very strange names, but in most cases they're normal. </p>
            <p> &nbsp; </p>
            <p> Please uninstall, update, or otherwise address the following as appropriate for your system. </p>
            <p> &nbsp; </p>
            <p> ---------------------- [ AntiVirusFirewallInstall ] -----------------------<br> Malwarebytes version 4.4.11.149 v.4.4.11.149 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.malwarebytes.com/products/" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p>
              <br> --------------------------- [ OtherUtilities ] ----------------------------<br> SumatraPDF v.3.3.3 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.sumatrapdfreader.org/download-free-pdf-viewer.html" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> PuTTY release 0.76 (64-bit) v.0.76.0.0 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> FileZilla Client 3.58.0 v.3.58.0 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://filezilla-project.org/download.php?show_all=1" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> TeamViewer v.15.24.5 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://download.teamviewer.com/download/TeamViewer_Setup.exe" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> Wireshark 3.6.7 64-bit v.3.6.7 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.wireshark.org/download.html" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p>
              <br> ------------------------------ [ ArchAndFM ] ------------------------------<br> 7-Zip 21.06 (x64) v.21.06 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.7-zip.org/download.html" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span><br>
              <span style="color:blue"><strong>Uninstall old version and install new one.</strong></span>
            </p>
            <p> WinRAR 6.02 (64-bit) v.6.02.0 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.rarlab.com/download.htm" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> 7-Zip 19.00 (x64 edition) v.19.00.00.0 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.7-zip.org/download.html" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span><br>
              <span style="color:blue"><strong>Uninstall old version and install new one.</strong></span>
            </p>
            <p>
              <br> ------------------------------- [ Imaging ] -------------------------------<br> FastStone Image Viewer 7.5 v.7.5 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.faststone.org/FSIVDownload.htm" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> XnView 2.50.4 v.2.50.4 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://download.xnview.com/XnView-win-full.exe" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p>
              <br> -------------------------- [ IMAndCollaborate ] ---------------------------<br> Telegram Desktop version 4.1.1 v.4.1.1 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://github.com/telegramdesktop/tdesktop/releases/latest" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> Zoom v.5.8.2048 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://zoom.us/client/latest/ZoomInstaller.exe" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> --------------------------------- [ P2P ] --------------------------------- </p>
            <p> qBittorrent 4.3.9 v.4.3.9 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.qbittorrent.org/download.php" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p>
              <br> -------------------------------- [ Media ] --------------------------------<br> Audacity 3.1.2 v.3.1.2 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.audacityteam.org/download/windows/" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> VLC media player v.3.0.16 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.videolan.org/vlc/download-windows.html" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> iTunes v.12.12.2.2 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://www.apple.com/itunes/download/" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span><br>
              <span style="color:blue"><strong>^Please use Apple Software Update tool.^</strong></span>
            </p>
            <p> Spotify v.1.1.94.870.gf994cb0b <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://download.scdn.co/SpotifySetup.exe" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> &nbsp; </p>
            <p> ------------------------------- [ Browser ] -------------------------------<br> Opera Stable 90.0.4480.84 v.90.0.4480.84 <span style="color:red"><strong>Warning! </strong></span><span
                style="color:red"><strong><a href="https://net.geo.opera.com/opera/stable/windows" rel="external nofollow noopener" target="_blank">Download Update</a></strong></span>
            </p>
            <p> &nbsp; </p>
            <p> ---------------------------- [ UnwantedApps ] -----------------------------<br> VdhCoApp 1.6.3 <strong>Warning!</strong> Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended.
              Possible you became a victim of fraud or social engineering.<br> ----------------------------- [ End of Log ] ------------------------------ </p>
            <p> &nbsp; </p>
            <p> &nbsp; </p>
            <p>
              <span style="font-size:20px;"><strong><span style="color:#16a085;">Then check for Windows Updates and install any found and restart the computer.</span></strong></span>
            </p>
            <p> &nbsp; </p>
            <p> Once that has all been completed and the computer restarted, get me new, fresh logs from the Farbar program. </p>
            <p>
              <strong>FRST.TXT<br> ADDITION.TXT</strong>
            </p>
            <p> &nbsp; </p>
            <p> Thank you </p>
            <p> &nbsp; </p>
            <p> &nbsp; </p>
            <p> &nbsp; </p>
          </div>
        </div>
      </div>
    </div>
  </article>
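<p> The listing in the post above has a regular shape: a dashed <code>[ Category ]</code> header, then one line per product ending in <code>Warning!</code> and the recommended action. The Python below is an added example, not code from the post or from the tool that produced the listing: it parses that format into records, groups side-by-side installs of the same product (the two 7-Zip copies), and turns each product into a single action. The sample input is a hand-transcribed excerpt of the post's listing; the mapping of the <code>P2P</code> and <code>UnwantedApps</code> categories to "uninstall" and of duplicate installs to "reinstall" is this example's own assumption, not something the tool outputs. </p>

```python
"""Parse a "[ Category ]" / "Name v.X Warning! ..." software inventory like the one quoted above
and turn it into a per-product action plan. Added example; the category-to-action policy is an assumption."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: constructed for this example by transcribing an excerpt of the listing in the post
# above (whitespace normalised); the real log uses the same line shapes.
SAMPLE_LOG = """\
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Malwarebytes version 4.4.11.149 v.4.4.11.149 Warning! Download Update
--------------------------- [ OtherUtilities ] ----------------------------
PuTTY release 0.76 (64-bit) v.0.76.0.0 Warning! Download Update
------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 21.06 (x64) v.21.06 Warning! Download Update Uninstall old version and install new one.
7-Zip 19.00 (x64 edition) v.19.00.00.0 Warning! Download Update Uninstall old version and install new one.
--------------------------------- [ P2P ] ---------------------------------
qBittorrent 4.3.9 v.4.3.9 Warning! Download Update
---------------------------- [ UnwantedApps ] -----------------------------
VdhCoApp 1.6.3 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended.
----------------------------- [ End of Log ] ------------------------------
"""

HEADER_RE = re.compile(r"^-+\s*\[\s*(?P<cat>[^\]]+?)\s*\]\s*-+$")
# Entries with an explicit "v.<version>" field: "PuTTY release 0.76 (64-bit) v.0.76.0.0 Warning! Download Update"
VERSIONED_RE = re.compile(r"^(?P<name>.+?)\s+v\.(?P<ver>\S+)\s+Warning!\s*(?P<note>.*)$")
# Entries that only carry the version inside the name: "VdhCoApp 1.6.3 Warning! Application is distributed ..."
UNVERSIONED_RE = re.compile(r"^(?P<name>.+?)\s+(?P<ver>\d[\w.]*)\s+Warning!\s*(?P<note>.*)$")

# Assumption (this example's policy, not tool output): these categories get removed, not updated.
REMOVE_CATEGORIES = {"P2P", "UnwantedApps"}

UPDATE, REINSTALL, UNINSTALL = "update", "reinstall", "uninstall"


@dataclass
class Entry:
    category: str
    name: str      # display name as printed, e.g. "7-Zip 19.00 (x64 edition)"
    version: str
    note: str      # everything after "Warning!"

    @property
    def product(self) -> str:
        # First token is enough to group "7-Zip 21.06 (x64)" with "7-Zip 19.00 (x64 edition)"
        return self.name.split()[0]


def parse_security_check(text: str) -> list[Entry]:
    """Walk the log line by line, tracking the current [ Category ] header."""
    entries: list[Entry] = []
    category: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            category = header.group("cat")
            continue
        if category in (None, "End of Log"):
            continue
        match = VERSIONED_RE.match(line) or UNVERSIONED_RE.match(line)
        if match:
            entries.append(Entry(category, match.group("name"), match.group("ver"), match.group("note").strip()))
    return entries


def duplicate_installs(entries: list[Entry]) -> dict[str, list[str]]:
    """Products listed more than once: side-by-side installs the post tells the user to clean up."""
    versions: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        versions[e.product].append(e.version)
    return {p: v for p, v in versions.items() if len(v) > 1}


def triage(entries: list[Entry]) -> dict[str, str]:
    """One action per product: uninstall (P2P / bundled apps), reinstall (stale side-by-side copies), else update."""
    grouped: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        grouped[e.product].append(e)
    plan: dict[str, str] = {}
    for product, items in grouped.items():
        if any(e.category in REMOVE_CATEGORIES for e in items):
            plan[product] = UNINSTALL
        elif len(items) > 1 or any("uninstall old version" in e.note.lower() for e in items):
            plan[product] = REINSTALL
        else:
            plan[product] = UPDATE
    return plan


if __name__ == "__main__":
    parsed = parse_security_check(SAMPLE_LOG)
    for product, action in triage(parsed).items():
        print(f"{action:<10} {product}")
    for product, versions in duplicate_installs(parsed).items():
        print(f"note: {product} has {len(versions)} installed versions: {', '.join(versions)}")
```

<p> Run it on the full listing pasted from the post and you get one line per product instead of twenty-odd warnings, with the two 7-Zip entries collapsed into a single "reinstall" item. The product key is deliberately crude (first token of the name); for a real inventory you would key on the registry uninstall entry instead. </p>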
  <a id="comment-1536011"></a>
  <article id="elComment_1536011" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone    ">
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
          </div>
        </li>
        <li data-role="group">Members</li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/content/" rel="nofollow" title="9 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 9
							
								</a>
            </li>
          </ul>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1536011_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1536011"
        data-quotedata="{&quot;userid&quot;:297963,&quot;username&quot;:&quot;malwareismyfriend&quot;,&quot;timestamp&quot;:1664527173,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1536011}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsComment_authorBadge">Author</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1536011" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T08:39:33Z" title="09/30/2022 08:39  AM" data-short="Sep 30">September 30, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages" id="ips_uid_8053_11">
            <p> I have never been on the TOR network, can you tell me how to uninstall whatever you are talking about? </p>
            <p> I have uninstalled VdhCoApp, don't even use it either. I also downloaded qtorrent. </p>
            <p> I used a program called "Patch my PC updater" to update all the programs, patchmypc.com </p>
            <p> &nbsp; </p>
            <p>
              <a class="ipsAttachLink ipsAttachLink_block" data-fileid="354778" href="https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=354778&amp;key=cff8111e352a02a8003698763fd5fe52" data-fileext="txt" rel=""><span class="ipsAttachLink_title">FRST.txt</span></a> <a class="ipsAttachLink ipsAttachLink_block" data-fileid="354779" href="https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=354779&amp;key=b994a24b903b508e7256eb5353351bcb" data-fileext="txt" rel=""><span class="ipsAttachLink_title">Addition.txt</span></a>
            </p>
            <p> &nbsp; </p>
          </div>
        </div>
      </div>
    </div>
  </article>
  <a id="comment-1536058"></a>
  <article data-membergroup="4" id="elComment_1536058" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 104.8k
							
								</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks">

									   <i class="fa fa-check-circle"></i> 295
								
									</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1536058_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1536058"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1664564123,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1536058}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1536058" class="ipsType_blendLinks">Posted <time datetime="2022-09-30T18:55:23Z" title="09/30/2022 06:55  PM" data-short="Sep 30">September 30, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> You're right about not having P2P BitTorrent network software. Not sure why the Security Scanner showed that. </p>
            <p> You can delete the qbitorrent program download, not needed. </p>
            <p> How is the computer running now? </p>
            <p> Are you still having any alerts or issues?
              <a contenteditable="false" data-ipshover="" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" data-mentionid="297963" href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="">@malwareismyfriend</a>
            </p>
          </div>
        </div>
      </div>
    </div>
  </article>
  <ul class="ipsTopicMeta">
    <li class="ipsTopicMeta__item ipsTopicMeta__item--time"> 2 weeks later... </li>
  </ul>
  <a id="comment-1537123"></a>
  <article id="elComment_1537123" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone    ">
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537123" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-10-09T18:23:35Z" title="10/09/2022 06:23  PM" data-short="Oct 9">October 9, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
          </div>
        </li>
        <li data-role="group">Members</li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/content/" rel="nofollow" title="9 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 9
							
								</a>
            </li>
          </ul>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1537123_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1537123"
        data-quotedata="{&quot;userid&quot;:297963,&quot;username&quot;:&quot;malwareismyfriend&quot;,&quot;timestamp&quot;:1665339815,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1537123}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsComment_authorBadge">Author</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537123" class="ipsType_blendLinks">Posted <time datetime="2022-10-09T18:23:35Z" title="10/09/2022 06:23  PM" data-short="Oct 9">October 9, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> Yes, still issues. </p>
            <p> Lots of TIME_WAIT connections in my firewall with SYSTEM process 4 connecting to masked IP addresses like </p>
            <p> 35.186.227.140 </p>
            <p> 72.21.91.29 </p>
            <p> 20.60.179.4 </p>
            <p> 172.67.185.102 </p>
            <p> 34.120.5.221 </p>
            <p> 172.67.155.249 </p>
            <p> 52.170.249.225 </p>
            <p> 192.0.73.2 </p>
            <p> ...and more. I can usually see at least 10 or more of them at a time using netstat or simply by looking at my firewall status. These are all on port 443 or 80, all in TIME_WAIT status with SYSTEM as the PID. Other strange activity as well. </p>
          </div>
        </div>
      </div>
    </div>
  </article>
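<p> The netstat observation in the post above is the kind of raw output a responder has to triage: which sockets are actually open, which process owns them, and which remote hosts are worth checking. The following is an added example, not code from the thread or from Malwarebytes: it parses constructed <code>netstat -ano</code> lines (the remote IPs are the ones the poster listed; the local addresses, ports and PIDs are invented), separates lingering TIME_WAIT sockets from live connections, groups live peers by owning PID, and flags listeners bound to all interfaces on the ports the thread's moderator recommends blocking (135 ~ 139, 445, 1234, 3389, 5555). </p>

```python
"""Triage helper for Windows ``netstat -ano`` output.

Added example, not part of the forum thread.  Parses netstat lines,
separates lingering TIME_WAIT sockets from live connections, and
groups remote peers by owning PID so a defender can see what is
actually talking to whom.  All sample text below is constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Ports the thread's moderator recommends blocking at the router; here
# they are used to flag local listeners that should not be exposed.
RISKY_PORTS = {135, 136, 137, 138, 139, 445, 1234, 3389, 5555}

# States in which a TCP connection is actually open right now.
# TIME_WAIT is the post-close linger state: the socket is finished and
# nothing is being transmitted, so it says little about live activity.
LIVE_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECEIVED", "CLOSE_WAIT"}

# Constructed sample modelled on ``netstat -ano`` on Windows.  The remote
# IPs are those the poster listed; local addresses, ports and PIDs are
# invented for the demo.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.10:49712     35.186.227.140:443     TIME_WAIT       4
  TCP    192.168.1.10:49713     72.21.91.29:443        TIME_WAIT       4
  TCP    192.168.1.10:49720     20.60.179.4:80         TIME_WAIT       4
  TCP    192.168.1.10:49731     172.67.185.102:443     ESTABLISHED     5832
  TCP    192.168.1.10:49740     34.120.5.221:443       TIME_WAIT       4
  TCP    192.168.1.10:49752     52.170.249.225:443     ESTABLISHED     5832
  TCP    [::]:135               [::]:0                 LISTENING       1208
  UDP    0.0.0.0:5353           *:*                                    2212
"""


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str          # "" for UDP, which has no State column
    pid: int


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port', '[v6]:port' or '*:*' into (host, port-or-None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse the table body of ``netstat -ano``; header lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP rows carry no State column, so the PID is the 4th field.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def count_by_state_and_pid(conns: List[Conn]) -> Dict[Tuple[str, int], int]:
    """How many TCP sockets each PID holds per state, e.g. {('TIME_WAIT', 4): 4}."""
    return dict(Counter((c.state, c.pid) for c in conns if c.proto == "TCP"))


def live_peers_by_pid(conns: List[Conn]) -> Dict[int, Set[str]]:
    """Remote IPs with a live (non-TIME_WAIT) TCP connection, keyed by PID."""
    peers: Dict[int, Set[str]] = defaultdict(set)
    for c in conns:
        if c.proto == "TCP" and c.state in LIVE_STATES:
            peers[c.pid].add(c.remote_ip)
    return dict(peers)


def exposed_risky_listeners(conns: List[Conn]) -> List[Conn]:
    """TCP listeners bound to every interface on a port from RISKY_PORTS."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "LISTENING"
            and c.local_ip in ("0.0.0.0", "::")
            and c.local_port in RISKY_PORTS]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("sockets by (state, pid):", count_by_state_and_pid(conns))
    print("live remote peers by pid:", live_peers_by_pid(conns))
    for c in exposed_risky_listeners(conns):
        print(f"listener {c.local_ip}:{c.local_port} (pid {c.pid}) is on the block list")
```

<p> Run against real output (<code>netstat -ano &gt; netstat.txt</code> on the affected machine, then feed the file to <code>parse_netstat</code>) the useful view is the second one: the PIDs with live peers can be matched to processes in Task Manager or <code>tasklist</code>, while a pile of TIME_WAIT rows on 80/443 is what a browser or Windows Update leaves behind after closing its connections. </p>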
  <a id="comment-1537175"></a>
  <article data-membergroup="4" id="elComment_1537175" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <div class="ipsResponsive_showPhone ipsComment_badges">
      <ul class="ipsList_reset ipsFlex ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
        <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
      </ul>
    </div>
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
          <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break"><span style="color:red; font-weight:bold">AdvancedSetup</span></a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537175" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-10-10T02:01:02Z" title="10/10/2022 02:01  AM" data-short="Oct 10">October 10, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 104.8k
							
								</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks">

									   <i class="fa fa-check-circle"></i> 295
								
									</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1537175_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1537175"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1665367262,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1537175}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537175" class="ipsType_blendLinks">Posted <time datetime="2022-10-10T02:01:02Z" title="10/10/2022 02:01  AM" data-short="Oct 10">October 10, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> I'm sorry, but we don't support router issues. Routers can have thousands of IPs listed that have nothing to do with what is going on with Windows. </p>
            <p> We need to see alerts, blocks from onboard security software, event log entries, obvious issues in Windows. We've now run a few different antivirus scanners and Windows is looking clean at this point. </p>
            <p> You can do a Factory Reset on your <strong>Router</strong> if you own it. </p>
            <p> Please ensure that you have the user manual for your router. Then perform a factory reset. </p>
            <p> <strong>How To Reset Your Router</strong><br><a href="https://setuprouter.com/networking/how-to-reset-your-router/" ipsnoembed="true" rel="external nofollow noopener" target="_blank">https://setuprouter.com/networking/how-to-reset-your-router/</a> </p>
            <p> Depending on one's preferences and the Router's capabilities please consider the following. </p>
            <ul>
              <li> Disable acceptance of <a href="https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol" rel="external nofollow noopener" target="_blank">ICMP</a> Pings </li>
              <li> Change the Default Router password using a <a href="https://en.wikipedia.org/wiki/Password_strength" rel="external nofollow noopener" target="_blank">Strong Password</a>
              </li>
              <li> Use a <a href="https://en.wikipedia.org/wiki/Password_strength" rel="external nofollow noopener" target="_blank">Strong</a> WiFi password on
                <a href="https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA2" rel="external nofollow noopener" target="_blank">WPA2</a>&nbsp; using
                <a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard" rel="external nofollow noopener" target="_blank">AES</a> encryption or Enable
                <a href="https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA3" rel="external nofollow noopener" target="_blank">WPA3</a> if it is an option. </li>
              <li> Disable Remote Management </li>
              <li> Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example:
                Keep <a href="https://en.wikipedia.org/wiki/Internet_of_things" rel="external nofollow noopener" target="_blank">IoT</a> devices on one network and mobile devices on another. </li>
              <li> Change the network name (<a href="https://en.wikipedia.org/wiki/Service_set_(802.11_network)#SSID" rel="external nofollow noopener" target="_blank">SSID</a>). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group. </li>
              <li> Is the Router Firmware up-to-date?&nbsp; Updating the firmware mitigates exploitable vulnerabilities. </li>
              <li> Specifically set Firewall rules to BLOCK TCP and UDP ports 135 ~ 139, 445, 1234, 3389 and 5555 </li>
              <li> Document passwords created and store them in a safe but accessible location. </li>
            </ul>
          </div>
        </div>
      </div>
    </div>
  </article>
  <a id="comment-1537182"></a>
  <article id="elComment_1537182" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone    ">
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537182" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-10-10T04:29:19Z" title="10/10/2022 04:29  AM" data-short="Oct 10">October 10, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
          </div>
        </li>
        <li data-role="group">Members</li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/content/" rel="nofollow" title="9 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 9
							
								</a>
            </li>
          </ul>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1537182_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1537182"
        data-quotedata="{&quot;userid&quot;:297963,&quot;username&quot;:&quot;malwareismyfriend&quot;,&quot;timestamp&quot;:1665376159,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1537182}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsComment_authorBadge">Author</strong></li>
              </ul>
            </div>
            <ul class="ipsList_reset ipsComment_tools">
              <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537182" title="Share Post 1537182" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1537182_menu" data-ipsdialog-title="Share this post" id="elSharePost_1537182" data-role="shareComment">ID:1537182</a>
            </ul>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537182" class="ipsType_blendLinks">Posted <time datetime="2022-10-10T04:29:19Z" title="10/10/2022 04:29  AM" data-short="Oct 10">October 10, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> These are connections that are made to PID 4 which is a process that runs in Windows 11.&nbsp; This has nothing to do with my router.&nbsp; The firewall is a software based firewall called Tinywall, which is how I am able to see where
              these connections are being made. </p>
            <p> &nbsp; </p>
            <p> Is the PID 4 SYSTEM even supposed to have any external based TCP connections? </p>
          </div>
        </div>
      </div>
    </div>
  </article>
  <a id="comment-1537184"></a>
  <article data-membergroup="4" id="elComment_1537184" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <div class="ipsResponsive_showPhone ipsComment_badges">
      <ul class="ipsList_reset ipsFlex ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
        <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
      </ul>
    </div>
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
          <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break"><span style="color:red; font-weight:bold">AdvancedSetup</span></a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537184" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-10-10T05:09:34Z" title="10/10/2022 05:09  AM" data-short="Oct 10">October 10, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 104.8k
							
								</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks">

									   <i class="fa fa-check-circle"></i> 295
								
									</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1537184_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1537184"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1665378574,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1537184}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
            <ul class="ipsList_reset ipsComment_tools">
              <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537184" title="Share Post 1537184" data-ipsdialog="" data-ipsdialog-size="narrow" data-ipsdialog-content="#elSharePost_1537184_menu" data-ipsdialog-title="Share this post" id="elSharePost_1537184" data-role="shareComment">ID:1537184</a>
            </ul>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537184" class="ipsType_blendLinks">Posted <time datetime="2022-10-10T05:09:34Z" title="10/10/2022 05:09  AM" data-short="Oct 10">October 10, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> Absolutely, quite a few in fact. </p>
            <p> Open an elevated admin command prompt and then copy and paste the following into the Window and press the Enter key. </p>
            <p> You'll see a ton of programs that run under SVCHOST.EXE, and most of them have access to the Internet. </p>
            <pre class="ipsCode prettyprint lang-html prettyprinted" id="ips_uid_6398_13" style=""><span class="pln">tasklist /svc /fi "IMAGENAME eq svchost.exe"</span></pre>
            <p> &nbsp; </p>
          </div>
        </div>
      </div>
    </div>
  </article>
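<p> As an added example (not code from the forum thread or from Malwarebytes), the PowerShell below does in one pass what the exchange above discusses: it attributes each TCP endpoint to its owning process, expands svchost.exe into the services it hosts (the same information as <code>tasklist /svc</code>), labels PID 4 as the kernel System process whose connections come from kernel-mode components rather than a user-mode executable, and marks any listener or session on the ports the router-hardening list recommends blocking. The function names <code>Get-ConnectionOwner</code> and <code>Test-IsPrivateAddress</code> and the variable <code>$WatchPorts</code> are my own; it assumes an elevated session on Windows 8/Server 2012 or later, where the NetTCPIP module exists. </p>

```powershell
# Added example, not from the forum post. Run in an elevated PowerShell session.
# Ports taken from the router-hardening list in the thread: 135-139, 445, 1234, 3389, 5555
$WatchPorts = @(135..139) + @(445, 1234, 3389, 5555)

function Get-ConnectionOwner {
    # Returns a readable owner label for a process ID (hypothetical helper name).
    # PID 4 is the kernel "System" process: endpoints attributed to it are opened by
    # kernel-mode components (SMB server, HTTP.sys, ...), so it is normal for it to
    # own TCP connections; there is no on-disk executable to inspect for it.
    param([int]$ProcessId)

    if ($ProcessId -eq 4) { return 'System (PID 4, kernel-mode components)' }
    if ($ProcessId -eq 0) { return 'Idle / closed' }

    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { return "PID $ProcessId (exited)" }

    if ($proc.ProcessName -ieq 'svchost') {
        # Same information as "tasklist /svc" for this one PID: the hosted services.
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
                Select-Object -ExpandProperty Name
        return "svchost.exe [$($svcs -join ', ')]"
    }
    return "$($proc.ProcessName).exe ($($proc.Path))"
}

function Test-IsPrivateAddress {
    # True for loopback, link-local and RFC 1918 ranges; everything else is "external".
    param([string]$Address)
    return ($Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)')
}

# Collect established sessions and listening sockets with their owners.
$report = Get-NetTCPConnection |
    Where-Object { $_.State -in 'Established', 'Listen' } |
    ForEach-Object {
        [pscustomobject]@{
            State     = $_.State
            LocalPort = $_.LocalPort
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            External  = ($_.State -eq 'Established') -and -not (Test-IsPrivateAddress $_.RemoteAddress)
            RiskyPort = ($_.LocalPort -in $WatchPorts) -or ($_.RemotePort -in $WatchPorts)
            Owner     = Get-ConnectionOwner -ProcessId $_.OwningProcess
        }
    }

# 1) Listeners on the ports the thread recommends blocking at the router.
#    A listener here is only reachable from outside if the router forwards the port.
$report | Where-Object { $_.State -eq 'Listen' -and $_.RiskyPort } |
    Format-Table State, LocalPort, Owner -AutoSize

# 2) Established sessions to non-private addresses, grouped by owning process/service.
#    Review the Owner column: an unexpected executable path or an unfamiliar
#    service inside svchost.exe is what merits a closer look, not PID 4 itself.
$report | Where-Object External | Sort-Object Owner |
    Format-Table Owner, LocalPort, Remote, RiskyPort -AutoSize
```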
  <a id="comment-1537895"></a>
  <article id="elComment_1537895" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone    ">
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537895" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-10-14T05:26:11Z" title="10/14/2022 05:26  AM" data-short="Oct 14">October 14, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to malwareismyfriend's profile" class="ipsType_break">malwareismyfriend</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to malwareismyfriend's profile">
		<img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2372c462%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EM%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E" alt="malwareismyfriend" loading="lazy">
	</a>
          </div>
        </li>
        <li data-role="group">Members</li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/297963-malwareismyfriend/content/" rel="nofollow" title="9 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 9
							
								</a>
            </li>
          </ul>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1537895_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1537895"
        data-quotedata="{&quot;userid&quot;:297963,&quot;username&quot;:&quot;malwareismyfriend&quot;,&quot;timestamp&quot;:1665725171,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1537895}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsComment_authorBadge">Author</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537895" class="ipsType_blendLinks">Posted <time datetime="2022-10-14T05:26:11Z" title="10/14/2022 05:26  AM" data-short="Oct 14">October 14, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> Right, I know about svchost and the dozens of services that run with it as their parent process. But I am specifically talking about the System process with PID 4. </p>
          </div>
        </div>
      </div>
    </div>
  </article>
  <a id="comment-1537946"></a>
  <article data-membergroup="4" id="elComment_1537946" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <div class="ipsResponsive_showPhone ipsComment_badges">
      <ul class="ipsList_reset ipsFlex ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
        <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
      </ul>
    </div>
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
          <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break"><span style="color:red; font-weight:bold">AdvancedSetup</span></a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537946" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-10-14T17:03:58Z" title="10/14/2022 05:03  PM" data-short="Oct 14">October 14, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 104.8k
							
								</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks">

									   <i class="fa fa-check-circle"></i> 295
								
									</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1537946_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1537946"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1665767038,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1537946}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1537946" class="ipsType_blendLinks">Posted <time datetime="2022-10-14T17:03:58Z" title="10/14/2022 05:03  PM" data-short="Oct 14">October 14, 2022</time></a>
            <span class="ipsResponsive_hidePhone"> (edited) </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages" id="ips_uid_8053_12">
            <p> That is a kernel-level part of the <strong>system</strong>. </p>
            <p> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4 0xffffd60f`ec068380&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0xffffaf00`cec07a40 System </p>
            <p> It's the Windows kernel, a system virtual process.<br> This virtual process contains all running kernel-mode drivers. This also includes Windows File Sharing, HTTP.SYS and SMB, to name a few. </p>
            <p> Without writing your own driver to access this process, I'm not aware of any means to monitor its processes from the User Mode level. </p>
            <p> You can run the following from a command prompt, which should show what connections are made under PID 4. </p>
            <p>
              <strong>netstat -aon</strong>
            </p>
            <p> &nbsp; </p>
            <p>
              <a class="ipsAttachLink ipsAttachLink_image" href="//content.invisioncic.com/Mmalware/monthly_2022_10/image.png.d9d56d6727b4a6af5a77780e9c73d753.png" data-fileid="355581" data-fileext="png" rel="" data-fullurl="//content.invisioncic.com/Mmalware/monthly_2022_10/image.png.d9d56d6727b4a6af5a77780e9c73d753.png" data-ipslightbox="" data-ipslightbox-group="g13250"><img class="ipsImage ipsImage_thumbnailed" data-fileid="355581" data-ratio="131.35" data-unique="xq4xha6ry" width="571" alt="image.png" src="//content.invisioncic.com/Mmalware/monthly_2022_10/image.thumb.png.e2abc928066da2f03ff0b8d1ce119e8f.png"></a>
            </p>
            <p> &nbsp; </p>
            <p> &nbsp; </p>
            <span class="ipsType_reset ipsType_medium ipsType_light" data-excludequote="">
              <strong>Edited <time datetime="2022-10-14T17:04:30Z" title="10/14/2022 05:04  PM" data-short="Oct 14">October 14, 2022</time> by AdvancedSetup</strong>
              <br>Updated information </span>
          </div>
        </div>
      </div>
    </div>
  </article>
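<p>The <code>netstat -aon</code> check in the post above lists every socket together with its owning PID; the rows whose PID is 4 belong to the System process that AdvancedSetup describes, so on a real host they are the ones worth reading. The script below is an added example written for this page, not code from the thread or from Malwarebytes. It parses a constructed <code>netstat -aon</code> sample laid out the way Windows prints it, keeps the PID-4 rows, and reports listeners and established connections that fall outside an assumed baseline. The baseline (SMB/NetBIOS on 139, 445, 137, 138 and the HTTP.SYS-hosted WSD listener on 5357) is an assumption about a typical workstation, not something stated in the thread, and the sample rows, including the unexpected ones, are constructed.</p>

```python
"""Review sockets owned by the Windows System process (PID 4) in `netstat -aon` output.

Added example for this page, not code from the thread. The netstat text below is a
constructed sample in the column layout Windows prints; the port baseline is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the layout of `netstat -aon` on Windows (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8082           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     192.168.1.50:445       ESTABLISHED     4
  TCP    192.168.1.20:49801     203.0.113.7:8443       ESTABLISHED     4
  TCP    127.0.0.1:49670        0.0.0.0:0              LISTENING       4212
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:5353           *:*                                    2288
"""

SYSTEM_PID = 4

# Assumed baseline of (proto, local port) pairs the System process normally listens on:
# SMB/NetBIOS session (139, 445), NetBIOS name/datagram (137, 138) and the HTTP.SYS-hosted
# WSD listener (5357). It is a starting point for review, not a verdict; tune it per host role.
EXPECTED_SYSTEM_LISTENERS = {
    ("TCP", 139), ("TCP", 445), ("TCP", 5357), ("UDP", 137), ("UDP", 138),
}
# Remote ports an outbound System-process connection is expected to reach (SMB client side,
# e.g. a mapped drive). Also an assumption.
EXPECTED_SYSTEM_REMOTE_PORTS = {139, 445}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int   # -1 when netstat prints "*" (UDP rows have no peer)
    state: str         # "" for UDP rows, which carry no State column
    pid: int


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split 'host:port' on the LAST colon so IPv6 forms such as '[::]:445' survive."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else -1


def parse_netstat(text: str) -> list[Socket]:
    """Turn `netstat -aon` text into Socket records, skipping banner and header lines."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue   # "Active Connections", the column header, blank lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue   # malformed row: skip rather than guess
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        sockets.append(Socket(proto, lhost, lport, rhost, rport, state, int(pid)))
    return sockets


def system_sockets(sockets: list[Socket]) -> list[Socket]:
    """Only the rows owned by the System process (PID 4)."""
    return [s for s in sockets if s.pid == SYSTEM_PID]


def review_system_sockets(sockets: list[Socket],
                          listeners=EXPECTED_SYSTEM_LISTENERS,
                          remote_ports=EXPECTED_SYSTEM_REMOTE_PORTS) -> list[tuple[str, Socket]]:
    """Return (reason, socket) pairs for PID-4 sockets that fall outside the assumed baseline."""
    findings = []
    for s in system_sockets(sockets):
        is_listener = s.proto == "UDP" or s.state == "LISTENING"
        if is_listener and (s.proto, s.local_port) not in listeners:
            findings.append(("unexpected System listener", s))
        elif s.state == "ESTABLISHED" and s.remote_port not in remote_ports:
            findings.append(("unexpected outbound System connection", s))
    return findings


if __name__ == "__main__":
    for reason, s in review_system_sockets(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{reason}: {s.proto} {s.local_host}:{s.local_port} -> "
              f"{s.remote_host}:{s.remote_port} {s.state}")
```

<p>On a real host, save the output with <code>netstat -aon &gt; netstat.txt</code> and pass the file contents to <code>parse_netstat</code>. Treat the findings as review items rather than verdicts: because HTTP.SYS runs inside the System process, a PID-4 listener on an unfamiliar port is often a legitimate URL reservation by some service, which <code>netsh http show servicestate</code> will list, while an established PID-4 connection to an external address on a port other than SMB is the kind of row that deserves a closer look.</p>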
  <ul class="ipsTopicMeta">
    <li class="ipsTopicMeta__item ipsTopicMeta__item--time"> 1 month later... </li>
  </ul>
  <a id="comment-1545496"></a>
  <article data-membergroup="4" id="elComment_1545496" class="cPost ipsBox ipsResponsive_pull  ipsComment  ipsComment_parent ipsClearfix ipsClear ipsColumns ipsColumns_noSpacing ipsColumns_collapsePhone ipsComment_highlighted   ">
    <div class="ipsResponsive_showPhone ipsComment_badges">
      <ul class="ipsList_reset ipsFlex ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
        <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
      </ul>
    </div>
    <div class="cAuthorPane_mobile ipsResponsive_showPhone">
      <div class="cAuthorPane_photo">
        <div class="cAuthorPane_photoWrap">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
          <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
        </div>
      </div>
      <div class="cAuthorPane_content">
        <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_break ipsType_blendLinks ipsFlex ipsFlex-ai:center">
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break"><span style="color:red; font-weight:bold">AdvancedSetup</span></a>
        </h3>
        <div class="ipsType_light ipsType_reset">
          <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1545496" rel="nofollow" class="ipsType_blendLinks">Posted <time datetime="2022-12-14T00:39:06Z" title="12/14/2022 12:39  AM" data-short="Dec 14">December 14, 2022</time></a>
        </div>
      </div>
    </div>
    <aside class="ipsComment_author cAuthorPane ipsColumn ipsColumn_medium ipsResponsive_hidePhone">
      <h3 class="ipsType_sectionHead cAuthorPane_author ipsType_blendLinks ipsType_break"><strong>
          <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard&amp;referrer=https%253A%252F%252Fforums.malwarebytes.com%252Ftopic%252F290671-malware-infected-from-usb-drive%252F" title="Go to AdvancedSetup's profile" class="ipsType_break">AdvancedSetup</a></strong>
      </h3>
      <ul class="cAuthorPane_info ipsList_reset">
        <li data-role="photo" class="cAuthorPane_photo">
          <div class="cAuthorPane_photoWrap">
            <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/" rel="nofollow" data-ipshover="" data-ipshover-width="370" data-ipshover-target="https://forums.malwarebytes.com/profile/2065-advancedsetup/?do=hovercard" class="ipsUserPhoto ipsUserPhoto_large" title="Go to AdvancedSetup's profile">
		<img src="//content.invisioncic.com/Mmalware/monthly_2020_11/what_kirk.thumb.gif.70b2b23aa23a2941e8842dad5086b144.gif" alt="AdvancedSetup" loading="lazy">
	</a>
            <span class="cAuthorPane_badge cAuthorPane_badge--moderator" data-ipstooltip="" title="AdvancedSetup is a moderator"></span>
          </div>
        </li>
        <li data-role="group"><span style="color:red; font-weight:bold">Root Admin</span></li>
        <li data-role="group-icon"><img src="//content.invisioncic.com/Mmalware/monthly_2020_11/455389808_MWBStaffLogoShort.png.471513c6a13f05393350352f7bc42e55.png" alt="" class="cAuthorGroupIcon"></li>
        <li data-role="stats" class="ipsMargin_top">
          <ul class="ipsList_reset ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:center ipsGap_row:2 cAuthorPane_stats">
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/content/" rel="nofollow" title="104,817 posts" data-ipstooltip="" class="ipsType_blendLinks">

								<i class="fa fa-comment"></i> 104.8k
							
								</a>
            </li>
            <li>
              <a href="https://forums.malwarebytes.com/profile/2065-advancedsetup/solutions/" rel="nofollow" title="295 solutions" data-ipstooltip="" class="ipsType_blendLinks">

									   <i class="fa fa-check-circle"></i> 295
								
									</a>
            </li>
          </ul>
        </li>
        <li data-role="custom-field" class="ipsResponsive_hidePhone ipsType_break">
          <span class="ft">Location: </span><span class="fc">The United Federation of Planets</span>
        </li>
      </ul>
    </aside>
    <div class="ipsColumn ipsColumn_fluid ipsMargin:none">
      <div id="comment-1545496_wrap" data-controller="core.front.core.comment" data-commentapp="forums" data-commenttype="forums" data-commentid="1545496"
        data-quotedata="{&quot;userid&quot;:2065,&quot;username&quot;:&quot;AdvancedSetup&quot;,&quot;timestamp&quot;:1670978346,&quot;contentapp&quot;:&quot;forums&quot;,&quot;contenttype&quot;:&quot;forums&quot;,&quot;contentid&quot;:290671,&quot;contentclass&quot;:&quot;forums_Topic&quot;,&quot;contentcommentid&quot;:1545496}"
        class="ipsComment_content ipsType_medium">
        <div class="ipsComment_meta ipsType_light ipsFlex ipsFlex-ai:center ipsFlex-jc:between ipsFlex-fd:row-reverse">
          <div class="ipsType_light ipsType_reset ipsType_blendLinks ipsComment_toolWrap">
            <div class="ipsResponsive_hidePhone ipsComment_badges">
              <ul class="ipsList_reset ipsFlex ipsFlex-jc:end ipsFlex-fw:wrap ipsGap:2 ipsGap_row:1">
                <li><strong class="ipsBadge ipsBadge_large ipsBadge_highlightedGroup">Root Admin</strong></li>
              </ul>
            </div>
          </div>
          <div class="ipsType_reset ipsResponsive_hidePhone">
            <a href="https://forums.malwarebytes.com/topic/290671-malware-infected-from-usb-drive/?do=findComment&amp;comment=1545496" class="ipsType_blendLinks">Posted <time datetime="2022-12-14T00:39:06Z" title="12/14/2022 12:39  AM" data-short="Dec 14">December 14, 2022</time></a>
            <span class="ipsResponsive_hidePhone">
            </span>
          </div>
        </div>
        <div class="cPost_contentWrap">
          <div data-role="commentContent" class="ipsType_normal ipsType_richText ipsPadding_bottom ipsContained" data-controller="core.front.core.lightboxedImages">
            <p> Due to the lack of feedback, this topic is closed to prevent others from posting here. </p>
            <p> If you need this topic reopened, please send a <strong>Private Message</strong> to any one of the moderating team members. Please include a link to this topic with your request. </p>
            <p> This applies only to the originator of this topic. Other members who need assistance
              <strong><a href="https://forums.malwarebytes.com/forum/7-windows-malware-removal-help-support/" rel="">please start your own topic in a new thread</a></strong>. </p>
            <p>
              <a href="https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/" rel="">Tips to help protect from infection</a>
            </p>
            <p> Thanks </p>
            <p> &nbsp; </p>
          </div>
        </div>
      </div>
    </div>
  </article>
  <input type="hidden" name="csrfKey" value="a6da0c542bb8c458b99f094026422455">
</form>


Text Content

MALWARE INFECTED FROM USB DRIVE

By malwareismyfriend
September 29, 2022 in Resolved Malware Removal Logs

RECOMMENDED POSTS


MALWAREISMYFRIEND (Members, post ID 1535831)

Posted September 29, 2022 (edited)

Put a USB drive in my computer a few days ago, computer started acting
strangely. Adobe Illustrator not working properly, anti-virus programs not
working properly, even FRST didn't load correctly until I re-downloaded it. I
notice a lot of entries in my process list using Process Explorer and dozens of
outbound connections using svchost and system. I had to boot in safe mode and
run an old copy of FRST because I couldn't download a fresh copy without
networking.

 

Attachments: Addition.txt (unavailable), FRST.txt (unavailable)

Edited September 29, 2022 by AdvancedSetup
Removed unwanted text


ADVANCEDSETUP (Root Admin, post ID 1535834)

Posted September 29, 2022

Hello @malwareismyfriend

You will need to have access to the Internet from another computer or some way
to transfer files. (it seems you've already done so as you posted logs)

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

 * Double-click to run it. When the tool opens click Yes to disclaimer.
 * Press the Scan button.
 * It will make a log (FRST.txt) in the same directory the tool is run. Please
   attach it to your reply.
 * The first time the tool is run, it also makes another log (Addition.txt).
   Please attach it to your reply as well.

Thank you

 

 

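Once FRST.txt is back, the first pass a helper makes is to pick out the marks FRST itself adds: "[File not signed]" on a running image or autorun, "[X]" on an autorun whose file is gone, and "<==== ATTENTION" on policy keys such as the Windows Defender, WindowsUpdate and Edge restrictions that appear in the log posted later in this thread, plus anything executing from a path a standard user can write to. The script below is an added example written for this page; it is not part of the thread and not FRST's own code. Its sample input is a short excerpt assembled from lines of the log posted in this thread, embedded so the script runs offline; the list of user-writable path fragments and the finding labels are the example's own choices. An unsigned or user-path entry is a prompt to look, not a verdict: Classic Shell and the Everything search tool in the sample are well-known legitimate programs.

```python
"""Triage helper for FRST.txt: pull out the entries an analyst reads first.

FRST already annotates some lines ("[File not signed]", "<==== ATTENTION",
"[X]" for an autorun whose file is gone). This script extracts those marks
from the Processes and Registry sections and adds one heuristic of its own:
executables running from locations a standard user can write to.
"""
import re
from dataclasses import dataclass

# Path fragments a standard user can write to (example's own list). A process
# here is not automatically bad; it is simply where to look first.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# "(parent ->) (cert subject -> vendor) [flags] C:\path\file.exe <count>"
PROC_RE = re.compile(
    r"^\((?P<parent>.*?) ->\) "        # launching parent process
    r"\((?P<signer>.*?)\) "            # signature info, may itself contain "(R)"
    r"(?P<flags>(?:\[[^\]]+\] )*)"     # e.g. "[File not signed] "
    r"(?P<path>[A-Za-z]:\\.+?)"        # full path of the running image
    r"(?: <(?P<count>\d+)>)?$"         # number of instances, if more than one
)
# "HKLM\...\Run: [Name] => target ..." (hive is HKLM, HKLM-x32 or HKU\<SID>)
RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*)$")
# "HKLM\SOFTWARE\Policies\...: Restriction <==== ATTENTION"
ATTN_RE = re.compile(r"^(?P<key>.+?): Restriction <==== ATTENTION$")
# Bracketed annotations starting with a letter; "[163640 2017-08-13]" is size/date, not a flag
FLAG_RE = re.compile(r"\[([A-Za-z][^\]]*)\]")
SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")

# Constructed sample input: an excerpt in FRST's line format, assembled from
# lines of the log posted in this thread.
SAMPLE_FRST = r"""
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(explorer.exe ->) (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenu.exe
(services.exe ->) (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\lms.inf_amd64_5d10f2aad7f84bec\LMS.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe
(services.exe ->) (voidtools -> voidtools) C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64\Everything.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <3>

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163640 2017-08-13] (Ivaylo Beltchev -> IvoSoft) [File not signed]
HKLM\...\Run: [LogiOptions] => C:\Program Files\Logitech\LogiOptions\LogiOptions.exe [1687616 2022-02-21] (Logitech Inc -> Logitech, Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe [2630024 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # short label, e.g. "unsigned-process"
    subject: str   # file path or registry key the finding is about
    note: str      # why it deserves a look


def sections(text):
    """Yield (section name, stripped line) for every non-empty line of an FRST log."""
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        yield current, line


def triage(frst_text):
    """Return the findings, in log order, for the body of an FRST.txt."""
    findings = []
    for section, line in sections(frst_text):
        if section.startswith("Processes"):
            m = PROC_RE.match(line)
            if not m:
                continue  # explanatory "(If an entry is included ...)" notes and the like
            path, parent = m.group("path"), m.group("parent")
            if "File not signed" in FLAG_RE.findall(m.group("flags")):
                findings.append(Finding("unsigned-process", path,
                                        f"started by {parent}; no Authenticode signature"))
            if any(frag in path.lower() for frag in USER_WRITABLE):
                findings.append(Finding("user-path-process", path,
                                        f"started by {parent} from a user-writable location"))
        elif section.startswith("Registry"):
            a = ATTN_RE.match(line)
            if a:
                findings.append(Finding("policy-restriction", a.group("key"),
                                        "policy key present; it can restrict or disable the component"))
                continue
            r = RUN_RE.match(line)
            if not r:
                continue
            target = r.group("target")
            subject = f"{r.group('hive')} Run:{r.group('name')}"
            if target == "[X]":
                findings.append(Finding("orphaned-autorun", subject,
                                        "autorun whose file no longer exists"))
                continue
            command = target.split(" [")[0]   # drop the "[size date] (signer)" tail
            if "File not signed" in FLAG_RE.findall(target):
                findings.append(Finding("unsigned-autorun", subject, f"unsigned target: {command}"))
            if any(frag in command.lower() for frag in USER_WRITABLE):
                findings.append(Finding("user-path-autorun", subject,
                                        f"target in a user-writable location: {command}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"{f.kind:20} {f.subject}\n{'':20} {f.note}")
```

Run it against a real FRST.txt by reading the file into `triage()`; the Scheduled Tasks section, which in this thread also carries a "[File not signed]" batch file and tasks under a user profile, would be the next section to teach it. The policy-restriction findings are the ones to correlate with the original complaint, since a Windows Defender policy key is exactly what can leave "anti-virus programs not working properly".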


MALWAREISMYFRIEND (Author, post ID 1535841)

Posted September 29, 2022

Okay, I got it running from my desktop. This log looks completely different from
the one above, very odd.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-08-2022
Ran by God (administrator) on FAST-DELL (Dell Inc. Inspiron 3891) (29-09-2022 00:16:11)
Running from C:\Users\gngn1\Desktop
Loaded Profiles: God
Platform: Microsoft Windows 11 Home Version 21H2 22000.978 (X64) Language: English (United States)
Default browser: FF
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_appbroker.exe
(C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_agent.exe
(C:\Program Files\Logitech\LogiOptions\LogiOptions.exe ->) (Logitech Inc -> Logitech) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOverlay.exe
(C:\Program Files\Logitech\LogiOptions\LogiOptions.exe ->) (Logitech Inc -> Logitech, Inc.) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe
(C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe ->) (Logitech Inc -> Logitech, Inc.) C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\laclient.exe
(C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCopyAccelerator.exe
(DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxCUIService.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxEM.exe
(explorer.exe ->) (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenu.exe
(explorer.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\Logitech\LogiOptions\LogiOptions.exe
(explorer.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft OneDrive\OneDrive.exe
(services.exe ->) (Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
(services.exe ->) (Apple Inc. -> Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(services.exe ->) (Code Sector -> ) C:\Program Files\TeraCopy\TeraCopyService.exe
(services.exe ->) (Dell Inc -> Dell Inc.) C:\Program Files\Dell\Fusion\FusionService.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_ca344d3091c489b2\igfxCUIService.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_f83b924791f3a52a\OneApp.IGCC.WinService.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\IntelCpHDCPSvc.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\IntelCpHeciSvc.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\mewmiprov.inf_amd64_d4564390a9b1e980\WMIRegistrationService.exe
(services.exe ->) (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_7aa6ca9dbb25bff8\jhi_service.exe
(services.exe ->) (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\lms.inf_amd64_5d10f2aad7f84bec\LMS.exe
(services.exe ->) (Intel(R) Rapid Storage Technology -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iastorac.inf_amd64_68966115f2eef4e5\RstMwService.exe
(services.exe ->) (Károly Pados -> Károly Pados) C:\Program Files (x86)\TinyWall\TinyWall.exe <3>
(services.exe ->) (Logitech Inc -> Logitech, Inc.) C:\Program Files\LogiOptionsPlus\logioptionsplus_updater.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\NisSrv.exe
(services.exe ->) (PhaseFive Systems LLC -> Phase Five Systems) C:\Program Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe
(services.exe ->) (TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(services.exe ->) (voidtools -> voidtools) C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64\Everything.exe
(services.exe ->) (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.) C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe
(sihost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.4447.0_x64__8wekyb3d8bbwe\PAD.Console.Host.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <3>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wlanext.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163640 2017-08-13] (Ivaylo Beltchev -> IvoSoft) [File not signed]
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [509936 2018-04-11] (Adobe Systems Incorporated -> Adobe Systems Incorporated)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\System32\LogiLDA.dll [3831808 2021-08-30] (Microsoft Windows Hardware Compatibility Publisher -> Logitech)
HKLM\...\Run: [LogiOptions] => C:\Program Files\Logitech\LogiOptions\LogiOptions.exe [1687616 2022-02-21] (Logitech Inc -> Logitech, Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [1067528 2022-07-25] (Adobe Inc. -> Adobe Inc.)
HKLM\...\Policies\Explorer: [HideSCAMeetNow] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe [2630024 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Run: [MicrosoftEdgeAutoLaunch_C0A32B37347337D257B1541CA93F7472] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [3795376 2022-09-25] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Policies\Explorer: [HideSCAMeetNow] 1
HKU\S-1-5-21-1789883001-303321401-512692908-1003\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe [2630024 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
Startup: C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2021-12-30]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation -> Microsoft Corporation)
AlternateShell: 
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {02FEA731-D2DD-4A8E-A439-563F55D53DFC} - System32\Tasks\Opera scheduled Autoupdate 1638694259 => C:\Program Files\Opera\launcher.exe [2538448 2022-09-05] (Opera Norway AS -> Opera Software)
Task: {0335EFB7-AF7E-416D-9978-D34ABA156C86} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23709120 2022-09-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {05297C63-34A6-4FCA-A5F8-891900D5D30E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {0AA9AE9F-7BC1-4CF7-B0D0-942E8D8AB388} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task "308046B0AF4A39CB"
Task: {193C0CD3-8DE7-4B74-A2DD-718AAF02C2ED} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {1AEF3D55-5909-4E1E-8853-22E99F844F7C} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23709120 2022-09-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {487D899D-40F2-476C-BEF0-2FF05589EC63} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [616832 2019-09-04] (Apple Inc. -> Apple Inc.)
Task: {500823C9-7F32-4788-B34D-40329A313066} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1003 => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
Task: {5FD92CFE-F4D2-4D63-9C80-AC2D101820F1} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1002 => C:\Users\gngn1\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting (No File)
Task: {6500E3AE-98EC-4892-B4CC-620672E1ECD0} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [142208 2022-09-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {6D5E4CE5-B360-40C2-82EA-F9193CE82B45} - System32\Tasks\npcapwatchdog => C:\Program Files\Npcap\CheckStatus.bat [815 2021-09-08] () [File not signed]
Task: {81645350-7A7E-4586-930D-AA1963354214} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {87B48BF5-2794-481C-9766-B28425BE7E49} - System32\Tasks\EOSv3 Scheduler onTime => C:\Users\gngn1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [21737944 2022-09-21] (ESET, spol. s r.o. -> ESET)
Task: {940B0A62-EB07-406B-AF8C-69A42C245B77} - System32\Tasks\Opera scheduled assistant Autoupdate 1638694264 => C:\Program Files\Opera\launcher.exe [2538448 2022-09-05] (Opera Norway AS -> Opera Software) -> --scheduledautoupdate --component-name=assistant --component-path="C:\Program Files\Opera\assistant" $(Arg0)
Task: {A7D8C990-6422-4667-87E3-FA40C47BB4B1} - System32\Tasks\EOSv3 Scheduler onLogOn => C:\Users\gngn1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [21737944 2022-09-21] (ESET, spol. s r.o. -> ESET)
Task: {AC1FBF05-8B10-4509-AEF9-AB30ECDDC41C} - System32\Tasks\Microsoft\Windows\WaaSMedic\MaintenanceWork => {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32}
Task: {B0DE073A-B771-46E8-8A43-62AAF41CD5E2} - System32\Tasks\OneDrive Per-Machine Standalone Update Task => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
Task: {C2820938-5262-4E5B-BA4C-08EE29C71694} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [142208 2022-09-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {CFB3D3C2-5ED7-4025-973B-4173E78BFF79} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-09-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {D15035A4-388C-4B0C-B13E-2588A970C419} - System32\Tasks\Microsoft\Office\Office Performance Monitor => C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe [64408 2022-09-08] (Microsoft Corporation -> Microsoft Corporation)
Task: {D24345F4-A990-448B-97A8-778C14BE4C7C} - System32\Tasks\Mozilla\Firefox Background Update 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\firefox.exe --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate
Task: {E13FF481-BB09-4CA9-9478-463D38661FA9} - System32\Tasks\TinyWall Controller => C:\Program Files (x86)\TinyWall\TinyWall.exe [867080 2021-10-26] (Károly Pados -> Károly Pados)
Task: {FA7BFA7D-63B4-4DE5-8D36-09A74B86FCA2} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1789883001-303321401-512692908-1001 => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4165520 2022-09-26] (Microsoft Corporation -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 9.9.9.9 149.112.112.112
Tcpip\..\Interfaces\{666ad4d3-6ec5-4013-a092-a6d61e020286}: [DhcpNameServer] 9.9.9.9 149.112.112.112

Edge: 
=======
Edge Profile: C:\Users\gngn1\AppData\Local\Microsoft\Edge\User Data\Default [2022-09-27]
Edge Extension: (Microsoft Power Automate) - C:\Users\gngn1\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\njjljiblognghfjfpcdpdbpbfcmhgafg [2022-08-08]
Edge HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [njjljiblognghfjfpcdpdbpbfcmhgafg]

FireFox:
========
FF DefaultProfile: cb410ea4.default
FF ProfilePath: C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\cb410ea4.default [2021-12-15]
FF ProfilePath: C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release [2022-09-28]
FF Session Restore: Mozilla\Firefox\Profiles\za350ywr.default-release -> is enabled.
FF Notifications: Mozilla\Firefox\Profiles\za350ywr.default-release -> hxxps://web.telegram.org; hxxps://www.kiiroo.com; hxxps://electrothreads.com
FF Extension: (Disconnect) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\2.0@disconnect.me.xpi [2022-01-11]
FF Extension: (Google Container) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\@contain-google.xpi [2022-01-11]
FF Extension: (Keepa - Amazon Price Tracker) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\amptra@keepa.com.xpi [2022-04-18]
FF Extension: (OneNote Web Clipper) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\Clipper@OneNote.com.xpi [2022-04-14]
FF Extension: (Don't ***** With Paste) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\Dont*****WithPaste@raim.ist.xpi [2022-01-11]
FF Extension: (Folx) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\folx5@eltima.com.xpi [2022-01-11]
FF Extension: (Disable WebRTC) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-5Fs7iTLscUaZBgwr@jetpack.xpi [2022-01-11]
FF Extension: (Honey) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-93CWPmRbVPjRQA@jetpack.xpi [2022-01-11]
FF Extension: (Decentraleyes) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-BoFifL9Vbdl2zQ@jetpack.xpi [2022-02-01]
FF Extension: (I don't care about cookies) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-KKzOGWgsW3Ao4Q@jetpack.xpi [2022-09-15]
FF Extension: (Double-click Image Downloader) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-xgtdawe3yyUeBQ@jetpack.xpi [2022-01-11]
FF Extension: (Reddit Enhancement Suite) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi [2022-02-02]
FF Extension: (Pinterest Save Button) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi [2022-03-02]
FF Extension: (JSONovich) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\jsonovich@lackoftalent.org.xpi [2022-04-05]
FF Extension: (IDM Integration Module) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\mozilla_cc3@internetdownloadmanager.com.xpi [2022-05-27]
FF Extension: (Download Manager (S3)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\s3download@statusbar.xpi [2022-01-11]
FF Extension: (Save webP as PNG or JPEG) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\savewebpas@jeffersonscher.com.xpi [2022-09-23]
FF Extension: (LastPass: Free Password Manager) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\support@lastpass.com.xpi [2022-08-06]
FF Extension: (Google Translator for Firefox) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\translator@zoli.bod.xpi [2022-01-11]
FF Extension: (uBlock Origin) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\uBlock0@raymondhill.net.xpi [2022-09-20]
FF Extension: (Paste n' Go) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{000a756d-5efb-4897-b40c-57ef8c5caa59}.xpi [2022-01-11]
FF Extension: (Take Webpage Screenshots Entirely - FireShot) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}.xpi [2022-09-15]
FF Extension: (CSS Toggler) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{16898b73-edd0-419f-a0a9-e5afd2a4c904}.xpi [2022-05-02]
FF Extension: (Download All Images) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{32af1358-428a-446d-873e-5f8eb5f2a72e}.xpi [2022-08-22]
FF Extension: (Send to VLC (VideoLAN) media player) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{3e0ac434-26e0-4c03-b757-3078486800c3}.xpi [2022-01-11]
FF Extension: (Disable JavaScript) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{41f9e51d-35e4-4b29-af66-422ff81c8b41}.xpi [2022-01-11]
FF Extension: (Eno® from Capital One®) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{4d5b7a5e-5232-9e45-97f4-f8e1ca2626e5}.xpi [2022-07-20]
FF Extension: (Science Fiction Florest) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{4d6138be-7d98-4fed-8cb9-277c3a351183}.xpi [2022-01-11]
FF Extension: (Blue Carbon Fiber) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{5ab03bdd-3d91-4c73-801e-607ca27458d0}.xpi [2022-01-11]
FF Extension: (ColorZilla) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}.xpi [2022-01-11]
FF Extension: (Hot air balloons v5 by CP) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{790388bf-f135-4368-ab9b-36c8062a09c2}.xpi [2022-01-11]
FF Extension: (Plexus Crystals (Yellow)) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{826d3ea1-5a85-4e6c-8749-aff3f72ccc5d}.xpi [2022-01-11]
FF Extension: (Clippings) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{91aa5abe-9de4-4347-b7b5-322c38dd9271}.xpi [2022-09-19]
FF Extension: (Absolute Right Click) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{9350bc42-47fb-4598-ae0f-825e3dd9ceba}.xpi [2022-01-11]
FF Extension: (RESTClient) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ad0d925d-88f8-47f1-85ea-8463569e756e}.xpi [2022-04-05]
FF Extension: (Capital One Shopping: Online Coupon Tool) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{aff8af88-06a9-4eee-b383-3af08c47b8c8}.xpi [2022-09-26]
FF Extension: (The universe of ancient times.) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{b6d370bd-f532-4049-9a82-f53b47f369b3}.xpi [2022-01-11]
FF Extension: (Video DownloadHelper) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2022-05-12]
FF Extension: (flashy pastel rainbow) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ced18bb2-3a5e-4d85-b0ad-5b99cb34fa73}.xpi [2022-01-11]
FF Extension: (Polynial design) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{d7dce9c0-165e-44ff-90b9-c5ce9f7a7721}.xpi [2022-01-11]
FF Extension: (Read Aloud: A Text to Speech Voice Reader) - C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ddc62400-f22d-4dd3-8b4a-05837de53c2e}.xpi [2022-09-01]
FF Extension: (Matte Black (Orange)) -
C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{e7c9fb23-17c0-4bb6-a8ba-ff52a7770b89}.xpi
[2022-02-24]
FF Extension: (Plexus Crystals (Violet)) -
C:\Users\gngn1\AppData\Roaming\Mozilla\Firefox\Profiles\za350ywr.default-release\Extensions\{ff571d12-dfde-4e8f-be1d-38c145a98443}.xpi
[2022-02-24]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft
Office\root\Office16\NPSPWRAP.DLL [2022-07-07] (Microsoft Corporation ->
Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=3.0.16 -> C:\Program
Files\VideoLAN\VLC\npvlc.dll [2021-06-18] (VideoLAN -> VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe
Creative Cloud\Utils\npAdobeAAMDetect64.dll [2022-07-25] (Adobe Inc. -> Adobe
Systems)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program
Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft
Office\Office16\NPSPWRAP.DLL [2022-07-07] (Microsoft Corporation -> Microsoft
Corporation)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe
Creative Cloud\Utils\npAdobeAAMDetect32.dll [2022-07-25] (Adobe Inc. -> Adobe
Systems)

Chrome: 
=======
CHR
HKU\S-1-5-21-1789883001-303321401-512692908-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension:
[gjgfobnenmnljakmhboildkafdkicala]

Opera: 
=======
OPR Profile: C:\Users\gngn1\AppData\Roaming\Opera Software\Opera Stable
[2022-09-26]
OPR Notifications: Opera Stable -> hxxps://web.telegram.org;
hxxps://www.philadelphiaeagles.com
OPR DefaultSuggestURL: Opera Stable ->
hxxps://www.google.com/complete/search?client=opera&q={searchTerms}&ie={inputEncoding}&oe={outputEncoding}
OPR Extension: (Rich Hints Agent) - C:\Users\gngn1\AppData\Roaming\Opera
Software\Opera Stable\Extensions\enegjkbbakeegngfapepobipndnebkdk [2022-07-28]
OPR Extension: (Opera Crypto Wallet) - C:\Users\gngn1\AppData\Roaming\Opera
Software\Opera Stable\Extensions\gojhcdgcpbpfigcaejpfhfegekdgiblk [2022-07-28]
OPR Extension: (Amazon Assistant Promotion) -
C:\Users\gngn1\AppData\Roaming\Opera Software\Opera
Stable\Extensions\kbmoiomgmchbpihhdpabemajcbjpcijk [2021-12-20]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry.
The file will not be moved unless listed separately.)

R2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop
Common\ElevationManager\AdobeUpdateService.exe [923656 2022-07-25] (Adobe Inc.
-> Adobe Inc.)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile
Device Support\AppleMobileDeviceService.exe [99104 2021-08-20] (Apple Inc. ->
Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft
Shared\ClickToRun\OfficeClickToRun.exe [12131256 2022-09-18] (Microsoft
Corporation -> Microsoft Corporation)
S3 dcsvc; C:\Windows\system32\dcsvc.dll [831488 2022-09-13] (Microsoft Windows
-> Microsoft Corporation)
R2 Everything; C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64\Everything.exe
[2266128 2022-09-22] (voidtools -> voidtools)
S3 FileSyncHelper; C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncHelper.exe [3383688 2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
R2 FusionService; C:\Program Files\Dell\Fusion\FusionService.exe [19096
2021-10-13] (Dell Inc -> Dell Inc.)
R2 JumpConnect; C:\Program Files (x86)\Phase Five Systems\Jump Desktop
Connect\6.7.69.0\JumpConnect.exe [154080 2022-01-07] (PhaseFive Systems LLC ->
Phase Five Systems)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
[7901368 2021-12-05] (Malwarebytes Inc -> Malwarebytes)
S3 OneDrive Updater Service; C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\OneDriveUpdaterService.exe [3804032 2022-09-26]
(Microsoft Corporation -> Microsoft Corporation)
R2 OptionsPlusUpdaterService; C:\Program
Files\LogiOptionsPlus\logioptionsplus_updater.exe [17029376 2022-09-12]
(Logitech Inc -> Logitech, Inc.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
[12912936 2021-11-16] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
R2 TeraCopyService.exe; C:\Program Files\TeraCopy\TeraCopyService.exe [114384
2021-04-21] (Code Sector -> )
R2 TinyWall; C:\Program Files (x86)\TinyWall\TinyWall.exe [867080 2021-10-26]
(Károly Pados -> Károly Pados)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows
Defender\Platform\4.18.2207.7-0\NisSrv.exe [3125112 2022-09-07] (Microsoft
Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows
Defender\Platform\4.18.2207.7-0\MsMpEng.exe [133560 2022-09-07] (Microsoft
Windows Publisher -> Microsoft Corporation)
S2 Wondershare InstallAssist;
C:\ProgramData\Wondershare\Service\InstallAssistService.exe [X]
R2 ZoomCptService; "C:\Program Files (x86)\Common
Files\Zoom\Support\CptService.exe" -user_path
"C:\Users\gngn1\AppData\Roaming\Zoom"

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry.
The file will not be moved unless listed separately.)

S3 AppleKmdfFilter; C:\Windows\System32\drivers\AppleKmdfFilter.sys [20032
2020-10-09] (WDKTestCert build,132303256403278908 -> Apple Inc.)
S3 AppleLowerFilter; C:\Windows\System32\drivers\AppleLowerFilter.sys [35976
2020-10-09] (WDKTestCert build,132303256403278908 -> Apple Inc.)
S3 DDDriver; C:\Windows\System32\drivers\dddriver64Dcsa.sys [43400 2021-09-09]
(Microsoft Windows Hardware Compatibility Publisher -> Dell Technologies)
R0 fse; C:\Windows\System32\drivers\fse.sys [193888 2022-05-11] (Microsoft
Windows -> Microsoft Corporation)
S3 IntelGNA;
C:\Windows\System32\DriverStore\FileRepository\gna.inf_amd64_c08af0e43cbc91c3\gna.sys
[83856 2020-08-04] (Gaussian Mixture Models and Neural Networks Accelerator ->
Intel Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [210352
2022-09-26] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [19912 2021-12-05]
(Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248992
2022-03-27] (Malwarebytes Inc -> Malwarebytes)
R3 MpKsl84bd6d14; C:\ProgramData\Microsoft\Windows Defender\Definition
Updates\{E54752FF-50C6-4067-A464-757ABA79C676}\MpKslDrv.sys [228600 2022-09-28]
(Microsoft Windows -> Microsoft Corporation)
S3 MYFAULT; C:\Windows\system32\drivers\myfault.sys [27848 2022-09-27]
(Microsoft Windows Hardware Compatibility Publisher -> Sysinternals)
R1 npcap; C:\Windows\system32\DRIVERS\npcap.sys [72792 2021-11-30] (Insecure.Com
LLC -> Insecure.Com LLC.)
U5 PROCMON24; C:\Windows\System32\Drivers\PROCMON24.sys [95632 2022-09-26]
(Microsoft Windows Hardware Compatibility Publisher -> Sysinternals -
www.sysinternals.com)
R3 USBPcap; C:\Windows\system32\DRIVERS\USBPcap.sys [52872 2020-05-22] (Tomasz
Moń -> USBPcap)
S3 vmbusproxy; C:\Windows\system32\drivers\vmbusproxy.sys [90112 2022-04-06]
(Microsoft Windows -> )
S0 WdBoot; C:\Windows\System32\drivers\wd\WdBoot.sys [49576 2022-09-07]
(Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [453904 2022-09-07]
(Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [94480 2022-09-07]
(Microsoft Windows -> Microsoft Corporation)
R3 WiManH;
C:\Windows\System32\DriverStore\FileRepository\wiman.inf_amd64_f0ed422f0b4a6c99\WiManH\WiManH.sys
[172896 2020-11-23] (Intel Wireless Driver -> )
U4 npcap_wifi; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry.
The file will not be moved unless listed separately.)

NETSVC: DcSvc -> C:\Windows\system32\dcsvc.dll (Microsoft Corporation)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-09-29 00:16 - 2022-09-29 00:16 - 000031964 _____
C:\Users\gngn1\Desktop\FRST.txt
2022-09-29 00:16 - 2022-09-29 00:16 - 000000000 ____D C:\FRST
2022-09-29 00:14 - 2022-09-29 00:15 - 002371072 _____ (Farbar)
C:\Users\gngn1\Desktop\frst64.exe
2022-09-28 22:41 - 2022-09-28 22:41 - 000000214 _____
C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2022-09-28 13:35 - 2022-09-28 13:35 - 000000519 _____ C:\Users\gngn1\Desktop\OS
(C) - Shortcut.lnk
2022-09-27 03:10 - 2022-09-27 03:10 - 000027848 _____ (Sysinternals)
C:\Windows\system32\Drivers\myfault.sys
2022-09-26 22:56 - 2022-09-26 22:56 - 000003194 _____
C:\Windows\system32\Tasks\OneDrive Per-Machine Standalone Update Task
2022-09-26 22:56 - 2022-09-26 22:56 - 000002104 _____
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2022-09-26 05:16 - 2022-09-26 05:16 - 000095632 ____H (Sysinternals -
www.sysinternals.com) C:\Windows\system32\Drivers\PROCMON24.SYS
2022-09-26 01:57 - 2022-09-26 01:57 - 000000000 ____D
C:\Users\Sokka\AppData\Local\ClassicShell
2022-09-26 01:56 - 2022-09-26 01:56 - 000000000 ____D
C:\Users\Sokka\AppData\Roaming\ClassicShell
2022-09-26 01:33 - 2022-09-26 01:33 - 000210352 _____ (Malwarebytes)
C:\Windows\system32\Drivers\MbamChameleon.sys
2022-09-26 00:31 - 2022-09-26 00:31 - 000000000 ____D
C:\Users\Sokka\AppData\Local\Comms
2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D
C:\Users\Sokka\AppData\Roaming\Mozilla
2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D
C:\Users\Sokka\AppData\LocalLow\Mozilla
2022-09-26 00:30 - 2022-09-26 00:30 - 000000000 ____D
C:\Users\Sokka\AppData\Local\Mozilla
2022-09-26 00:16 - 2022-09-26 22:56 - 000003588 _____
C:\Windows\system32\Tasks\OneDrive Reporting
Task-S-1-5-21-1789883001-303321401-512692908-1003
2022-09-26 00:16 - 2022-09-26 00:16 - 000000000 ____D
C:\Users\Sokka\AppData\Roaming\Logishrd
2022-09-26 00:15 - 2022-09-26 01:57 - 000000000 ____D
C:\Users\Sokka\AppData\Local\LogiOptionsPlus
2022-09-26 00:15 - 2022-09-26 00:57 - 000000000 ____D
C:\Users\Sokka\AppData\Local\D3DSCache
2022-09-26 00:15 - 2022-09-26 00:31 - 000000000 ____D
C:\Users\Sokka\AppData\Local\Packages
2022-09-26 00:15 - 2022-09-26 00:15 - 000002411 _____
C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft
Edge.lnk
2022-09-26 00:15 - 2022-09-26 00:15 - 000000020 ___SH C:\Users\Sokka\ntuser.ini
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 __SHD
C:\Users\Sokka\IntelGraphicsProfiles
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D
C:\Users\Sokka\AppData\Roaming\TinyWall
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D
C:\Users\Sokka\AppData\Roaming\Adobe
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D
C:\Users\Sokka\AppData\LocalLow\Intel
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D
C:\Users\Sokka\AppData\Local\VirtualStore
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D
C:\Users\Sokka\AppData\Local\Publishers
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D
C:\Users\Sokka\AppData\Local\ConnectedDevicesPlatform
2022-09-26 00:15 - 2022-09-26 00:15 - 000000000 ____D C:\Users\Sokka
2022-09-26 00:15 - 2022-08-16 04:55 - 000000000 ___RD C:\Users\Sokka\OneDrive
2022-09-26 00:15 - 2021-06-05 07:04 - 000001281 _____
C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Administrative Tools.lnk
2022-09-26 00:15 - 2021-06-05 07:04 - 000000407 _____
C:\Users\Sokka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File
Explorer.lnk
2022-09-26 00:12 - 2022-09-26 00:12 - 000000000 ____D
C:\Users\Public\Documents\MDMDiagnostics
2022-09-24 13:51 - 2022-09-25 22:10 - 000000000 ____D C:\TDSSKiller_Quarantine
2022-09-24 13:45 - 2022-09-24 13:45 - 005054744 _____ (AO Kaspersky Lab)
C:\Users\gngn1\Downloads\tdsskiller.exe
2022-09-24 13:43 - 2022-09-24 13:44 - 000000000 ____D C:\AdwCleaner
2022-09-24 13:43 - 2022-09-24 13:43 - 008551608 _____ (Malwarebytes)
C:\Users\gngn1\Downloads\AdwCleaner.exe
2022-09-23 11:32 - 2022-09-24 11:44 - 000000000 ____D C:\Program Files\Mozilla
Firefox
2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D
C:\Users\gngn1\AppData\Local\falkon
2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Falkon
2022-09-23 01:44 - 2022-09-23 01:44 - 000000000 ____D C:\Program Files\Falkon
2022-09-23 01:42 - 2022-09-23 01:43 - 065878530 _____
C:\Users\gngn1\Downloads\Falkon.Installer.3.1.0.x64.exe
2022-09-23 01:33 - 2022-09-23 01:33 - 000022555 _____
C:\Users\gngn1\Downloads\surf-2.1.tar.gz
2022-09-23 00:58 - 2022-09-23 00:58 - 001418600 _____ (Thomas E Dickey )
C:\Users\gngn1\Downloads\lynx-newssl-setup.exe
2022-09-22 22:51 - 2022-09-22 22:52 - 000000000 ___HD C:\adobeTemp
2022-09-22 13:36 - 2022-09-22 13:36 - 029933858 _____
C:\Users\gngn1\AppData\LocalLow\wbk28E7.tmp
2022-09-22 12:12 - 2022-06-27 00:17 - 004946512 _____ (Intel Corporation)
C:\Windows\system32\Drivers\Netwtw10.sys
2022-09-22 12:12 - 2022-06-27 00:17 - 001626200 _____ (Intel Corporation)
C:\Windows\system32\IntelIHVRouter10.dll
2022-09-22 12:12 - 2022-06-25 21:53 - 055467080 _____
C:\Windows\system32\Drivers\Netwfw10.dat
2022-09-22 11:21 - 2022-09-26 00:14 - 000000000 ____D
C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64
2022-09-22 11:21 - 2022-09-22 11:21 - 001804512 _____
C:\Users\gngn1\Downloads\Everything-1.4.1.1020.x64.zip
2022-09-21 22:30 - 2022-09-21 22:30 - 000003842 _____
C:\Windows\system32\Tasks\EOSv3 Scheduler onLogOn
2022-09-21 22:30 - 2022-09-21 22:30 - 000003400 _____
C:\Windows\system32\Tasks\EOSv3 Scheduler onTime
2022-09-21 16:58 - 2022-09-21 16:58 - 015274968 _____ (ESET)
C:\Users\gngn1\Desktop\esetonlinescanner.exe
2022-09-21 16:58 - 2022-09-21 16:58 - 000001290 _____
C:\Users\gngn1\Desktop\ESET Online Scanner.lnk
2022-09-19 19:18 - 2022-09-19 19:18 - 000134259 _____
C:\Users\gngn1\Downloads\Beautiful identical blondes *****ing - XNXX.COM.mp4
2022-09-19 08:17 - 2022-09-19 08:17 - 000131268 _____
C:\Users\gngn1\Downloads\Blonde Blows and Toes - XNXX.COM.mp4
2022-09-19 02:21 - 2022-09-19 02:21 - 000132024 _____
C:\Users\gngn1\Downloads\Mad land owner put sexy brunette student in bondage and
roug.mp4
2022-09-19 02:09 - 2022-09-19 02:09 - 000133819 _____
C:\Users\gngn1\Downloads\Femdom Pegging With Big Strapon - XNXX.COM.mp4
2022-09-17 02:23 - 2022-09-17 02:23 - 000000986 _____
C:\Users\Public\Desktop\PotPlayer 64 bit.lnk
2022-09-15 15:14 - 2022-09-15 15:14 - 000004158 _____
C:\Windows\system32\Tasks\Opera scheduled assistant Autoupdate 1638694264
2022-09-13 21:17 - 2022-09-13 21:17 - 000335872 _____
C:\Windows\system32\Windows.Management.InprocObjects.dll
2022-09-13 21:17 - 2022-09-13 21:17 - 000015030 _____
C:\Windows\system32\DrtmAuthTxt.wim
2022-09-13 21:15 - 2022-09-13 21:15 - 000000000 ___HD C:\$WinREAgent
2022-09-13 13:14 - 2022-09-13 13:14 - 000000000 ____D
C:\Users\gngn1\AppData\Local\FirmwareUpdateTool
2022-09-12 23:57 - 2022-09-28 22:58 - 000000000 ____D
C:\Users\gngn1\AppData\Local\LogiOptionsPlus
2022-09-12 23:57 - 2022-09-22 14:29 - 000000000 ____D
C:\Users\gngn1\AppData\Roaming\logioptionsplus
2022-09-12 23:57 - 2022-09-12 23:58 - 000000000 ____D C:\Program
Files\LogiOptionsPlus
2022-09-12 23:57 - 2022-09-12 23:57 - 000000931 _____
C:\Users\Public\Desktop\Logi Options+.lnk
2022-09-12 23:57 - 2022-09-12 23:57 - 000000000 ____D
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logi
2022-09-12 23:57 - 2022-09-12 23:57 - 000000000 ____D
C:\ProgramData\LogiOptionsPlus
2022-09-07 09:15 - 2022-09-07 09:15 - 000003946 _____
C:\Windows\system32\Tasks\Opera scheduled Autoupdate 1638694259
2022-09-07 09:15 - 2022-09-07 09:15 - 000001075 _____
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk
2022-09-02 20:34 - 2022-09-02 20:41 - 000000000 ____D
C:\Users\gngn1\AppData\Roaming\Wireshark
2022-09-02 20:32 - 2022-09-02 20:32 - 000003460 _____
C:\Windows\system32\Tasks\npcapwatchdog
2022-09-02 20:32 - 2022-09-02 20:32 - 000001789 _____
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Windows\SysWOW64\Npcap
2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Windows\system32\Npcap
2022-09-02 20:32 - 2022-09-02 20:32 - 000000000 ____D C:\Program Files\USBPcap
2022-09-02 20:31 - 2022-09-02 20:33 - 000000000 ____D C:\Program Files\Wireshark
2022-09-02 20:31 - 2022-09-02 20:32 - 000000000 ____D C:\Program Files\Npcap
2022-09-02 20:27 - 2022-09-02 20:28 - 077256616 _____ (Wireshark development
team) C:\Users\gngn1\Downloads\Wireshark-win64-3.6.7.exe
2022-09-01 10:21 - 2022-09-28 15:26 - 000000000 ____D C:\AITEMP
2022-09-01 08:50 - 2022-09-21 16:58 - 000001396 _____
C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online
Scanner.lnk
2022-09-01 08:50 - 2022-09-21 16:58 - 000000000 ____D
C:\Users\gngn1\AppData\Local\ESET

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-09-29 00:15 - 2022-01-11 17:07 - 000000000 ____D
C:\Users\gngn1\Documents\Outlook Files
2022-09-29 00:12 - 2021-12-15 02:36 - 000000000 ____D
C:\Users\gngn1\AppData\Roaming\TinyWall
2022-09-28 23:59 - 2021-06-05 07:10 - 000000000 ____D
C:\ProgramData\regid.1991-06.com.microsoft
2022-09-28 23:47 - 2021-06-05 07:10 - 000000000 ___HD C:\Program
Files\WindowsApps
2022-09-28 23:47 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\AppReadiness
2022-09-28 23:11 - 2021-12-06 03:03 - 000000000 ____D
C:\Users\gngn1\AppData\Local\ClassicShell
2022-09-28 23:08 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SystemTemp
2022-09-28 23:03 - 2021-12-15 02:36 - 000000000 ____D C:\ProgramData\TinyWall
2022-09-28 23:03 - 2021-12-05 03:50 - 000000000 ____D C:\Program Files\Opera
2022-09-28 23:03 - 2021-11-09 18:32 - 000980092 _____
C:\Windows\system32\PerfStringBackup.INI
2022-09-28 23:03 - 2021-06-05 07:09 - 000000000 ____D C:\Windows\INF
2022-09-28 22:58 - 2022-03-27 14:36 - 000000000 ____D C:\Intel
2022-09-28 22:58 - 2021-12-05 03:54 - 000000000 ____D C:\Program Files
(x86)\TeamViewer
2022-09-28 22:58 - 2021-12-05 03:23 - 000000000 ___RD C:\Users\gngn1\OneDrive
2022-09-28 22:58 - 2021-11-09 18:28 - 000012288 ___SH C:\DumpStack.log.tmp
2022-09-28 22:58 - 2021-11-09 18:28 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2022-09-28 22:57 - 2022-03-27 11:47 - 000692370 _____ C:\Windows\ntbtlog.txt
2022-09-28 22:57 - 2021-06-05 07:01 - 000786432 _____
C:\Windows\system32\config\BBI
2022-09-28 22:38 - 2021-12-05 03:10 - 000000000 ____D C:\Users\gngn1
2022-09-28 22:36 - 2021-12-15 02:18 - 000000000 ____D
C:\Users\gngn1\AppData\LocalLow\Mozilla
2022-09-28 22:34 - 2022-03-25 05:54 - 000000000 ____D
C:\Users\gngn1\AppData\Roaming\TeraCopy
2022-09-28 22:27 - 2021-11-09 18:28 - 000000000 ____D
C:\Windows\system32\SleepStudy
2022-09-28 13:46 - 2022-01-12 13:20 - 000000000 ___RD C:\Users\gngn1\Creative
Cloud Files
2022-09-28 13:35 - 2022-03-11 04:25 - 000036208 _____ (Sysinternals -
www.sysinternals.com) C:\Windows\system32\Drivers\PROCEXP152.SYS
2022-09-27 22:25 - 2021-12-05 03:22 - 000000000 ____D
C:\Users\gngn1\AppData\Local\D3DSCache
2022-09-27 22:08 - 2021-12-05 03:22 - 000000000 ____D
C:\Users\gngn1\AppData\Local\Packages
2022-09-27 22:08 - 2021-11-09 18:29 - 000000000 ____D C:\ProgramData\Packages
2022-09-27 22:06 - 2022-08-17 08:58 - 000000000 ____D C:\Program Files\Microsoft
OneDrive
2022-09-27 21:15 - 2022-03-11 04:10 - 000000000 ____D C:\sysinternals
2022-09-26 22:56 - 2021-12-15 00:05 - 000003588 _____
C:\Windows\system32\Tasks\OneDrive Reporting
Task-S-1-5-21-1789883001-303321401-512692908-1001
2022-09-26 12:34 - 2022-04-06 22:49 - 000001623 _____
C:\Windows\system32\config\VSMIDK
2022-09-26 09:15 - 2021-06-05 07:10 - 000000000 ____D
C:\Windows\LiveKernelReports
2022-09-26 03:16 - 2022-02-07 01:19 - 000003118 _____
C:\Windows\system32\Tasks\OneDrive Reporting
Task-S-1-5-21-1789883001-303321401-512692908-1002
2022-09-26 02:18 - 2022-02-12 00:36 - 000000000 ____D
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38
2022-09-26 02:05 - 2022-01-08 17:39 - 000000000 ____D
C:\Users\gngn1\AppData\Local\CrashDumps
2022-09-26 00:31 - 2021-06-05 07:10 - 000000000 ___RD C:\Windows\PrintDialog
2022-09-26 00:15 - 2021-11-09 18:52 - 000000000 __RHD
C:\Users\Public\AccountPictures
2022-09-26 00:15 - 2021-06-05 07:10 - 000000000 ___RD
C:\Windows\ImmersiveControlPanel
2022-09-25 23:22 - 2021-12-05 03:22 - 000000000 ____D
C:\Users\gngn1\AppData\Roaming\Adobe
2022-09-24 22:56 - 2021-06-05 07:01 - 000000000 ____D C:\Windows\CbsTemp
2022-09-24 11:44 - 2021-12-05 03:50 - 000000000 ____D C:\Program Files
(x86)\Mozilla Maintenance Service
2022-09-24 11:44 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\ServiceState
2022-09-23 13:32 - 2021-12-05 03:50 - 000001007 _____
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2022-09-23 13:32 - 2021-12-05 03:50 - 000000000 ____D
C:\Windows\system32\Tasks\Mozilla
2022-09-23 12:35 - 2021-06-05 07:10 - 000000000 ____D
C:\Windows\system32\SecurityHealth
2022-09-22 21:52 - 2022-07-08 12:14 - 000000000 ____D
C:\ProgramData\boost_interprocess
2022-09-22 13:38 - 2022-01-11 17:45 - 000000000 ____D
C:\Users\gngn1\AppData\Roaming\vlc
2022-09-22 11:18 - 2022-08-04 21:50 - 000000000 ____D
C:\Users\gngn1\AppData\Roaming\QtProject
2022-09-21 12:09 - 2021-12-22 14:02 - 000000000 ____D
C:\Users\gngn1\AppData\Roaming\Telegram Desktop
2022-09-21 12:02 - 2022-01-04 03:43 - 000000000 ____D
C:\Users\gngn1\AppData\Roaming\Spotify
2022-09-21 12:00 - 2022-01-15 00:13 - 000000000 ____D
C:\Users\gngn1\AppData\Local\Spotify
2022-09-20 17:51 - 2022-05-25 03:10 - 000000000 ____D C:\Users\gngn1\dwhelper
2022-09-18 02:58 - 2021-11-09 18:41 - 000000000 ____D C:\Program Files\Microsoft
Office
2022-09-16 09:26 - 2022-02-19 22:29 - 001285856 _____
C:\Windows\system32\FNTCACHE.DAT
2022-09-16 09:26 - 2022-02-03 16:36 - 000000000 ____D C:\ProgramData\Logishrd
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SysWOW64\Dism
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\SystemResources
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\setup
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\oobe
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\Dism
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\system32\DDFs
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D
C:\Windows\system32\appraiser
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\Provisioning
2022-09-16 09:25 - 2021-06-05 07:10 - 000000000 ____D C:\Windows\bcastdvr
2022-09-13 21:21 - 2021-12-06 16:53 - 000000000 ____D C:\Windows\system32\MRT
2022-09-13 21:19 - 2021-12-06 16:53 - 141646296 ____C (Microsoft Corporation)
C:\Windows\system32\MRT.exe
2022-09-13 21:17 - 2021-11-09 18:31 - 003103744 _____ (Microsoft Corporation)
C:\Windows\SysWOW64\PrintConfig.dll
2022-09-13 02:12 - 2022-01-12 13:12 - 000000000 ____D C:\Program Files\Common
Files\Adobe
2022-09-07 04:33 - 2021-11-09 18:28 - 000000000 ____D
C:\Windows\system32\Drivers\wd

==================== Files in the root of some directories ========

2022-06-23 03:39 - 2022-06-23 03:39 - 000000036 _____ ()
C:\Users\gngn1\AppData\Local\.__explain_this_is_writeable_not_delete__
2021-12-06 02:51 - 2022-08-25 23:21 - 000007686 _____ ()
C:\Users\gngn1\AppData\Local\Resmon.ResmonCfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-08-2022
Ran by God (29-09-2022 00:16:53)
Running from C:\Users\gngn1\Desktop
Microsoft Windows 11 Home Version 21H2 22000.978 (X64) (2021-12-05 08:22:38)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-1789883001-303321401-512692908-500 - Administrator -
Disabled)
DefaultAccount (S-1-5-21-1789883001-303321401-512692908-503 - Limited -
Disabled)
God (S-1-5-21-1789883001-303321401-512692908-1001 - Administrator - Enabled) =>
C:\Users\gngn1
Guest (S-1-5-21-1789883001-303321401-512692908-501 - Limited - Disabled)
Sokka (S-1-5-21-1789883001-303321401-512692908-1003 - Limited - Enabled) =>
C:\Users\Sokka
WDAGUtilityAccount (S-1-5-21-1789883001-303321401-512692908-504 - Limited -
Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date)
{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to
unhide them. The adware programs should be uninstalled manually.)

7-Zip 19.00 (x64 edition) (HKLM\...\{23170F69-40C1-2702-1900-000001000000})
(Version: 19.00.00.0 - Igor Pavlov)
7-Zip 21.06 (x64) (HKLM\...\7-Zip) (Version: 21.06 - Igor Pavlov)
Adobe Bridge 2022 (HKLM-x32\...\KBRG_12_0_1) (Version: 12.0.1 - Adobe Inc.)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 5.8.0.592 -
Adobe Inc.)
Adobe Illustrator 2022 (HKLM-x32\...\ILST_26_0_2) (Version: 26.0.2 - Adobe Inc.)
Adobe Premiere Rush (HKLM-x32\...\RUSH_2_0) (Version: 2.0 - Adobe Inc.)
Apple Mobile Device Support (HKLM\...\{527DD209-8A66-482F-8779-C7B3BACCA8F1})
(Version: 15.0.0.16 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{A3985C05-7386-411F-A4BF-32A73F37EB44})
(Version: 2.6.3.1 - Apple Inc.)
Audacity 3.1.2 (HKLM\...\Audacity_is1) (Version: 3.1.2 - Audacity Team)
Autopsy (HKLM\...\{1633CA1B-52C0-47B5-9A31-5A7764F4BA83}) (Version: 4.19.3 - The
Sleuth Kit)
Classic Shell (HKLM\...\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}) (Version: 4.3.1
- IvoSoft)
Dell SupportAssist OS Recovery Plugin for Dell Update
(HKLM-x32\...\{ec40a028-983b-4213-af2c-77ed6f6fe1d5}) (Version: 5.4.1.14954 -
Dell Inc.)
Dell SupportAssist Remediation
(HKLM-x32\...\{0b3f567c-a2ee-437a-861f-bb6da9f2111b}) (Version: 5.5.0.16046 -
Dell Inc.)
Dynamic Application Loader Host Interface Service
(HKLM\...\{A28339C8-E641-4CCE-A316-56F405D1C245}) (Version: 1.0.0.0 - Intel
Corporation) Hidden
EaseUS MobiSaver 8.0.2 (HKLM-x32\...\EaseUS MobiSaver_is1) (Version:  - EaseUS)
EaseUS MobiUnlock 3.0.1 (HKLM-x32\...\EaseUS MobiUnlock_is1) (Version:  -
EaseUS)
Falkon 3.1.0 x64 (HKLM-x32\...\Falkon) (Version: 3.1.0 x64 - Falkon Team)
FastStone Image Viewer 7.5 (HKLM-x32\...\FastStone Image Viewer) (Version: 7.5 -
FastStone Soft)
FileZilla Client 3.58.0 (HKLM-x32\...\FileZilla Client) (Version: 3.58.0 - Tim
Kosse)
Fusion Service (HKLM\...\{599709E7-DD10-4FF5-96D5-7C6F6B5F62C0}) (Version:
1.92.22.0 - Dell.Inc) Hidden
Fusion Service (HKLM-x32\...\{81ce0187-37c1-4c23-8387-44454e1796ad}) (Version:
1.92.22.0 - Dell.Inc)
Google Earth Pro (HKLM\...\{C36E66A6-6EE5-47DB-945F-A6F03225D540}) (Version:
7.3.4.8573 - Google)
Intel(R) LMS (HKLM\...\{A0983640-26D2-4CD8-A512-747BF3CF3F82}) (Version: 1.0.0.0
- Intel Corporation) Hidden
Intel(R) Management Engine Components
(HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 2101.15.0.2080 -
Intel Corporation)
iTunes (HKLM\...\{0B3CC856-3A62-443A-B6CE-DED2D4495D56}) (Version: 12.12.2.2 -
Apple Inc.)
Jump Desktop (HKLM\...\{388F7980-94E2-4BAD-9123-F07E05BD16A2}) (Version:
8.4.27.0 - Phase Five Systems)
Jump Desktop Connect (HKLM-x32\...\{081CADBE-4FE4-4AA9-A187-221A03078C6A})
(Version: 6.7.69.0 - Phase Five Systems)
Logi Options+ (HKLM\...\{850cdc16-85df-4052-b06e-4e3e9e83c5c6}) (Version:
1.22.5550 - Logitech)
Logitech Options (HKLM\...\LogiOptions) (Version: 9.60.87 - Logitech)
Malwarebytes version 4.4.11.149
(HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.4.11.149 -
Malwarebytes)
Microsoft 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version:
16.0.15601.20148 - Microsoft Corporation)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 105.0.1343.53 - Microsoft
Corporation)
Microsoft OneDrive (HKLM\...\OneDriveSetup.exe) (Version: 22.191.0911.0001 -
Microsoft Corporation)
Microsoft OneNote - en-us (HKLM\...\OneNoteFreeRetail - en-us) (Version:
16.0.15601.20148 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{6A2A8076-135F-4F55-BB02-DED67C8C6934})
(Version: 4.67.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
(HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 -
Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
(HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 -
Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
(HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 -
Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
(HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 -
Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030
(HKLM\...\{37B8F9C7-03FB-3253-8781-2517C99D7C00}) (Version: 11.0.61030 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030
(HKLM\...\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}) (Version: 11.0.61030 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
(HKLM-x32\...\{B175520C-86A2-35A7-8619-86DC379688B9}) (Version: 11.0.61030 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
(HKLM-x32\...\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}) (Version: 11.0.61030 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664
(HKLM-x32\...\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}) (Version: 12.0.40664.0 -
Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664
(HKLM-x32\...\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}) (Version: 12.0.40664.0 -
Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664
(HKLM\...\{010792BA-551A-3AC0-A7EF-0FAB4156C382}) (Version: 12.0.40664 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664
(HKLM\...\{53CF6934-A98D-3D84-9146-FC4EDF3D5641}) (Version: 12.0.40664 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664
(HKLM-x32\...\{D401961D-3A20-3AC7-943B-6139D5BD490A}) (Version: 12.0.40664 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664
(HKLM-x32\...\{8122DAB1-ED4D-3676-BB0A-CA368196543E}) (Version: 12.0.40664 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326
(HKLM-x32\...\{2d507699-404c-4c8b-a54a-38e352f32cdd}) (Version: 14.32.31326.0 -
Microsoft Corporation)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.32.31326
(HKLM-x32\...\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}) (Version: 14.32.31326.0 -
Microsoft Corporation)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.32.31326
(HKLM\...\{38624EB5-356D-4B08-8357-C33D89A5C0C5}) (Version: 14.32.31326 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.32.31326
(HKLM\...\{C96241EA-9900-4FE8-85B3-1E238D509DF6}) (Version: 14.32.31326 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.32.31326
(HKLM-x32\...\{A250E750-DB3F-40C1-8460-8EF77C7582DA}) (Version: 14.32.31326 -
Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.32.31326
(HKLM-x32\...\{46E11E7F-01E1-44D0-BB86-C67342D253DD}) (Version: 14.32.31326 -
Microsoft Corporation) Hidden
Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
(HKLM\...\{7C0242A3-8B66-35D1-9FE0-13B426ACB609}) (Version: 10.0.60729 -
Microsoft Corporation) Hidden
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft
Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.60724 -
Microsoft Corporation)
Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 105.0.1 (x64 en-US))
(Version: 105.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version:
94.0.2 - Mozilla)
Npcap (HKLM-x32\...\NpcapInst) (Version: 1.60 - Nmap Project)
Office 16 Click-to-Run Extensibility Component
(HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.15601.20064 -
Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component
(HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.15601.20148 -
Microsoft Corporation) Hidden
Opera Stable 90.0.4480.84 (HKLM-x32\...\Opera 90.0.4480.84) (Version:
90.0.4480.84 - Opera Software)
PotPlayer-64 bit (HKLM\...\PotPlayer64) (Version: 220914 - Kakao Corp.)
PuTTY release 0.76 (64-bit) (HKLM\...\{1E0D5689-40F1-4E46-ABBB-EAAC68B5CD89})
(Version: 0.76.0.0 - Simon Tatham)
qBittorrent 4.3.9 (HKLM-x32\...\qBittorrent) (Version: 4.3.9 - The qBittorrent
project)
Revo Uninstaller 2.3.8 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1)
(Version: 2.3.8 - VS Revo Group, Ltd.)
Spotify (HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\Spotify) (Version:
1.1.94.870.gf994cb0b - Spotify AB)
SumatraPDF (HKLM\...\SumatraPDF) (Version: 3.3.3 - Krzysztof Kowalczyk)
TeamViewer (HKLM-x32\...\TeamViewer) (Version: 15.24.5 - TeamViewer)
Telegram Desktop version 4.1.1
(HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1)
(Version: 4.1.1 - Telegram FZ-LLC)
TeraCopy (HKLM\...\{F8B0BB18-B1E6-4821-8C5B-883AA5DE3EEA}) (Version: 3.9.0 -
Code Sector)
TinyWall (HKLM-x32\...\{6A366BCB-2A38-4D2A-80FD-A5E0C32C97C8}) (Version: 3.2.3.0
- Károly Pados)
USBPcap 1.5.4.0 (HKLM\...\USBPcap) (Version: 1.5.4.0 - Tomasz Mon)
UXP WebView Support (HKLM-x32\...\UXPW_1_1_0) (Version: 1.1.0 - Adobe Inc.)
VdhCoApp 1.6.3 (HKLM\...\weh-iss-net.downloadhelper.coapp_is1) (Version:  -
DownloadHelper)
VLC media player (HKLM\...\VLC media player) (Version: 3.0.16 - VideoLAN)
WinDirStat 1.1.2
(HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\WinDirStat) (Version:  - )
WinMerge 2.16.16.0 x64 (HKLM\...\WinMerge_is1) (Version: 2.16.16.0 -
Thingamahoochie Software)
WinRAR 6.02 (64-bit) (HKLM\...\WinRAR archiver) (Version: 6.02.0 - win.rar GmbH)
Wireshark 3.6.7 64-bit (HKLM-x32\...\Wireshark) (Version: 3.6.7 - The Wireshark
developer community, hxxps://www.wireshark.org)
XnView 2.50.4 (HKLM-x32\...\XnView_is1) (Version: 2.50.4 - Gougelet Pierre-e)
Zoom (HKLM-x32\...\{1B8D4A17-201A-4113-A512-B7DEEF293AF1}) (Version: 5.8.2048 -
Zoom)

Packages:
=========
Adobe Notification Client -> C:\Program
Files\WindowsApps\AdobeNotificationClient_3.0.1.1_x86__enpm4xejd91yc
[2022-04-28] (Adobe Systems Incorporated)
Dell Mobile Connect -> C:\Program
Files\WindowsApps\ScreenovateTechnologies.DellMobileConnectPlus_4.1.8330.0_x64__0vhbc3ng4wbp0
[2022-09-26] (Screenovate Technologies)
Intel® Optane™ Memory and Storage Management -> C:\Program
Files\WindowsApps\AppUp.IntelOptaneMemoryandStorageManagement_18.1.1032.0_x64__8j3eq9eme6ctt
[2022-09-26] (INTEL CORP)
MPEG-2 Video Extension -> C:\Program
Files\WindowsApps\Microsoft.MPEG2VideoExtension_1.0.50901.0_x64__8wekyb3d8bbwe
[2022-09-26] (Microsoft Corporation)
Photos Media Engine Add-on -> C:\Program
Files\WindowsApps\Microsoft.Photos.MediaEngineDLC_1.0.0.0_x64__8wekyb3d8bbwe
[2022-04-02] (Microsoft Corporation)
Power Automate -> C:\Program
Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.4447.0_x64__8wekyb3d8bbwe
[2022-09-26] (Microsoft Corporation) [Startup Task]
Unigram—Telegram for Windows -> C:\Program
Files\WindowsApps\38833FF26BA1D.UnigramPreview_8.9.7687.0_x64__g9c9v27vpyspw
[2022-09-05] (Unigram, Inc.) [Startup Task]

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry.
The file will not be moved unless listed separately.)

CustomCLSID:
HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-231FB76D9980}
-> [Creative Cloud Files] => C:\Users\gngn1\Creative Cloud Files [2022-01-12
13:20]
CustomCLSID:
HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{23B3E3D8-C162-4A8B-AB0C-0905DCB1DF19}\InprocServer32
->
C:\Users\gngn1\AppData\Local\Packages\Microsoft.PowerAutomateDesktop_8wekyb3d8bbwe\TempState\RDP\DVCPlugin\x64\Microsoft.Flow.RPA.Desktop.UIAutomation.RDP.DVC.Plugin.dll
(Microsoft Corporation -> )
CustomCLSID:
HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{2F81B25E-7507-4844-BFF2-77D2CC24CED4}\localserver32
-> C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe (Adobe
Inc. -> Adobe Inc.)
CustomCLSID:
HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{375360E1-2D4B-4DEB-9C05-B3A3CA553923}\InprocServer32
-> C:\Program Files\Mozilla Firefox\notificationserver.dll (Mozilla Corporation
-> Mozilla Foundation)
CustomCLSID:
HKU\S-1-5-21-1789883001-303321401-512692908-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32
-> C:\Program Files (x86)\Adobe\Adobe Creative
Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Inc. -> Adobe Systems)
ShellIconOverlayIdentifiers: [    OneDrive1] ->
{BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive2] ->
{5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive3] ->
{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive4] ->
{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive5] ->
{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive6] ->
{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [    OneDrive7] ->
{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [   AccExtIco1] ->
{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Common
Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> )
ShellIconOverlayIdentifiers: [   AccExtIco2] ->
{853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Common
Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> )
ShellIconOverlayIdentifiers: [   AccExtIco3] ->
{42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Common
Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-09-07] (Adobe Inc. -> )
ShellIconOverlayIdentifiers: [  OptaneIconOverlay] ->
{A3AF6F6C-8BED-3D93-8B5D-33427B5D38E9} =>
C:\Windows\System32\DriverStore\FileRepository\iastorpinningcomponent.inf_amd64_ff8d0bd695f4bb2e\OptaneShellExt.dll
[2022-02-07] (Intel Corporation -> )
ShellIconOverlayIdentifiers-x32: [    OneDrive1] ->
{BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive2] ->
{5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive3] ->
{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive4] ->
{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive5] ->
{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive6] ->
{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [    OneDrive7] ->
{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Program Files\Microsoft
OneDrive\22.191.0911.0001\FileSyncShell64.dll [2022-09-26] (Microsoft
Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>
C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll
[2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>
C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed]
ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} =>
C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll
[2022-09-07] (Adobe Inc. -> )
ContextMenuHandlers1: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} =>
C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector)
ContextMenuHandlers1: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} =>
C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka
-> hxxps://winmerge.org)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} =>
C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH -> Alexander
Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA}
=> C:\Program Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -> Alexander
Roshal)
ContextMenuHandlers2: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} =>
C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector)
ContextMenuHandlers2: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} =>
C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka
-> hxxps://winmerge.org)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} =>
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-12-05]
(Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers3: [OptaneContextMenu] ->
{AD7EBB13-617D-3270-8FA8-46583499C4FB} =>
C:\Windows\System32\DriverStore\FileRepository\iastorpinningcomponent.inf_amd64_ff8d0bd695f4bb2e\OptaneShellExt.dll
[2022-02-07] (Intel Corporation -> )
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>
C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll
[2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>
C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed]
ContextMenuHandlers4: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} =>
C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector)
ContextMenuHandlers4: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} =>
C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka
-> hxxps://winmerge.org)
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>
C:\Program Files\Microsoft OneDrive\22.191.0911.0001\FileSyncShell64.dll
[2022-09-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers5: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} =>
C:\Program Files\WinMerge\ShellExtensionX64.dll [2021-10-02] (Takashi Sawanaka
-> hxxps://winmerge.org)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>
C:\Program Files\7-Zip\7-zip.dll [2021-11-24] (Igor Pavlov) [File not signed]
ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} =>
C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll
[2022-09-07] (Adobe Inc. -> )
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} =>
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-12-05]
(Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B}
=> C:\Windows\system32\StartMenuHelper64.dll [2017-08-13] (Ivaylo Beltchev ->
IvoSoft) [File not signed]
ContextMenuHandlers6: [TeraCopy] -> {2386CB87-96FF-473D-A009-957E3BFE6F88} =>
C:\Program Files\TeraCopy\Context.dll [2021-04-21] (Code Sector -> Code Sector)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} =>
C:\Program Files\WinRAR\rarext.dll [2021-06-11] (win.rar GmbH -> Alexander
Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA}
=> C:\Program Files\WinRAR\rarext32.dll [2021-06-11] (win.rar GmbH -> Alexander
Roshal)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2022-02-21 11:25 - 2022-02-21 11:25 - 000144896 _____ () [File not signed]
C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\libssh2.dll
2022-02-21 11:25 - 2022-02-21 11:25 - 000077824 _____ () [File not signed]
C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\zlib.dll
2021-12-05 03:51 - 2021-11-24 09:00 - 000093696 _____ (Igor Pavlov) [File not
signed] C:\Program Files\7-Zip\7-zip.dll
2017-08-13 09:49 - 2017-08-13 09:49 - 003664184 _____ (Ivaylo Beltchev ->
IvoSoft) [File not signed] C:\Program Files\Classic
Shell\ClassicStartMenuDLL.dll
2017-08-13 09:49 - 2017-08-13 09:49 - 000291128 _____ (Ivaylo Beltchev ->
IvoSoft) [File not signed] C:\Windows\system32\StartMenuHelper64.dll
2021-11-09 18:41 - 2021-11-09 18:41 - 000000000 ____L (Microsoft Corporation)
[simlink -> C:\Program Files\Common Files\Microsoft
Shared\ClickToRun\AppvIsvSubsystems64.dll] C:\Program Files\Microsoft
Office\Root\Office16\AppVIsvSubsystems64.dll
2021-11-09 18:41 - 2021-11-09 18:41 - 000000000 ____L (Microsoft Corporation)
[simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2R64.dll]
C:\Program Files\Microsoft Office\Root\Office16\c2r64.dll
2022-01-07 10:41 - 2022-01-07 10:41 - 013733888 _____ (Phase Five Systems) [File
not signed] C:\Program Files (x86)\Phase Five Systems\Jump Desktop
Connect\6.7.69.0\JumpConnectCore.dll
2022-02-21 11:25 - 2022-02-21 11:25 - 000355840 _____ (The cURL library,
hxxp://curl.haxx.se/) [File not signed]
C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\LIBCURL.dll
2022-02-21 11:25 - 2022-02-21 11:25 - 002286747 _____ (The OpenSSL Project,
hxxp://www.openssl.org/) [File not signed]
C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\LIBEAY32.dll
2022-02-21 11:25 - 2022-02-21 11:25 - 000416627 _____ (The OpenSSL Project,
hxxp://www.openssl.org/) [File not signed]
C:\ProgramData\Logishrd\LogiOptions\Software\Current\laclient\SSLEAY32.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry.
The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AutorunsDisabled =>
"AlternateShell"="cmd.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\65395606.sys =>
""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService =>
""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\65395606.sys =>
""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService =>
""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

URLSearchHook: [S-1-5-21-1789883001-303321401-512692908-1001] ATTENTION =>
Default URLSearchHook is missing
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
BHO-x32: Skype for Business Browser Helper ->
{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft
Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll
[2022-08-16] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} -
C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08]
(Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} -
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft
Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft
Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program
Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft
Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program
Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft
Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft
Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program
Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft
Corporation -> Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} -
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft
Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft
Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program
Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-09-08] (Microsoft
Corporation -> Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program
Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft
Office\Office16\MSOSB.DLL [2022-09-08] (Microsoft Corporation -> Microsoft
Corporation)

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2021-06-05 07:08 - 2021-10-11 02:45 - 000334861 _____
C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost

There are 8702 more lines.


2022-01-20 10:16 - 2022-08-07 23:11 - 000000374 _____
C:\Windows\system32\drivers\etc\hosts.ics

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1789883001-303321401-512692908-1001\Control
Panel\Desktop\\Wallpaper ->
C:\Users\gngn1\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
HKU\S-1-5-21-1789883001-303321401-512692908-1003\Control
Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 9.9.9.9 - 149.112.112.112
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System =>
(ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled:
)
Windows Firewall is enabled.

Network Binding:
=============
Ethernet: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled) 
Bluetooth Network Connection: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP
(enabled) 
Wi-Fi: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled) 
Wi-Fi: Npcap Packet Driver (NPCAP) (Wi-Fi) -> INSECURE_NPCAP_WIFI (enabled) 

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKLM\...\StartupApproved\Run: => "Everything"
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run: => "Opera Browser Assistant"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run32: => "Adobe CCXProcess"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "Opera Browser Assistant"
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\StartupFolder:
=> "Send to OneNote.lnk"
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: =>
"MicrosoftEdgeAutoLaunch_C0A32B37347337D257B1541CA93F7472"
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: =>
"Spotify"
HKU\S-1-5-21-1789883001-303321401-512692908-1001\...\StartupApproved\Run: =>
"Speech Recognition"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry.
The file will not be moved unless listed separately.)

FirewallRules: [Microsoft-Windows-Unified-Telemetry-Client] => (Block)
C:\Windows\system32\svchost.exe (Microsoft Windows Publisher -> Microsoft
Corporation)
FirewallRules: [{C2A5E20E-1F04-4D7D-ADAA-9026D35A3B26}] => (Allow) C:\Program
Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{027E032D-A7ED-45B3-AB1D-5C808C685D7A}] => (Allow) C:\Program
Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{4665FCD0-7E10-41E1-90FE-309580DEF7CD}] => (Allow) C:\Program
Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation ->
Microsoft Corporation)
FirewallRules: [{1E860482-8990-4E25-9246-9A99F50B6E0E}] => (Allow) C:\Program
Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe
(PhaseFive Systems LLC -> Phase Five Systems)
FirewallRules: [{380E5FDE-93A1-4238-BE5C-FEF5E36946D7}] => (Allow) C:\Program
Files (x86)\Phase Five Systems\Jump Desktop Connect\6.7.69.0\JumpConnect.exe
(PhaseFive Systems LLC -> Phase Five Systems)
FirewallRules: [{B5C81192-EC77-485C-99B4-B8AAB7195F28}] => (Allow)
C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.EXE
(Logitech Inc -> Logitech, Inc.)
FirewallRules: [{93AB2033-C6B3-4FC4-9928-E46BFC60D137}] => (Allow) C:\Program
Files\WindowsApps\MicrosoftTeams_22055.502.1226.2344_x64__8wekyb3d8bbwe\msteams.exe
(Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{97046305-7548-4DED-B501-487DBADD4D15}] => (Allow) C:\Program
Files\WindowsApps\MicrosoftTeams_22055.502.1226.2344_x64__8wekyb3d8bbwe\msteams.exe
(Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{EA21E87C-9F2A-4449-8408-C08AF06912CD}] => (Allow) C:\Program
Files\Bonjour\mDNSResponder.exe => No File
FirewallRules: [{EF0DC3B7-2A94-41EF-9F5A-7678A08AD664}] => (Allow) C:\Program
Files\Bonjour\mDNSResponder.exe => No File
FirewallRules: [{2AE5D8DA-0340-43A6-A8DB-4DC1A0D30C42}] => (Allow) C:\Program
Files\Opera\90.0.4480.54\opera.exe (Opera Norway AS -> Opera Software)
FirewallRules: [{8FEE7E9A-04FF-4D4E-9C6E-0149217D6928}] => (Allow) C:\Program
Files\Opera\90.0.4480.84\opera.exe (Opera Norway AS -> Opera Software)
FirewallRules: [{BC39B814-683D-46EE-9ECB-9C7F751AA32E}] => (Allow) C:\Program
Files\LogiOptionsPlus\logioptionsplus_agent.exe (Logitech Inc -> Logitech, Inc.)

==================== Restore Points =========================

28-09-2022 23:00:02 Removed Bonjour
28-09-2022 23:01:27 Removed 7-Zip 19.00 (x64 edition)

==================== Faulty Device Manager Devices ============

Name: Realtek PCIe GbE Family Controller
Description: Realtek PCIe GbE Family Controller
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Realtek
Service: rt640x64
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device".
This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: ========================

Application errors:
==================
Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID
{4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started.
[0x8007045b, A system shutdown is in progress.
]

Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

Error: (09/28/2022 10:38:42 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID
{4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started.
[0x8007045b, A system shutdown is in progress.
]

Error: (09/28/2022 01:39:17 PM) (Source: Application Hang) (EventID: 1002)
(User: )
Description: The program explorer.exe version 10.0.22000.978 stopped interacting
with Windows and was closed. To see if more information about the problem is
available, check the problem history in the Security and Maintenance control
panel.

Process ID: 1e84

Start Time: 01d8d36839d9a69c

Termination Time: 20

Application Path: C:\Windows\explorer.exe

Report Id: 9e6212d3-1134-4a4f-b69b-c2ec549a2dbf

Faulting package full name: 

Faulting package-relative application ID: 

Hang type: Unknown

Error: (09/28/2022 01:38:56 PM) (Source: Windows Backup) (EventID: 4103) (User:
)
Description: The backup did not complete because of an error writing to the
backup location B:\. The error is: The backup location cannot be found or is not
valid. Review your backup settings and check the backup location. (0x81000006).

Error: (09/28/2022 01:31:31 PM) (Source: Firefox Default Browser Agent)
(EventID: 12007) (User: )
Description: Event-ID 12007

Error: (09/28/2022 01:31:31 PM) (Source: Firefox Default Browser Agent)
(EventID: 0) (User: )
Description: Event-ID 0


System errors:
=============
Error: (09/28/2022 11:58:48 PM) (Source: Schannel) (EventID: 4108) (User:
FAST-DELL)
Description: The certificate received from the remote server has not validated
correctly. The error code is 0x80092013. The TLS connection request has failed.
The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 15420).

Error: (09/28/2022 11:28:54 PM) (Source: Schannel) (EventID: 4108) (User:
FAST-DELL)
Description: The certificate received from the remote server has not validated
correctly. The error code is 0x80092013. The TLS connection request has failed.
The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 11432).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User:
FAST-DELL)
Description: The certificate received from the remote server has not validated
correctly. The error code is 0x80092013. The TLS connection request has failed.
The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16948).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User:
FAST-DELL)
Description: The certificate received from the remote server has not validated
correctly. The error code is 0x80092013. The TLS connection request has failed.
The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16600).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User:
FAST-DELL)
Description: The certificate received from the remote server has not validated
correctly. The error code is 0x80092013. The TLS connection request has failed.
The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16476).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User:
FAST-DELL)
Description: The certificate received from the remote server has not validated
correctly. The error code is 0x80092013. The TLS connection request has failed.
The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 15328).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User:
FAST-DELL)
Description: The certificate received from the remote server has not validated
correctly. The error code is 0x80092013. The TLS connection request has failed.
The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16400).

Error: (09/28/2022 11:08:48 PM) (Source: Schannel) (EventID: 4108) (User:
FAST-DELL)
Description: The certificate received from the remote server has not validated
correctly. The error code is 0x80092013. The TLS connection request has failed.
The attached data contains the server certificate.
 The SSPI client process is LogiLuUpdater (PID: 16516).


Windows Defender:
================
Date: 2022-09-26 10:30:42
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted
software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS:
1.375.1016.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3

Date: 2022-09-26 10:30:30
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted
software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS:
1.375.1016.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3

Date: 2022-09-26 02:23:28
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted
software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\Users\gngn1\Desktop\FRST64.exe
Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS:
1.375.1016.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3

Date: 2022-09-26 01:58:41
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted
software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.375.1016.0, AS: 1.375.1016.0, NIS:
1.375.1016.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3

Date: 2022-09-26 00:15:31
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted
software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=SettingsModifier:Win32/PossibleHostsFileHijack&threatid=14994&enterprise=0
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Severity: Medium
Category: Settings Modifier
Path: file:_C:\Windows\System32\drivers\etc\hosts
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.375.1006.0, AS: 1.375.1006.0, NIS:
1.375.1006.0
Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3
Event[0]

Date: 2022-09-28 22:41:33
Description: 
Microsoft Defender Antivirus Real-Time Protection feature has encountered an
error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode 
Reason: Antimalware security intelligence has stopped functioning for an unknown
reason. In some instances, restarting the service may resolve the problem.

Date: 2022-09-28 22:37:32
Description: 
Microsoft Defender Antivirus has encountered an error trying to update security
intelligence.
New security intelligence Version: 
Previous security intelligence Version: 1.375.1177.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.19600.3
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates.
For information on installing or troubleshooting updates, see Help and Support. 

Date: 2022-09-28 13:39:15
Description: 
Microsoft Defender Antivirus has encountered an error trying to update security
intelligence.
New security intelligence Version: 
Previous security intelligence Version: 1.375.1134.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.19600.3
Error code: 0x8024402c
Error description: An unexpected problem occurred while checking for updates.
For information on installing or troubleshooting updates, see Help and Support. 

CodeIntegrity:
===============
Date: 2022-09-28 23:19:07
Description: 
Code Integrity determined that a process
(\Device\HarddiskVolume8\ProgramData\Microsoft\Windows
Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load
\Device\HarddiskVolume8\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_9b8a04f8c64efd94\igd10iumd64.dll
that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2022-09-28 22:32:20
Description: 
Code Integrity determined that a process
(\Device\HarddiskVolume8\Windows\System32\SIHClient.exe) attempted to load
\Device\HarddiskVolume8\Program Files\Bonjour\mdnsNSP.dll that did not meet the
Windows signing level requirements.


==================== Memory info =========================== 

BIOS: Dell Inc. 1.5.0 02/11/2022
Motherboard: Dell Inc. 0YF8P5
Processor: Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
Percentage of memory in use: 41%
Total physical RAM: 12021.07 MB
Available physical RAM: 7019.64 MB
Total Virtual: 28838.92 MB
Available Virtual: 23710.69 MB

==================== Drives ================================

Drive a: (1TB-LT) (Fixed) (Total:917.04 GB) (Free:297.48 GB) (Model: TOSHIBA
MQ01ABD100) NTFS
Drive c: (OS) (Fixed) (Total:460.75 GB) (Free:50.22 GB) (Model: NVMe BC711 NVMe
SK hynix 512GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:13.24 GB) (Free:1.57 GB) (Model: TOSHIBA
MQ01ABD100) NTFS ==>[system with boot components (obtained from drive)]

\\?\Volume{8a3cbc66-ab72-496a-8c28-f1c9d89e1ff4}\ (Windows RE tools) (Fixed)
(Total:0.96 GB) (Free:0.36 GB) NTFS
\\?\Volume{e7899493-836e-40e2-a860-993bc8fe0b89}\ (WINRETOOLS) (Fixed)
(Total:0.97 GB) (Free:0.48 GB) NTFS
\\?\Volume{25391c42-c24a-4412-a42b-0763395eec6d}\ (Image) (Fixed) (Total:13.58
GB) (Free:0.15 GB) NTFS
\\?\Volume{7aa07a21-543e-4687-bcaf-54e5b284a176}\ (DELLSUPPORT) (Fixed)
(Total:1.36 GB) (Free:0.53 GB) NTFS
\\?\Volume{e3bd6638-6fd2-43f2-9f08-688f4c1389b4}\ () (Fixed) (Total:0.25 GB)
(Free:0.14 GB) FAT32
\\?\Volume{d88befe7-be9f-42cc-886d-d916edbba0ff}\ (ESP) (Fixed) (Total:0.14 GB)
(Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: A50E1C7D)

Partition: GPT.

==========================================================
Disk: 1 (Size: 476.9 GB) (Disk ID: 416A8FEC)

Partition: GPT.

==================== End of Addition.txt =======================
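The five Defender events above for SettingsModifier:Win32/PossibleHostsFileHijack all point at C:\Windows\System32\drivers\etc\hosts; the one that names FRST64.exe as the process is consistent with FRST reading that file during its scan, since the detection is about the file's contents rather than about whichever program last opened it. The script below is an added example for this thread, not code from the forum and not Defender's own signature logic (which is not public): it performs the generic triage an analyst does by hand, separating plain localhost mappings from names sinkholed to 0.0.0.0/127.x and from names redirected to a routable address, and flagging any that match a watch list of update and security-vendor domains. The sample hosts content, the watch list, LOCALHOST_NAMES and the read_hosts helper are assumptions constructed for the example.

```python
"""Triage a Windows hosts file of the kind Defender flags as
SettingsModifier:Win32/PossibleHostsFileHijack.

Added example: generic analyst checks, not Defender's detection logic.
SAMPLE_HOSTS and WATCHLIST are constructed for the example."""
import ipaddress

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # path named in the Defender event

# Constructed sample: stock-looking header comments plus four injected mappings.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#   127.0.0.1       localhost
#   ::1             localhost
0.0.0.0   www.malwarebytes.com
0.0.0.0   update.microsoft.com   # inserted
127.0.0.1 ad.doubleclick.net
203.0.113.7  www.example-bank.test
"""

# Constructed watch list: update and security-vendor domains that malware
# commonly blackholes via the hosts file so the victim cannot update or scan.
WATCHLIST = ("microsoft.com", "windowsupdate.com", "malwarebytes.com", "kaspersky.com")

LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return one dict per active (non-comment, non-blank) line of a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append({"line": lineno, "ip": None, "names": fields, "malformed": True})
            continue
        entries.append({"line": lineno, "ip": ip,
                        "names": [n.lower() for n in fields[1:]], "malformed": False})
    return entries


def classify(entry):
    """'ok' = localhost mapping, 'sinkhole' = name blackholed to loopback/0.0.0.0,
    'redirect' = name pointed at a real address, 'malformed' = unparsable."""
    if entry["malformed"]:
        return "malformed"
    ip = entry["ip"]
    blackhole = ip.is_loopback or ip.is_unspecified
    if blackhole and entry["names"] and all(n in LOCALHOST_NAMES for n in entry["names"]):
        return "ok"
    return "sinkhole" if blackhole else "redirect"


def on_watchlist(name, watchlist=WATCHLIST):
    return any(name == d or name.endswith("." + d) for d in watchlist)


def triage(text, watchlist=WATCHLIST):
    """Findings for every non-localhost mapping, highest-risk ones marked 'high'."""
    findings = []
    for e in parse_hosts(text):
        kind = classify(e)
        if kind == "ok":
            continue
        watched = [n for n in e["names"] if on_watchlist(n, watchlist)]
        # A redirect to a routable address (credential theft / MITM) or a
        # sinkholed vendor domain (disabling updates or AV) is the serious case;
        # ad-blocking style sinkholes are reported but only as 'info'.
        severity = "high" if kind == "redirect" or watched else "info"
        findings.append({"line": e["line"], "kind": kind, "severity": severity,
                         "ip": str(e["ip"]) if e["ip"] is not None else None,
                         "names": e["names"], "watched": watched})
    return findings


def read_hosts(path=HOSTS_PATH):
    """Read the live file (assumed helper; only meaningful on the Windows box)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS):
        print(f'line {f["line"]:>3} {f["severity"]:<4} {f["kind"]:<9} '
              f'{f["ip"]!s:<15} {" ".join(f["names"])}'
              + (f'   <-- watchlist: {", ".join(f["watched"])}' if f["watched"] else ""))
```

On a live machine, replace SAMPLE_HOSTS with read_hosts() (run elevated, or copy the file out first). A stock Windows hosts file produces no findings at all, so anything the script reports is something a person or a program put there.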

 

 


ADVANCEDSETUP (Root Admin), posted September 29, 2022

Please ATTACH all logs unless otherwise requested, thank you @malwareismyfriend

 

Please run the following fix, once the fix has been completed, please attach the
FIXLOG.TXT file to your next reply. I will check back on you again some time
tomorrow.

 

 

Please download the attached fixlist.txt file and save it to the Desktop or
location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the
same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before
running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this
particular machine. Running this on another machine may cause damage to your
operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally
and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST
from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run
the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system
files are valid and not corrupt and attempt to correct any invalid files. It
will also run a disk check on the restart to ensure disk integrity. Depending on
the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any
open web pages that have not been bookmarked please make sure you bookmark them
now as all open applications will be automatically closed. Also, make sure you
know the passwords for all websites as cookies will also be removed. The use of
an external password manager is highly recommended instead of using your browser
to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings
including the firewall. If you have custom firewall rules you need to save
please export or save them first before running this fix.

The following directories are emptied:

 * Windows Temp
 * Users Temp folders
 * Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
 * Recently opened files cache
 * Discord cache
 * Java cache
 * Steam HTML cache
 * Explorer thumbnail and icon cache
 * BITS transfer queue (qmgr*.dat files)
 * Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If
you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Thanks

 


MALWAREISMYFRIEND (Author), posted September 29, 2022 (edited)


 

Attachment: Fixlog.txt

Edited September 29, 2022 by AdvancedSetup
Removed unwanted direct log posting


ADVANCEDSETUP (Root Admin), posted September 29, 2022


Please stop posting logs directly. We only want or need the attachments. Thank
you @malwareismyfriend

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save
it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9,
2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.



Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the
Run box.
 



That addendum to the run command is very important: when the scan does
eventually complete, the resultant report is normally encrypted; with the extra
command it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and look similar to this:
report_20210123_113021.klr
Right-click directly on that report, select Open with > Notepad. Save that
file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".



In the new window select "Change Parameters"



In the new window ensure all selection boxes are ticked, then select "OK" The
scan should now start...



When complete, if entries are found there will be options; if "Cure" is offered,
leave as is. For any other options change to "Delete", then select "Continue".



When complete, or if nothing was found select "Close"



Attach the report information as previously instructed...
 
Thank you
 
 

 

 


MALWAREISMYFRIEND (Author), posted September 30, 2022


It took over 6 hours to complete this scan; it didn't detect much of anything.

 

Attachment: report_2022.09.29_14.42.09.klr.txt


ADVANCEDSETUP (Root Admin), posted September 30, 2022


That's a good thing.

Have you put it back on the network now? @malwareismyfriend

 

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current
security update status of some applications.

 * Download SecurityCheck by glax24:
   https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
 * If Microsoft SmartScreen blocks the download, click through to save the file
 * This tool is safe.   Smartscreen is overly sensitive.
 * If SmartScreen blocks the file from running click on More info and Run anyway
 * Right-click with your mouse on SecurityCheck.exe and select "Run as
   administrator", and reply YES to allow it to run and go forward
 * Wait for the scan to finish. It will open a text file named SecurityCheck.txt
   Close the file.  Attach it with your next reply.
 * You can find this file in a folder called SecurityCheck,
   C:\SecurityCheck\SecurityCheck.txt

 







 

Thank you

 

 


MALWAREISMYFRIEND (Author), posted September 30, 2022


Attachment: SecurityCheck.txt

I've had it on the network since I first messaged you, but I block all outgoing
and incoming requests with TinyWall when I'm not using it to run these security
apps.

 

I've gone into Process Explorer and found a bunch of very odd-looking processes;
further investigation of the properties shows that a lot of these processes have
things in common. They all have administrator flagged for DENY. The owner is NT
AUTHORITY/LogonSessionID_0_1053163. Most run from
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\", there are
about 30-40 processes using svchost, and some operating system files are not
signed. Looking at the TCP connections, there are a lot of SYSTEM connections
with "TIME WAIT" going to a random IP hosted by Amazon or some other big
provider.

 

 


ADVANCEDSETUP (Root Admin), posted September 30, 2022


You're running Torrent software on the system. @malwareismyfriend

 

Torrenting is the act of downloading and uploading files through the BitTorrent
network

The act of torrenting itself is not illegal. However, downloading and sharing
unsanctioned copyrighted material is illegal, and there is always a chance of
prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However,
be aware that we have seen increased malware bundled with software downloads
over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one
can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's
attack surface area, which can increase the risk of infection.

Scan all files before running them. https://www.virustotal.com

If you don't need or use the P2P software, you should uninstall it to improve
security of your system and data.

Risks of File-Sharing Technology by the Cybersecurity & Infrastructure Security
Agency
https://www.cisa.gov/uscert/ncas/tips/ST05-007

 

We're not done yet. Most processes are normal; some have very strange names, but
in most cases they're normal.

 

Please uninstall, update, or otherwise address the following as appropriate for
your system

 

---------------------- [ AntiVirusFirewallInstall ] -----------------------
Malwarebytes version 4.4.11.149 v.4.4.11.149 Warning! Download Update


--------------------------- [ OtherUtilities ] ----------------------------
SumatraPDF v.3.3.3 Warning! Download Update

PuTTY release 0.76 (64-bit) v.0.76.0.0 Warning! Download Update

FileZilla Client 3.58.0 v.3.58.0 Warning! Download Update

TeamViewer v.15.24.5 Warning! Download Update

Wireshark 3.6.7 64-bit v.3.6.7 Warning! Download Update


------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 21.06 (x64) v.21.06 Warning! Download Update
Uninstall old version and install new one.

WinRAR 6.02 (64-bit) v.6.02.0 Warning! Download Update

7-Zip 19.00 (x64 edition) v.19.00.00.0 Warning! Download Update
Uninstall old version and install new one.


------------------------------- [ Imaging ] -------------------------------
FastStone Image Viewer 7.5 v.7.5 Warning! Download Update

XnView 2.50.4 v.2.50.4 Warning! Download Update


-------------------------- [ IMAndCollaborate ] ---------------------------
Telegram Desktop version 4.1.1 v.4.1.1 Warning! Download Update

Zoom v.5.8.2048 Warning! Download Update

--------------------------------- [ P2P ] ---------------------------------

qBittorrent 4.3.9 v.4.3.9 Warning! Download Update


-------------------------------- [ Media ] --------------------------------
Audacity 3.1.2 v.3.1.2 Warning! Download Update

VLC media player v.3.0.16 Warning! Download Update

iTunes v.12.12.2.2 Warning! Download Update
^Please use Apple Software Update tool.^

Spotify v.1.1.94.870.gf994cb0b Warning! Download Update

 

------------------------------- [ Browser ] -------------------------------
Opera Stable 90.0.4480.84 v.90.0.4480.84 Warning! Download Update

 

---------------------------- [ UnwantedApps ] -----------------------------
VdhCoApp 1.6.3 Warning! Application is distributed through the partnership
programs and bundle assemblies. Uninstallation recommended. Possible you became
a victim of fraud or social engineering.
----------------------------- [ End of Log ] ------------------------------

 

 

Then check for Windows Updates and install any found and restart the computer.

 

Once that has all been completed and the computer restarted, get me new, fresh
logs from the Farbar program.

FRST.TXT
ADDITION.TXT

 

Thank you

 

 

 


MALWAREISMYFRIEND (Author), posted September 30, 2022


I have never been on the TOR network; can you tell me how to uninstall whatever
you are talking about?

I have uninstalled VdhCoApp, don't even use it either. I also downloaded
qtorrent.

I used a program called "Patch my PC updater" to update all the programs
(patchmypc.com).

 

Attachments: FRST.txt, Addition.txt

 


ADVANCEDSETUP (Root Admin), posted September 30, 2022


You're right about not having P2P bit torrent network software. Not sure why the
Security Scanner showed that.

You can delete the qbitorrent program download, not needed.

 

How is the computer running now?

Are you still having any alerts or issues? @malwareismyfriend


MALWAREISMYFRIEND (Author), posted October 9, 2022


Yes, still issues.

Lots of TIME WAIT connections in my firewall with SYSTEM process 4 connecting to
masked IP addresses like

35.186.227.140

72.21.91.29

20.60.179.4

172.67.185.102

34.120.5.221

172.67.155.249

52.170.249.225

192.0.73.2

....and more. I can usually see at least 10 or more of them at a time using
netstat or simply looking at my firewall status. These are all on port 443 or
80, all in TIME WAIT status with SYSTEM as the PID. Other strange activity as
well.


ADVANCEDSETUP (Root Admin), posted October 10, 2022


I'm sorry but we don't support router issues. Routers can have thousands of IP
listed and have nothing to do with what is going on with Windows.

We need to see alerts, blocks from onboard security software, event log entries,
obvious issues in Windows. We've now run a few different antivirus scanners and
Windows is looking clean at this point.

You can do a Factory Reset on your Router if you own it.

 

 

Please ensure that you have the user manual for your router. Then perform a
factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the
following.

 * Disable acceptance of ICMP Pings
 * Change the default router password, using a strong password
 * Use a strong WiFi password on WPA2 using AES encryption, or enable WPA3 if it
   is an option.
 * Disable Remote Management
 * Create separate WiFi networks for groups of devices with similar purposes to
   prevent an entire network of devices from being compromised if a malicious
   actor is able to gain unauthorized access to one device or network. Example:
   keep IoT devices on one network and mobile devices on another.
 * Change the network name (SSID). Do not use your name, postal address, or
   other personal information. Make it unique or whimsical and known to your
   family/group.
 * Is the router firmware up-to-date? Updating the firmware mitigates
   exploitable vulnerabilities.
 * Specifically set firewall rules to BLOCK TCP and UDP ports 135 ~ 139, 445,
   1234, 3389 and 5555
 * Document passwords created and store them in a safe but accessible location.

 

 


MALWAREISMYFRIEND (Author), posted October 10, 2022


These are connections that are made to PID 4 which is a process that runs in
Windows 11.  This has nothing to do with my router.  The firewall is a software
based firewall called Tinywall, which is how I am able to see where these
connections are being made.

 

Is the PID 4 SYSTEM even supposed to have any external based TCP connections?


ADVANCEDSETUP (Root Admin), posted October 10, 2022


Absolutely, quite a few in fact.

Open an elevated admin command prompt and then copy and paste the following into
the Window and press the Enter key.

You'll see a ton of programs that run under SVCHOST.EXE and most of them have
access to the Internet

tasklist /svc /fi "IMAGENAME eq svchost.exe"

 


MALWAREISMYFRIEND (Author), posted October 14, 2022


Right, I know about svchost and the dozens of services that run with it as a
parent process. But I am specifically talking about the System process with PID 4.


ADVANCEDSETUP (Root Admin), posted October 14, 2022 (edited)


That is a kernel-level part of the system

       4 0xffffd60f`ec068380      0xffffaf00`cec07a40 System


It's the Windows kernel, a system virtual process. This virtual process
contains all running kernel-mode drivers. This also includes Windows File
Sharing, HTTP.SYS and SMB, to name a few.

Without writing your own driver to access this process I'm not aware of any
means to monitor its processes from user-mode level.

You can run the following from a command prompt, which should show what
connections are made under PID 4

netstat -aon

 



 

 

Edited October 14, 2022 by AdvancedSetup
Updated information
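The tasklist /svc command a few posts up and the netstat -aon command here answer two halves of the same question: which PID owns a connection, and what that PID is. The script below is an added example, not code from the thread, that joins the two outputs offline; both sample outputs are constructed to mimic the real tools, so paste in the actual output of netstat -aon and tasklist /svc to use it on the machine. Two points worth knowing when reading the result: netstat reports PID 0, not 4, for sockets in TIME_WAIT, because the application has already closed them and only the kernel still tracks the 4-tuple, so a TIME_WAIT row cannot be attributed to any process after the fact; and PID 4 legitimately owns the SMB listeners on 445 and any HTTP.SYS traffic, so the signal worth chasing is an ESTABLISHED connection from an unexpected owner to an unexpected remote host, not TIME_WAIT rows as such. The owner labels and the by_owner grouping are the example's own conventions.

```python
"""Correlate `netstat -aon` with `tasklist /svc` to see which process (and,
for svchost.exe, which services) owns each remote connection.

Added example for the thread, not code from the forum or from Microsoft.
NETSTAT_SAMPLE and TASKLIST_SAMPLE are CONSTRUCTED to mimic the tools' output."""
import re
from collections import defaultdict

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:52311     35.186.227.140:443     TIME_WAIT       0
  TCP    192.168.1.20:52315     172.67.185.102:443     TIME_WAIT       0
  TCP    192.168.1.20:52320     20.60.179.4:443        ESTABLISHED     4
  TCP    192.168.1.20:52330     52.170.249.225:443     ESTABLISHED     3120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2244
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                   1012 RpcEptMapper, RpcSs
svchost.exe                   3120 wuauserv
svchost.exe                   2244 Dnscache
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); '[::]:445' -> ('::', '445')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist_svc(text):
    """Map PID -> (image name, [service names]); 'N/A' means no hosted service."""
    owners, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:
            # tasklist wraps long service lists onto indented continuation lines
            owners[last_pid][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = TASKLIST_ROW.match(line)
        if not m:
            continue
        image, pid, services = m.groups()
        svc = [] if services.strip() == "N/A" else [s.strip() for s in services.split(",") if s.strip()]
        last_pid = int(pid)
        owners[last_pid] = (image.strip(), svc)
    return owners


def is_local_endpoint(endpoint):
    host, _ = split_endpoint(endpoint)
    return host in ("0.0.0.0", "::", "*", "::1") or host.startswith("127.")


def remote_connections(netstat_text, tasklist_text):
    """Rows that actually touch a remote host, annotated with their owner."""
    owners, result = parse_tasklist_svc(tasklist_text), []
    for row in parse_netstat(netstat_text):
        if is_local_endpoint(row["remote"]):
            continue  # listeners and loopback traffic are not remote traffic
        pid = row["pid"]
        if row["state"] == "TIME_WAIT" and pid == 0:
            # The application already closed this socket; the kernel just holds
            # the 4-tuple, so netstat cannot name an owner any more.
            owner = "(closed socket, no owning process)"
        elif pid == 4:
            # System: SMB (srv2.sys), HTTP.SYS and other kernel drivers live here.
            owner = "System (kernel-mode drivers)"
        else:
            image, services = owners.get(pid, ("<unknown>", []))
            owner = image + (" [" + ", ".join(services) + "]" if services else "")
        result.append({**row, "owner": owner})
    return result


def by_owner(connections):
    """Group remote (host, port) pairs by owner label for a quick read."""
    grouped = defaultdict(list)
    for c in connections:
        grouped[c["owner"]].append(split_endpoint(c["remote"]))
    return dict(grouped)


if __name__ == "__main__":
    for c in remote_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f'{c["proto"]:4} {c["remote"]:22} {c["state"]:12} pid={c["pid"]:<6} {c["owner"]}')
```

Run both commands from the same elevated prompt within a few seconds of each other, since PIDs are reused; any ESTABLISHED row whose owner is "<unknown>" was created by a process that had already exited by the time tasklist ran, which is itself worth a second look.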


ADVANCEDSETUP (Root Admin), posted December 14, 2022


Due to the lack of feedback, this topic is closed to prevent others from posting
here.

If you need this topic reopened, please send a Private Message to any one of the
moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need
assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
