I could use some help. I think I'm dealing with a rootkit.


Post by Norhand » October 11th, 2022, 6:30 pm

Hello,

I did something dumb. I spent the last 2 days trying to fix what I can only assume is a rootkit. Not going to lie, I'm in a bad way here and could really use some help. I somehow managed to reset my computer back to a point before my computer starts to implode. I'm not sure why, but things go south whenever I try to restart my computer from here.


Things I've noticed that started to happen the few times I restarted my machine:


Start menu gets disabled.
Registry values get tampered with.
Lots of weird stuff happening in temporary files, IExplorer, and appdata. I can't quite remember exactly, but I believe it was a bunch of .dll files.
Firewall gets turned off.
I noticed a few apps (Phone Link, Calculator, and two or three more that I can't remember) were suspended when I was trying to diagnose the problem myself using Process Explorer and Autoruns.
Can't search for anything on the internet because my keyboard will just spam "d."
Redirects like crazy.
There are a couple of stubborn files that I absolutely cannot touch under temp files. And the ones that I did delete just populated elsewhere.
Right clicking the desktop will open up my monitor display settings and the like.
When I somehow managed to download anti-rootkit software, like GMER, the thing holding my computer hostage did not like it.
The .exe file gets deleted, and the stupid thing just gets even more aggressive.
My machine becomes unresponsive to the point where all I can do is reset my computer back to where I'm at now.
If I do manage to download something like GMER, Windows Defender will see it as a threat and delete it instantly.


Well, that's about the gist of it. Here are the logs:

FRST.txt



Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-10-2022
Ran by bird4 (administrator) on GIGARIG (11-10-2022 14:43:41)
Running from C:\Users\bird4\Desktop
Loaded Profiles: bird4
Platform: Microsoft Windows 10 Home Version 21H2 19044.2075 (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCopyAccelerator.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler64.exe
(Google LLC -> Google LLC) C:\Program Files\Google\Chrome\Application\chrome.exe <18>
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe <15>
(Open Source Developer, Robin Krom -> Greenshot) C:\Program Files\Greenshot\Greenshot.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\NisSrv.exe
(services.exe ->) (Nvidia Corporation -> NVIDIA Corporation) C:\Windows\System32\DriverStore\FileRepository\nv_dispig.inf_amd64_47917a79b8c7fd22\Display.NvContainer\NVDisplay.Container.exe <2>
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Users\bird4\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [527792 2017-08-09] (Open Source Developer, Robin Krom -> Greenshot)
HKU\S-1-5-21-1589133460-2440353720-3213826699-1001\...\Run: [MicrosoftEdgeAutoLaunch_AAD6B18524648DB7FBEB8BD365727FB6] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [3852232 2022-10-10] (Microsoft Corporation -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files\Google\Chrome\Application\106.0.5249.103\Installer\chrmstp.exe [2022-10-11] (Google LLC -> Google LLC)
HKLM\Software\...\Authentication\Credential Providers: [{f64945df-4fa9-4068-a2fb-61af319edd33}] -> C:\WINDOWS\system32\rdpcredentialprovider.dll [2022-10-11] (Microsoft Windows -> Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {21491297-C31B-4F0E-9C63-073C73665ED6} - System32\Tasks\GoogleUpdateTaskMachineCore{AC45E3E1-7F89-46E9-8C0C-C80DD1997B77} => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [171480 2022-10-11] (Google LLC -> Google LLC)
Task: {5295B9E0-F89F-4F4B-8F14-192E4B360CF9} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-10-11] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {616124C7-DAA7-43AE-82AF-BD64850A090E} - System32\Tasks\GoogleUpdateTaskMachineUA{BBCE9EBD-1B9B-4235-B946-6F00053C93A4} => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [171480 2022-10-11] (Google LLC -> Google LLC)
Task: {81C45C15-C2DB-4C7C-9570-C5FBBC70E036} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-10-11] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {9FA29C04-5274-4D64-A9ED-EF794C5F2534} - System32\Tasks\Avast Software\Overseer => C:\Windows\OEM\CustomizationFiles\Overseer.exe [2250576 2022-10-11] (Avast Software s.r.o. -> Avast Software)
Task: {AD01D2A1-27E1-4364-B61B-E096CAFED996} - System32\Tasks\Microsoft\Windows\SysResetDelayedCleanup => C:\WINDOWS\system32\ResetEngine.exe [21360 2022-10-11] (Microsoft Windows -> Microsoft Corporation)
Task: {F566AFAE-B7CD-4ACE-A369-BE65D3663E29} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-10-11] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {F830B9C1-E03A-4DA9-AE3C-AA601D11015A} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2207.7-0\MpCmdRun.exe [1335960 2022-10-11] (Microsoft Windows Publisher -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{4958a6ca-ed04-4cee-b170-9abfae114ab4}: [DhcpNameServer] 192.168.1.254

Edge:
=======
Edge Profile: C:\Users\bird4\AppData\Local\Microsoft\Edge\User Data\Default [2022-10-11]

Chrome:
=======
CHR Profile: C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default [2022-10-11]
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Session Restore: Default -> is enabled.
CHR Extension: (BetterTTV) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2022-10-11]
CHR Extension: (7TV) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\ammjkodgmmoknidbanneddgankgfejfh [2022-10-11]
CHR Extension: (Slinky Elegant) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmanlajnpdncmhfkiccmbgeocgbncfln [2022-10-11]
CHR Extension: (uBlock Origin) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2022-10-11]
CHR Extension: (Dark Reader) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\eimadpbcbfnmbkopoojfekhnkhdbieeh [2022-10-11]
CHR Extension: (Qualys BrowserCheck for Windows) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\foklmnihmhdobgonljkdamiiohnobkff [2022-10-11]
CHR Extension: (Google Docs Offline) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2022-10-11]
CHR Extension: (Decentraleyes) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\ldpochfccmkkmhdbclfhpagapcfdljkj [2022-10-11]
CHR Extension: (Twitch Adblock) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljhnljhabgjcihjoihakgdiicdjncpkd [2022-10-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2022-10-11]
CHR Extension: (ColorPick Eyedropper) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohcpnigalekghcmgcdcenkpelffpdolg [2022-10-11]
CHR Extension: (Privacy Badger) - C:\Users\bird4\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkehgijcmpdhfbdbbnkijodmdjhbjlgp [2022-10-11]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2207.7-0\NisSrv.exe [3125112 2022-10-11] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2207.7-0\MsMpEng.exe [133560 2022-10-11] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispig.inf_amd64_47917a79b8c7fd22\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f %ProgramData%\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispig.inf_amd64_47917a79b8c7fd22\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 goxlr_audio; C:\WINDOWS\System32\drivers\goxlr_audio.sys [374768 2019-06-28] (Microsoft Windows Hardware Compatibility Publisher -> )
R3 goxlr_audioks; C:\WINDOWS\System32\drivers\goxlr_audioks.sys [53744 2019-06-28] (Microsoft Windows Hardware Compatibility Publisher -> )
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [49576 2022-10-11] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [453904 2022-10-11] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [94480 2022-10-11] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-10-11 15:11 - 2022-10-11 15:11 - 000000000 ____D C:\WINDOWS\OEM
2022-10-11 15:10 - 2022-10-11 14:42 - 000000865 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2022-10-11 15:10 - 2022-10-11 13:31 - 000002323 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2022-10-11 15:10 - 2022-10-11 12:20 - 000000000 ____D C:\WINDOWS\Panther
2022-10-11 15:10 - 2022-10-11 12:20 - 000000000 ____D C:\Windows.old
2022-10-11 15:10 - 2022-10-11 12:17 - 000002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2022-10-11 15:10 - 2022-10-11 03:38 - 000002033 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2022-10-11 15:10 - 2022-10-11 03:28 - 000001146 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Health Check.lnk
2022-10-11 15:09 - 2022-10-11 15:10 - 000000000 ____D C:\WINDOWS\ServiceProfiles
2022-10-11 15:08 - 2022-10-11 15:08 - 000000000 ____D C:\WINDOWS\SystemTemp
2022-10-11 15:08 - 2022-10-11 15:08 - 000000000 ____D C:\ProgramData\ssh
2022-10-11 15:05 - 2022-10-11 15:05 - 003860832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rtmpltfm.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 002371072 _____ C:\WINDOWS\system32\rdpnano.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 002111488 _____ (Digimarc) C:\WINDOWS\SysWOW64\DMRCDecoder.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 001864192 _____ (The ICU Project) C:\WINDOWS\SysWOW64\icu.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 001687040 _____ C:\WINDOWS\system32\libcrypto.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 001333760 _____ C:\WINDOWS\SysWOW64\TextInputMethodFormatter.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 001164288 _____ C:\WINDOWS\system32\MBR2GPT.EXE
2022-10-11 15:05 - 2022-10-11 15:05 - 000980320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rtmpal.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000915296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rtmcodecs.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000732000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ortcengine.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000693248 _____ C:\WINDOWS\system32\FsNVSDeviceSource.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000611960 _____ C:\WINDOWS\SysWOW64\TextShaping.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000581120 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhotoScreensaver.scr
2022-10-11 15:05 - 2022-10-11 15:05 - 000530944 _____ (curl, hxxps://curl.se/) C:\WINDOWS\system32\curl.exe
2022-10-11 15:05 - 2022-10-11 15:05 - 000499200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PhotoScreensaver.scr
2022-10-11 15:05 - 2022-10-11 15:05 - 000470528 _____ (curl, hxxps://curl.se/) C:\WINDOWS\SysWOW64\curl.exe
2022-10-11 15:05 - 2022-10-11 15:05 - 000468440 _____ C:\WINDOWS\SysWOW64\WindowManagementAPI.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000363520 _____ C:\WINDOWS\system32\Windows.Internal.UI.Shell.WindowTabManager.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000330752 _____ C:\WINDOWS\SysWOW64\ssdm.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000270848 _____ C:\WINDOWS\system32\EsclScan.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000266240 _____ C:\WINDOWS\SysWOW64\Windows.Internal.UI.Shell.WindowTabManager.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000240640 _____ C:\WINDOWS\SysWOW64\CoreMas.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000235520 _____ C:\WINDOWS\SysWOW64\HeatCore.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000223744 _____ C:\WINDOWS\SysWOW64\TpmTool.exe
2022-10-11 15:05 - 2022-10-11 15:05 - 000152064 _____ C:\WINDOWS\system32\EsclProtocol.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000104448 _____ C:\WINDOWS\system32\nettraceex.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000095744 _____ C:\WINDOWS\system32\VirtualMonitorManager.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000067072 _____ C:\WINDOWS\system32\BWContextHandler.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000061952 _____ C:\WINDOWS\system32\printticketvalidation.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000057344 _____ C:\WINDOWS\system32\APMonUI.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000055376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rtmmvrortc.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000053760 _____ C:\WINDOWS\SysWOW64\BWContextHandler.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000047472 _____ C:\WINDOWS\SysWOW64\umpdc.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000045880 _____ C:\WINDOWS\system32\HvSocket.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000039936 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000033280 _____ (Microsoft Corporation) C:\WINDOWS\system32\mode.com
2022-10-11 15:05 - 2022-10-11 15:05 - 000026624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mode.com
2022-10-11 15:05 - 2022-10-11 15:05 - 000020992 _____ (Microsoft Corporation) C:\WINDOWS\system32\tree.com
2022-10-11 15:05 - 2022-10-11 15:05 - 000018944 _____ C:\WINDOWS\SysWOW64\WsdProviderUtil.dll
2022-10-11 15:05 - 2022-10-11 15:05 - 000017920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tree.com
2022-10-11 15:05 - 2022-10-11 15:05 - 000014848 _____ (Microsoft Corporation) C:\WINDOWS\system32\chcp.com
2022-10-11 15:05 - 2022-10-11 15:05 - 000012800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\chcp.com
2022-10-11 15:05 - 2022-10-11 15:05 - 000012251 _____ C:\WINDOWS\system32\DrtmAuthTxt.wim
2022-10-11 15:05 - 2022-10-11 15:05 - 000010752 _____ C:\WINDOWS\SysWOW64\agentactivationruntimestarter.exe
2022-10-11 15:04 - 2022-10-11 15:04 - 004898144 _____ (Microsoft Corporation) C:\WINDOWS\system32\rtmpltfm.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 004227116 _____ C:\WINDOWS\system32\DefaultHrtfs.bin
2022-10-11 15:04 - 2022-10-11 15:04 - 002295296 _____ (Digimarc) C:\WINDOWS\system32\DMRCDecoder.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 002260480 _____ C:\WINDOWS\system32\TextInputMethodFormatter.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 002260480 _____ (The ICU Project) C:\WINDOWS\system32\icu.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 002254336 _____ C:\WINDOWS\system32\dwmscene.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 001354080 _____ (Microsoft Corporation) C:\WINDOWS\system32\rtmpal.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 001091936 _____ (Microsoft Corporation) C:\WINDOWS\system32\rtmcodecs.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 001032544 _____ (Microsoft Corporation) C:\WINDOWS\system32\ortcengine.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000706536 _____ C:\WINDOWS\system32\TextShaping.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000657464 _____ C:\WINDOWS\system32\WindowManagementAPI.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000640512 _____ C:\WINDOWS\system32\SettingSyncDownloadHelper.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000455168 _____ C:\WINDOWS\system32\ssdm.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000413696 _____ C:\WINDOWS\system32\AzureCheck.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000306688 _____ C:\WINDOWS\system32\HeatCore.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000288768 _____ C:\WINDOWS\system32\Windows.Management.InprocObjects.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000287232 _____ C:\WINDOWS\system32\CoreMas.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000272896 _____ C:\WINDOWS\system32\TpmTool.exe
2022-10-11 15:04 - 2022-10-11 15:04 - 000232288 _____ C:\WINDOWS\system32\containerdevicemanagement.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000197632 _____ C:\WINDOWS\system32\IHDS.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000190976 _____ C:\WINDOWS\system32\BthpanContextHandler.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000162304 _____ C:\WINDOWS\system32\DataStoreCacheDumpTool.exe
2022-10-11 15:04 - 2022-10-11 15:04 - 000152064 _____ C:\WINDOWS\system32\EoAExperiences.exe
2022-10-11 15:04 - 2022-10-11 15:04 - 000098816 _____ C:\WINDOWS\system32\Drivers\cimfs.sys
2022-10-11 15:04 - 2022-10-11 15:04 - 000089088 _____ C:\WINDOWS\system32\windows.applicationmodel.conversationalagent.proxystub.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000074240 _____ C:\WINDOWS\system32\rdsxvmaudio.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000073216 _____ C:\WINDOWS\system32\windows.applicationmodel.conversationalagent.internal.proxystub.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000064552 _____ C:\WINDOWS\system32\umpdc.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000060928 _____ C:\WINDOWS\system32\runexehelper.exe
2022-10-11 15:04 - 2022-10-11 15:04 - 000056672 _____ (Microsoft Corporation) C:\WINDOWS\system32\rtmmvrortc.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000048640 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000029696 _____ (The ICU Project) C:\WINDOWS\system32\icuuc.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000025088 _____ (The ICU Project) C:\WINDOWS\system32\icuin.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000024576 _____ C:\WINDOWS\system32\WsdProviderUtil.dll
2022-10-11 15:04 - 2022-10-11 15:04 - 000013312 _____ C:\WINDOWS\system32\agentactivationruntimestarter.exe
2022-10-11 15:04 - 2022-10-11 15:04 - 000001370 _____ C:\WINDOWS\system32\ThirdPartyNoticesBySHS.txt
2022-10-11 14:58 - 2019-10-15 16:50 - 000002060 _____ C:\WINDOWS\system32\noise.jpn
2022-10-11 14:57 - 2022-10-11 14:57 - 000144624 _____ C:\WINDOWS\system32\perfi011.dat
2022-10-11 14:57 - 2022-10-11 14:57 - 000033402 _____ C:\WINDOWS\system32\perfd011.dat
2022-10-11 14:57 - 2022-10-11 14:57 - 000000000 ____D C:\WINDOWS\SysWOW64\XPSViewer
2022-10-11 14:57 - 2022-10-11 14:57 - 000000000 ____D C:\WINDOWS\SysWOW64\ja
2022-10-11 14:57 - 2022-10-11 14:57 - 000000000 ____D C:\WINDOWS\system32\ja
2022-10-11 14:57 - 2022-10-11 14:57 - 000000000 ____D C:\Program Files\Reference Assemblies
2022-10-11 14:57 - 2022-10-11 14:57 - 000000000 ____D C:\Program Files\MSBuild
2022-10-11 14:57 - 2022-10-11 14:57 - 000000000 ____D C:\Program Files (x86)\Reference Assemblies
2022-10-11 14:57 - 2022-10-11 14:57 - 000000000 ____D C:\Program Files (x86)\MSBuild
2022-10-11 14:57 - 2022-10-11 12:22 - 000486904 _____ C:\WINDOWS\system32\perfh011.dat
2022-10-11 14:57 - 2022-10-11 12:22 - 000132632 _____ C:\WINDOWS\system32\perfc011.dat
2022-10-11 14:55 - 2022-10-11 14:55 - 000008192 _____ C:\WINDOWS\system32\config\userdiff
2022-10-11 14:55 - 2022-10-11 12:20 - 000000000 ____D C:\Program Files (x86)\Razer
2022-10-11 14:50 - 2022-10-11 12:17 - 000000000 ___HD C:\$SysReset
2022-10-11 14:43 - 2022-10-11 14:44 - 000010119 _____ C:\Users\bird4\Desktop\FRST.txt
2022-10-11 14:42 - 2022-10-11 14:42 - 000000853 _____ C:\Users\Public\Desktop\Audacity.lnk
2022-10-11 14:42 - 2022-10-11 14:42 - 000000000 ____D C:\Program Files\Audacity
2022-10-11 14:29 - 2022-10-11 13:47 - 014178840 _____ (Malwarebytes Corp.) C:\Users\bird4\Desktop\mbar-1.10.3.1001.exe
2022-10-11 14:25 - 2022-10-11 14:25 - 000000000 ___HD C:\$WinREAgent
2022-10-11 13:48 - 2022-10-11 13:48 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\6313420A.sys
2022-10-11 13:48 - 2022-10-11 13:48 - 000000000 ____D C:\ProgramData\Malwarebytes
2022-10-11 13:47 - 2022-10-11 13:56 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2022-10-11 13:47 - 2022-10-11 13:47 - 014178840 _____ (Malwarebytes Corp.) C:\Users\bird4\Downloads\mbar-1.10.3.1001.exe
2022-10-11 13:47 - 2022-10-11 13:47 - 000192952 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2022-10-11 13:34 - 2022-10-11 13:34 - 002373120 _____ (Farbar) C:\Users\bird4\Desktop\FRST64.exe
2022-10-11 13:31 - 2022-10-11 14:36 - 000000000 ____D C:\Program Files (x86)\Google
2022-10-11 13:31 - 2022-10-11 13:35 - 000000000 ____D C:\Users\bird4\AppData\Local\Google
2022-10-11 13:31 - 2022-10-11 13:31 - 000003496 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA{BBCE9EBD-1B9B-4235-B946-6F00053C93A4}
2022-10-11 13:31 - 2022-10-11 13:31 - 000003372 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore{AC45E3E1-7F89-46E9-8C0C-C80DD1997B77}
2022-10-11 13:31 - 2022-10-11 13:31 - 000002282 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2022-10-11 13:31 - 2022-10-11 13:31 - 000000000 ____D C:\Program Files\Google
2022-10-11 13:02 - 2022-10-11 14:43 - 000000000 ____D C:\FRST
2022-10-11 13:02 - 2022-10-11 13:02 - 002373120 _____ (Farbar) C:\Users\bird4\Downloads\FRST64.exe
2022-10-11 12:38 - 2022-10-11 12:38 - 000000000 ____D C:\Users\bird4\AppData\Local\Comms
2022-10-11 12:35 - 2022-10-11 12:35 - 000000000 ____D C:\Users\bird4\AppData\Roaming\Greenshot
2022-10-11 12:35 - 2022-10-11 12:35 - 000000000 ____D C:\Users\bird4\AppData\Local\Greenshot
2022-10-11 12:32 - 2022-10-11 12:32 - 000000000 ____D C:\Users\bird4\AppData\Local\OneDrive
2022-10-11 12:26 - 2022-10-11 12:26 - 000000000 ____D C:\Program Files\Greenshot
2022-10-11 12:22 - 2022-10-11 14:20 - 000000000 ____D C:\Users\bird4\AppData\Local\PlaceholderTileLogoFolder
2022-10-11 12:22 - 2022-10-11 13:33 - 000000000 ____D C:\Users\bird4\AppData\Local\D3DSCache
2022-10-11 12:22 - 2022-10-11 12:22 - 001451302 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2022-10-11 12:22 - 2022-10-11 12:22 - 000003592 _____ C:\WINDOWS\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1589133460-2440353720-3213826699-1001
2022-10-11 12:22 - 2022-10-11 12:22 - 000003364 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1589133460-2440353720-3213826699-1001
2022-10-11 12:22 - 2022-10-11 12:22 - 000000000 ____D C:\ProgramData\Microsoft OneDrive
2022-10-11 12:21 - 2022-10-11 12:21 - 000000000 ____D C:\Users\bird4\AppData\Local\DBG
2022-10-11 12:20 - 2022-10-11 14:20 - 000000000 ____D C:\Users\bird4\AppData\Local\Packages
2022-10-11 12:20 - 2022-10-11 13:08 - 000000000 ____D C:\ProgramData\Packages
2022-10-11 12:20 - 2022-10-11 12:20 - 000000020 ___SH C:\Users\bird4\ntuser.ini
2022-10-11 12:20 - 2022-10-11 12:20 - 000000000 ____D C:\WINDOWS\system32\Tasks\Avast Software
2022-10-11 12:20 - 2022-10-11 12:20 - 000000000 ____D C:\Users\bird4\AppData\Roaming\Adobe
2022-10-11 12:20 - 2022-10-11 12:20 - 000000000 ____D C:\Users\bird4\AppData\Local\VirtualStore
2022-10-11 12:20 - 2022-10-11 12:20 - 000000000 ____D C:\Users\bird4\AppData\Local\Publishers
2022-10-11 12:20 - 2022-10-11 12:20 - 000000000 ____D C:\Users\bird4\AppData\Local\NVIDIA
2022-10-11 12:20 - 2022-10-11 12:20 - 000000000 ____D C:\Users\bird4\AppData\Local\ConnectedDevicesPlatform
2022-10-11 12:14 - 2022-10-11 12:22 - 000002367 _____ C:\Users\bird4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2022-10-11 12:14 - 2022-10-11 12:20 - 000000000 ____D C:\Users\bird4
2022-10-11 12:12 - 2022-10-11 14:21 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2022-10-11 12:12 - 2022-10-11 14:20 - 000000000 ____D C:\ProgramData\NVIDIA Corporation
2022-10-11 12:12 - 2022-10-11 12:20 - 000000000 ____D C:\ProgramData\NVIDIA
2022-10-11 12:12 - 2022-10-11 12:17 - 000002276 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2022-10-11 12:12 - 2022-10-11 12:15 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2022-10-11 12:12 - 2022-10-11 12:12 - 000003536 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2022-10-11 12:12 - 2022-10-11 12:12 - 000003412 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2022-10-11 12:12 - 2022-10-11 12:12 - 000000000 ____D C:\WINDOWS\system32\lxss
2022-10-11 12:12 - 2022-10-11 12:12 - 000000000 ____D C:\WINDOWS\system32\Drivers\NVIDIA Corporation
2022-10-11 12:12 - 2022-10-11 12:12 - 000000000 ____D C:\ProgramData\Razer
2022-10-11 12:11 - 2022-10-11 12:12 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2022-10-11 12:11 - 2022-10-11 12:11 - 000316752 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2022-10-11 09:30 - 2022-10-11 15:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Reflector
2022-10-11 02:19 - 2022-10-11 12:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Greenshot
2022-10-11 00:37 - 2022-10-11 15:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2022-10-11 00:33 - 2022-10-11 00:47 - 000002166 _____ C:\XoristDecryptor.2.5.4.3_11.10.2022_00.33.24_log.txt
2022-10-11 00:30 - 2022-10-11 00:30 - 000001972 _____ C:\XoristDecryptor.2.5.4.3_11.10.2022_00.30.38_log.txt
2022-10-11 00:29 - 2022-10-11 00:30 - 000284786 _____ C:\TDSSKiller.3.1.0.28_11.10.2022_00.29.45_log.txt
2022-10-11 00:20 - 2022-10-11 00:23 - 000002042 _____ C:\CoinVaultDecryptor.1.0.0.6_11.10.2022_00.20.39_log.txt
2022-10-11 00:06 - 2022-10-11 12:22 - 000000000 ___RD C:\Users\bird4\OneDrive
2022-10-11 00:05 - 2022-10-11 00:07 - 000283168 _____ C:\TDSSKiller.3.1.0.28_11.10.2022_00.05.39_log.txt
2022-10-11 00:04 - 2022-10-11 00:05 - 000006440 _____ C:\TDSSKiller.3.1.0.28_11.10.2022_00.04.43_log.txt
2022-10-10 23:51 - 2022-10-10 23:51 - 000006440 _____ C:\TDSSKiller.3.1.0.28_10.10.2022_23.51.09_log.txt
2022-10-10 12:41 - 2022-10-11 15:10 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IIS
2022-10-09 08:24 - 2022-10-11 00:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GoXLR App
2022-10-09 08:23 - 2022-10-11 15:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TC-Helicon
2022-10-09 08:23 - 2019-06-28 02:22 - 000374768 _____ () C:\WINDOWS\system32\Drivers\goxlr_audio.sys
2022-10-09 08:23 - 2019-06-28 02:22 - 000053744 _____ () C:\WINDOWS\system32\Drivers\goxlr_audioks.sys
2022-10-08 08:22 - 2022-10-11 15:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GPSoftware
2022-10-07 00:02 - 2022-10-09 05:55 - 000000000 ____D C:\Users\bird4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GitHub, Inc
2022-09-29 02:41 - 2022-09-29 02:41 - 1277442307 ____H C:\Users\bird4\java_error_in_pycharm64.hprof
2022-09-26 21:23 - 2022-10-11 09:55 - 000000000 ___HD C:\OneDriveTemp
2022-09-20 15:29 - 2022-09-20 15:31 - 000000000 ___HD C:\Users\bird4\build
2022-09-20 15:29 - 2022-09-20 15:29 - 000000000 ___HD C:\Users\bird4\dist
2022-09-17 17:26 - 2016-04-26 21:32 - 000150272 _____ (ASMedia Technology Inc) C:\WINDOWS\system32\Drivers\asmthub3.sys
2022-09-16 14:25 - 2022-09-16 14:25 - 000000000 ___HD C:\Users\bird4\Jedi
2022-09-15 17:49 - 2022-09-15 17:49 - 000000025 ____H C:\Users\bird4\.condarc
2022-09-15 17:41 - 2022-09-15 17:41 - 000000000 ____D C:\Users\bird4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Python 3.10
2022-09-15 17:30 - 2022-10-10 08:54 - 000000000 ____D C:\Users\bird4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Anaconda3 (64-bit)
2022-09-11 12:00 - 2022-10-11 00:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-10-11 15:10 - 2022-02-25 05:49 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
2022-10-11 15:10 - 2022-01-08 22:27 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2022-10-11 15:10 - 2021-12-07 16:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2022-10-11 15:10 - 2021-11-16 15:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Endgame Gear
2022-10-11 15:10 - 2021-11-16 15:04 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickCPU64
2022-10-11 15:10 - 2021-11-16 12:39 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
2022-10-11 15:10 - 2019-12-07 04:14 - 000028672 _____ C:\WINDOWS\system32\config\BCD-Template
2022-10-11 15:10 - 2019-12-07 04:14 - 000000000 __RHD C:\Users\Public\Libraries
2022-10-11 15:10 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\WinBioDatabase
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ___SD C:\WINDOWS\SysWOW64\F12
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ___SD C:\WINDOWS\SysWOW64\DiagSvcs
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\WinMetadata
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\setup
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\PerceptionSimulation
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\oobe
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\migwiz
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\lv-LV
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\lt-LT
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\Keywords
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\et-EE
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\es-MX
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\Dism
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\Com
2022-10-11 15:09 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\AdvancedInstallers
2022-10-11 15:08 - 2019-12-07 04:52 - 000023552 _____ (Microsoft Corporation) C:\WINDOWS\system32\OEMDefaultAssociations.dll
2022-10-11 15:08 - 2019-12-07 04:52 - 000020908 _____ C:\WINDOWS\system32\OEMDefaultAssociations.xml
2022-10-11 15:08 - 2019-12-07 04:52 - 000000000 ____D C:\Program Files\Windows Photo Viewer
2022-10-11 15:08 - 2019-12-07 04:52 - 000000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2022-10-11 15:08 - 2019-12-07 04:50 - 000000000 ____D C:\WINDOWS\system32\OpenSSH
2022-10-11 15:08 - 2019-12-07 04:15 - 000208384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msclmd.dll
2022-10-11 15:08 - 2019-12-07 04:14 - 000232448 _____ (Microsoft Corporation) C:\WINDOWS\system32\msclmd.dll
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ___SD C:\WINDOWS\system32\UNP
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ___SD C:\WINDOWS\system32\F12
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ___SD C:\WINDOWS\system32\DiagSvcs
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SystemResources
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\WinMetadata
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\Sysprep
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\ShellExperiences
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\setup
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\PerceptionSimulation
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\migwiz
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\lv-LV
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\lt-LT
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\Keywords
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\et-EE
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\es-MX
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\Dism
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\DDFs
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\Com
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\appraiser
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\AdvancedInstallers
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\ShellExperiences
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\ShellComponents
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\Provisioning
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\IME
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\DiagTrack
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\bcastdvr
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\Program Files\Common Files\System
2022-10-11 15:08 - 2019-12-07 04:14 - 000000000 ____D C:\Program Files (x86)\Windows Defender
2022-10-11 15:08 - 2019-12-07 04:03 - 000000000 ____D C:\WINDOWS\servicing
2022-10-11 14:59 - 2019-12-07 04:51 - 000000000 ____D C:\WINDOWS\OCR
2022-10-11 14:57 - 2019-12-07 04:49 - 000000000 ____D C:\WINDOWS\SysWOW64\winrm
2022-10-11 14:57 - 2019-12-07 04:49 - 000000000 ____D C:\WINDOWS\SysWOW64\WCN
2022-10-11 14:57 - 2019-12-07 04:49 - 000000000 ____D C:\WINDOWS\SysWOW64\slmgr
2022-10-11 14:57 - 2019-12-07 04:49 - 000000000 ____D C:\WINDOWS\SysWOW64\Printing_Admin_Scripts
2022-10-11 14:57 - 2019-12-07 04:49 - 000000000 ____D C:\WINDOWS\system32\winrm
2022-10-11 14:57 - 2019-12-07 04:49 - 000000000 ____D C:\WINDOWS\system32\WCN
2022-10-11 14:57 - 2019-12-07 04:49 - 000000000 ____D C:\WINDOWS\system32\slmgr
2022-10-11 14:57 - 2019-12-07 04:49 - 000000000 ____D C:\WINDOWS\system32\Printing_Admin_Scripts
2022-10-11 14:57 - 2019-12-07 04:14 - 000000000 ___SD C:\WINDOWS\system32\dsc
2022-10-11 14:57 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\MUI
2022-10-11 14:57 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\MUI
2022-10-11 14:30 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\AppReadiness
2022-10-11 14:21 - 2019-12-07 04:14 - 000000000 ____D C:\Program Files\Windows Defender
2022-10-11 14:20 - 2019-12-07 04:14 - 000000000 ___HD C:\Program Files\WindowsApps
2022-10-11 14:20 - 2019-12-07 04:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2022-10-11 12:36 - 2019-12-07 04:14 - 000000000 ___RD C:\WINDOWS\PrintDialog
2022-10-11 12:36 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\ServiceState
2022-10-11 12:22 - 2019-12-07 04:13 - 000000000 ____D C:\WINDOWS\INF
2022-10-11 12:20 - 2021-11-16 08:56 - 000000000 __RHD C:\Users\Public\AccountPictures
2022-10-11 12:20 - 2021-11-16 08:56 - 000000000 ___RD C:\Users\bird4\3D Objects
2022-10-11 12:20 - 2019-12-07 04:50 - 000000000 ____D C:\WINDOWS\system32\FxsTmp
2022-10-11 12:20 - 2019-12-07 04:14 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2022-10-11 12:20 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\spool
2022-10-11 12:20 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\oobe
2022-10-11 12:20 - 2019-12-07 04:14 - 000000000 ____D C:\ProgramData\USOPrivate
2022-10-11 12:20 - 2019-12-07 04:03 - 000000000 ____D C:\WINDOWS\CbsTemp
2022-10-11 12:17 - 2021-11-16 14:06 - 000000000 ____D C:\Users\bird4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MSI Afterburner
2022-10-11 12:14 - 2021-11-16 10:49 - 000008192 ___SH C:\DumpStack.log.tmp
2022-10-11 12:14 - 2019-12-07 04:03 - 000262144 _____ C:\WINDOWS\system32\config\BBI
2022-10-11 12:12 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\appcompat
2022-10-11 12:12 - 2019-12-07 04:03 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2022-10-11 00:42 - 2022-08-23 15:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2022-10-11 00:42 - 2022-03-07 03:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RazerCentral
2022-10-11 00:42 - 2022-02-13 20:33 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OBS Studio
2022-10-11 00:12 - 2022-09-07 01:14 - 000000000 ___RD C:\Users\bird4\My Drive
2022-10-10 09:00 - 2021-11-25 08:01 - 000000000 ____D C:\Users\bird4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord Inc
2022-10-09 21:48 - 2022-02-12 11:04 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Razer

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-10-2022
Ran by bird4 (11-10-2022 14:46:45)
Running from C:\Users\bird4\Desktop
Microsoft Windows 10 Home Version 21H2 19044.2075 (X64) (2022-10-11 17:20:11)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-1589133460-2440353720-3213826699-500 - Administrator - Disabled)
bird4 (S-1-5-21-1589133460-2440353720-3213826699-1001 - Administrator - Enabled) => C:\Users\bird4
DefaultAccount (S-1-5-21-1589133460-2440353720-3213826699-503 - Limited - Disabled)
Guest (S-1-5-21-1589133460-2440353720-3213826699-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-1589133460-2440353720-3213826699-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Audacity 3.2.1 (HKLM\...\Audacity_is1) (Version: 3.2.1 - Audacity Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 106.0.5249.103 - Google LLC)
Greenshot 1.2.10.6 (HKLM\...\Greenshot_is1) (Version: 1.2.10.6 - Greenshot)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 106.0.1370.42 - Microsoft Corporation)
Microsoft Edge WebView2 Runtime (HKLM-x32\...\Microsoft EdgeWebView) (Version: 106.0.1370.37 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1589133460-2440353720-3213826699-1001\...\OneDriveSetup.exe) (Version: 21.220.1024.0005 - Microsoft Corporation)

Packages:
=========
Disney+ -> C:\Program Files\WindowsApps\Disney.37853FC22B2CE_1.39.3.0_x64__6rarf9sa4v8jt [2022-10-11] (Disney)
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.14.9130.0_x64__8wekyb3d8bbwe [2022-10-11] (Microsoft Studios) [MS Ad]
NVIDIA Control Panel -> C:\Program Files\WindowsApps\nvidiacorp.nvidiacontrolpanel_8.1.962.0_x64__56jybvy8sckqj [2022-10-11] (NVIDIA Corp.)
Spotify Music -> C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.195.893.0_x86__zpdnekdrzrea0 [2022-10-11] (Spotify AB) [Startup Task]

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispig.inf_amd64_47917a79b8c7fd22\nvshext.dll [2022-07-27] (Nvidia Corporation -> NVIDIA Corporation)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

==================== Alternate Data Streams (Whitelisted) ========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\bird4\Downloads:OpusMetaInformation [74]
AlternateDataStreams: C:\Users\bird4\My Drive:OpusMetaInformation [74]

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========


==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 04:14 - 2019-12-07 04:12 - 000000824 _____ C:\WINDOWS\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1589133460-2440353720-3213826699-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\bird4\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\wallpaperflare.com_wallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{5B0B55A1-875D-443D-B62A-556584BDC899}] => (Allow) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\106.0.1370.37\msedgewebview2.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{FC1C150F-D0C2-4B46-AD7C-9EF8F6794051}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.195.893.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{34699BD6-0C39-4D13-AF90-31AE119E4E98}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.195.893.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{E3EDF3D1-AF22-4C21-B06D-72FB9FB23DAC}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.195.893.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{BC28F555-97C5-487F-A8C5-921AC64FDBA2}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.195.893.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{9423D94D-C429-48A9-88C1-9D8A87B3DF0E}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.195.893.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{0A5A683A-0BF5-45B3-9B2F-C40BC3F08424}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.195.893.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{22636EE4-277F-49DF-97B1-D94018C1ABCC}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.195.893.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{EFEF33D2-AE6D-4A8B-8851-F588F5FA0ED3}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.195.893.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{D9E58032-9CF8-4AE0-88AF-BE23ADE744A9}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:465.21 GB) (Free:380.26 GB) (82%)

==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (10/11/2022 12:17:21 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Windows Defender status to SECURITY_PRODUCT_STATE_ON.

Error: (10/11/2022 12:12:06 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 257) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1409.


System errors:
=============
Error: (10/11/2022 12:17:29 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} did not register with DCOM within the required timeout.

Error: (10/11/2022 12:14:04 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The Printer Extensions and Notifications service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (10/11/2022 12:14:03 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error:
The device is not ready.

Error: (10/11/2022 12:14:03 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {A47979D2-C419-11D9-A5B4-001185AD2B89} did not register with DCOM within the required timeout.

Error: (10/11/2022 12:12:03 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The netprofm service terminated with the following error:
The device is not ready.


==================== Memory info ===========================

BIOS: American Megatrends Inc. 5603 07/28/2020
Motherboard: ASUSTeK COMPUTER INC. ROG STRIX X370-F GAMING
Processor: AMD Ryzen 7 1700X Eight-Core Processor
Percentage of memory in use: 19%
Total physical RAM: 32701.88 MB
Available physical RAM: 26479.95 MB
Total Virtual: 37821.88 MB
Available Virtual: 29986.58 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.21 GB) (Free:380.26 GB) (Model: Samsung SSD 850 EVO 500GB) NTFS
Drive d: (WDC1TB) (Fixed) (Total:931.51 GB) (Free:56.9 GB) (Model: WDC WD10EZEX-60WN4A0) NTFS
Drive e: (Seagate2TB) (Fixed) (Total:1863.01 GB) (Free:989.55 GB) (Model: ST2000DM008-2FR102) NTFS

\\?\Volume{c6553dcf-0000-0000-0000-100000000000}\ (System Reserved) (Fixed) (Total:0.05 GB) (Free:0.02 GB) NTFS
\\?\Volume{c6553dcf-0000-0000-0000-d05074000000}\ () (Fixed) (Total:0.5 GB) (Free:0.08 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 1863 GB) (Disk ID: B0782641)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

==========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: 12360A27)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==========================================================
Disk: 2 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: C6553DCF)
Partition 1: (Active) - (Size=50 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=509 MB) - (Type=27)

==================== End of Addition.txt =======================

For the volunteer who picks this up, thank you so much for helping me out. Let me know if you ever need anything.
Norhand
Active Member
 
Posts: 1
Joined: October 11th, 2022, 6:18 pm
Location: Ponchatoula, LA
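The FRST listing lines quoted above (the "One month (created)" and "One month (modified)" blocks) have a fixed layout: two timestamps, a size, a five-character attribute field, an optional company string in parentheses, and the path. As an added example for this thread, not FRST's own code and not part of the original post, the following Python parses those lines into records and runs a few first-pass triage rules of the kind a helper applies by eye: unattributed binaries in system paths, executables carrying hidden or system attributes, and executables sitting in user-writable drop locations. The attribute-letter meanings (R, S, H, D), which timestamp comes first in each block, and the rules themselves are this example's assumptions; the sample input is copied from the log above except for one constructed `example.dll` line, which is not in the log and exists only to exercise the rules.

```python
"""First-pass triage of FRST "One month (created/modified)" listing lines.

Added example for this thread, not FRST's own code and not part of the
original post. The line layout is inferred from the lines quoted in the log
above; the attribute-letter meanings (R read-only, S system, H hidden,
D directory) and the triage heuristics are this example's assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# "<ts1> - <ts2> - <size> <attrs> [(Company)] <path>"; the size is usually
# zero-padded to 9 digits, but the 1.2 GB .hprof dump in the log overflows that.
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*?)\s*$"
)
ATTR_NAMES = {"R": "readonly", "S": "system", "H": "hidden", "D": "directory"}  # assumed


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: frozenset
    company: Optional[str]  # the "(Company)" field; a version-resource claim, not a signature check
    path: str

    @property
    def is_dir(self) -> bool:
        return "directory" in self.attrs


def parse_line(line: str, section: str) -> Optional[Entry]:
    """section is "created" or "modified" and decides which timestamp is which:
    the created block prints creation time first, the modified block prints
    modification time first (assumed; consistent with the asmthub3.sys line in
    the log, created 2022-09-17 yet last modified 2016-04-26)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # section headers, blank lines, FRST notes
    t1 = datetime.strptime(m["ts1"], "%Y-%m-%d %H:%M")
    t2 = datetime.strptime(m["ts2"], "%Y-%m-%d %H:%M")
    created, modified = (t1, t2) if section == "created" else (t2, t1)
    attrs = frozenset(ATTR_NAMES.get(c, c) for c in m["attrs"] if c != "_")
    return Entry(created, modified, int(m["size"]), attrs, m["company"], m["path"])


def parse_section(text: str, section: str) -> List[Entry]:
    return [e for e in (parse_line(l, section) for l in text.splitlines()) if e]


EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DROP_ZONES = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "c:\\users\\public\\")


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for executable-type files worth a human look.
    The three rules are assumptions, not FRST logic, and a hit is a prompt to
    look, not a verdict."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.is_dir or not low.endswith(EXEC_EXT):
            continue
        reasons = []
        if low.startswith(SYSTEM_PREFIXES) and not e.company:
            reasons.append("unattributed binary in a system path")
        if {"hidden", "system"} & e.attrs:
            reasons.append("executable carrying hidden/system attributes")
        if any(z in low for z in DROP_ZONES):
            reasons.append("executable in a user-writable drop location")
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Sample input: lines copied from the log above, plus one constructed line
# (example.dll) that is NOT in the log and only exists to exercise the rules.
SAMPLE_CREATED = r"""
2022-09-17 17:26 - 2016-04-26 21:32 - 000150272 _____ (ASMedia Technology Inc) C:\WINDOWS\system32\Drivers\asmthub3.sys
2022-09-29 02:41 - 2022-09-29 02:41 - 1277442307 ____H C:\Users\bird4\java_error_in_pycharm64.hprof
2022-10-10 23:58 - 2022-10-10 23:58 - 000012288 ___SH C:\Users\someone\AppData\Local\Temp\example.dll
"""
SAMPLE_MODIFIED = r"""
2022-10-11 15:08 - 2019-12-07 04:52 - 000023552 _____ (Microsoft Corporation) C:\WINDOWS\system32\OEMDefaultAssociations.dll
2022-10-11 15:10 - 2019-12-07 04:14 - 000000000 __RHD C:\Users\Public\Libraries
2022-10-11 12:14 - 2021-11-16 10:49 - 000008192 ___SH C:\DumpStack.log.tmp
"""


def triage_sample() -> List[Tuple[str, List[str]]]:
    entries = parse_section(SAMPLE_CREATED, "created") + parse_section(SAMPLE_MODIFIED, "modified")
    return triage(entries)


if __name__ == "__main__":
    for path, reasons in triage_sample():
        print(path, "->", "; ".join(reasons))
```

Only the constructed `example.dll` line trips anything; every line actually taken from the log passes, which is the mechanical version of reading these blocks and finding nothing out of place. The parenthesised company name is whatever the file's version resource claims, so it is a hint for a human, not a signature check; the SigCheck block of FRST.txt is where verification is reported.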

Re: I could use some help. I think I'm dealing with a rootkit.

Unread postby Gary R » October 13th, 2022, 1:23 am

No signs of infection in the logs you've supplied. Disk formatting suggests that this is an old machine that has been upgraded to W10. Modern machines do not tend to be MBR formatted.

Your symptoms are not those typical of an infected machine, but are more symptomatic of either a corrupted OS, or faulting hardware.

So what I recommend you do first is to perform a repair install of W10 using Media Creation Tool (see attached instructions written by BriTechGuy). If that is unsuccessful, then you're going to have to perform a clean install of W10.

If neither of those is effective, then I'm afraid your hardware is the problem, and that is beyond the scope of this forum.
Gary R
Administrator
 
Posts: 25696
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire