Hi, I got a big virus in system files... need help going over computers


#1
steveairway
    Member
  • 54 posts

Somebody please guide me.

I got 3 computers and think they all got a system file root virus and I can't get rid of it.

Thanks.

Also, this webpage says "not secure" up above... def hacked big time, right?

Edited by steveairway, 18 March 2020 - 06:18 PM.

#2
RKinner
    Malware Expert
  • 23,363 posts
  • MVP


We haven't been hacked. It's just that the forum software is so old that it can't do HTTPS.

We need to see your FRST logs in order to help you. Just one computer for now:

  • Get FRST from http://www.bleepingc...very-scan-tool/ You need to download the appropriate tool for your PC. If you don't know whether you have a 32- or 64-bit system, get them both. Only one will work, and that's the right one.
  • Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • Check the Addition.txt box.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • It will generate another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


#3
steveairway
    Member
  • Topic Starter
  • 54 posts

 
 
In opposite order, but OK, thank you.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 08-03-2020
Ran by Nathan (18-03-2020 23:20:27)
Running from C:\Users\Nathan\Downloads
Windows 7 Ultimate N Service Pack 1 (X64) (2018-10-25 16:04:51)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1270021460-4183227028-2917954802-500 - Administrator - Disabled)
Guest (S-1-5-21-1270021460-4183227028-2917954802-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1270021460-4183227028-2917954802-1002 - Limited - Enabled)
Nathan (S-1-5-21-1270021460-4183227028-2917954802-1000 - Administrator - Enabled) => C:\Users\Nathan
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 9.2 - Atheros)
Brave (HKLM-x32\...\BraveSoftware Brave-Browser) (Version: 80.1.5.112 - Brave Software Inc)
CCleaner (HKLM\...\CCleaner) (Version: 5.52 - Piriform)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Defraggler (HKLM\...\Defraggler) (Version: 2.22 - Piriform)
Discord (HKU\S-1-5-21-1270021460-4183227028-2917954802-1000\...\Discord) (Version: 0.0.306 - Discord Inc.)
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.99.0 - Google Inc.) Hidden
Greenshot 1.2.10.6 (HKLM\...\Greenshot_is1) (Version: 1.2.10.6 - Greenshot)
HP Support Assistant (HKLM-x32\...\{F322B446-B157-4257-B44F-4F22D41F8EDB}) (Version: 8.8.24.33 - HP Inc.)
HP Support Solutions Framework (HKLM-x32\...\{20907839-6188-46EF-8AE7-141C86EDE13F}) (Version: 12.14.49.15 - HP Inc.)
Ignition Casino Poker (HKLM-x32\...\{B63C2764-2878-40D2-A50E-B3BE6D5F122F}_is1) (Version: 4.0 - )
Microsoft .NET Framework 4.8 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.8.03761 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
NordVPN network TAP (HKLM-x32\...\{97DEC5D6-2BE9-45BB-BFC5-274B851B486B}) (Version: 1.0.1 - NordVPN)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.46.610.2011 - Realtek)
Revo Uninstaller 2.1.1 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.1.1 - VS Revo Group, Ltd.)
TeamViewer (HKLM-x32\...\TeamViewer) (Version: 15.3.8497 - TeamViewer)
Windows 7 USB/DVD Download Tool (HKLM-x32\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)
XSplit Gamecaster (HKLM-x32\...\{7F0DC866-BE32-4AE8-8242-A1F5753176B8}) (Version: 3.4.1812.0304 - SplitmediaLabs)
 
==================== Custom CLSID (Whitelisted): ==============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
 
==================== Codecs (Whitelisted) ====================
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"::
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]
 
==================== Loaded Modules (Whitelisted) =============
 
2018-10-21 17:47 - 2011-08-09 18:46 - 000443040 _____ (Atheros Communications Inc. -> Atheros) [File not signed] C:\Windows\system32\athihvs.dll
 
==================== Alternate Data Streams (Whitelisted) ========
 
==================== Safe Mode (Whitelisted) ==================
 
==================== Association (Whitelisted) =================
 
==================== Internet Explorer trusted/restricted ==========
 
==================== Hosts content: =========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:34 - 2019-01-06 08:58 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts
 
==================== Other Areas ===========================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1270021460-4183227028-2917954802-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.254.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
==================== FirewallRules (Whitelisted) ================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{8D9928F9-C321-4824-AB48-FCB0551865A0}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe No File
FirewallRules: [{88EC0A08-4605-4907-97FD-3796912CAFC3}] => (Allow) C:\Program Files (x86)\SplitmediaLabs\XSplit Gamecaster\XSplit.Gamecaster.exe (SplitmediaLabs Limited -> SplitmediaLabs)
FirewallRules: [{DADCBC27-FC13-43AF-A692-8B90C8411931}] => (Allow) C:\Program Files (x86)\SplitmediaLabs\XSplit Gamecaster\XSplit.Gamecaster.exe (SplitmediaLabs Limited -> SplitmediaLabs)
FirewallRules: [{92B41091-B82B-4971-AB55-E73D00CF9A9A}] => (Allow) C:\Program Files (x86)\SplitmediaLabs\XSplit Gamecaster\XSplit.cam.exe (SplitmediaLabs Limited -> SplitmediaLabs Limited)
FirewallRules: [{21925DB8-B724-4F3B-A002-82E09BA0D476}] => (Allow) C:\Program Files (x86)\SplitmediaLabs\XSplit Gamecaster\XSplit.cam.exe (SplitmediaLabs Limited -> SplitmediaLabs Limited)
FirewallRules: [{DC47CD10-8468-43BF-9466-C6A4E04E2EDC}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
FirewallRules: [{6C292E25-9923-4B2D-B85A-A70957C6E699}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
FirewallRules: [{F90F108D-A7E4-4467-B420-60E72B530BE2}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{87344F7F-5DDF-4482-9CA0-A80FF621818D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{B3447847-D77A-4FCC-B361-520F08796E08}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{C6A88D84-F206-4CFD-9E33-02E530D86A42}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{96F8785E-DFD6-4EFF-8C0D-C57829220266}] => (Allow) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe (Brave Software, Inc. -> Brave Software, Inc.)
 
==================== Restore Points =========================
 
10-03-2020 23:47:28 Device Driver Package Install: TAP-NordVPN Windows Provider V9 Network adapters
11-03-2020 01:01:13 AdwCleaner_BeforeCleaning_11/03/2020_01:01:12
11-03-2020 01:10:41 AdwCleaner_BeforeCleaning_11/03/2020_01:10:31
11-03-2020 01:36:53 Windows Update
11-03-2020 01:57:58 JRT Pre-Junkware Removal
11-03-2020 02:29:19 Checkpoint by HitmanPro
11-03-2020 02:45:16 Windows Update
11-03-2020 03:10:49 Checkpoint by HitmanPro
11-03-2020 14:34:50 Windows Update
11-03-2020 22:41:47 Windows Update
13-03-2020 03:26:33 Removed XSplit Gamecaster
16-03-2020 23:56:10 Installed Windows 7 USB/DVD Download Tool
17-03-2020 02:14:11 Revo Uninstaller's restore point - Google Chrome
18-03-2020 04:57:16 Windows Update
18-03-2020 08:33:36 Removed Windows 7 USB/DVD Download Tool
18-03-2020 09:05:21 Removed HP Support Assistant.
18-03-2020 09:05:54 Removed HP Support Solutions Framework
18-03-2020 09:19:53 Restore Operation
18-03-2020 15:01:08 Removed XSplit Gamecaster
18-03-2020 17:48:07 Windows Update
18-03-2020 17:52:20 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24123
18-03-2020 19:09:42 Restore Operation
 
==================== Faulty Device Manager Devices ============
 
Name: PCI Device
Description: PCI Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: ========================
 
Application errors:
==================
Error: (03/18/2020 11:09:29 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.1.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 724
 
Start Time: 01d5fd9b9678cbd2
 
Termination Time: 20
 
Application Path: C:\Windows\Explorer.EXE
 
Report Id: 065f06f2-698f-11ea-a854-74de2b1b95ef
 
Error: (03/18/2020 11:09:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (03/18/2020 08:33:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (03/18/2020 07:40:38 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (03/18/2020 06:21:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (03/18/2020 06:16:24 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17840 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: a28
 
Start Time: 01d5fd6d99d94b6f
 
Termination Time: 0
 
Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
Report Id:
 
Error: (03/18/2020 05:42:44 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.
 
Error: (03/18/2020 05:42:44 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.
 
 
System errors:
=============
Error: (03/18/2020 11:07:44 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!
 
Error: (03/18/2020 11:07:41 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:08:24 PM on ‎3/‎18/‎2020 was unexpected.
 
Error: (03/18/2020 11:07:22 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!
 
Error: (03/18/2020 11:07:22 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!
 
Error: (03/18/2020 09:07:42 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.
 
Error: (03/18/2020 09:07:42 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.
 
Error: (03/18/2020 08:58:12 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.
 
Error: (03/18/2020 08:31:40 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!
 
 
Windows Defender:
===================================
Date: 2020-03-18 20:29:00.397
Description: 
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted:Current
Error Code:0x80070002
Error description:The system cannot find the file specified. 
Signature version:0.0.0.0
Engine version:0.0.0.0
 
Date: 2020-03-18 10:54:53.385
Description: 
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted:Current
Error Code:0x80070002
Error description:The system cannot find the file specified. 
Signature version:0.0.0.0
Engine version:0.0.0.0
 
Date: 2020-03-18 06:21:32.305
Description: 
Windows Defender has encountered an error trying to update the engine.
New Engine Version:1.1.16800.2
Previous Engine Version:1.1.6402.0
Update Source:User
Error Code:0x8050800c
Error description:An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support. 
 
CodeIntegrity:
===================================
 
Date: 2020-03-18 18:19:49.104
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\athrx.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2020-03-18 18:19:48.979
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\athrx.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2020-03-18 18:14:46.171
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\JitDriver.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2020-03-18 18:14:45.999
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\JitDriver.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2020-03-18 18:14:45.827
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\JitDriver.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2020-03-18 18:14:45.640
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\JitDriver.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2020-03-18 18:09:52.514
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\JitDriver.sys because the set of per-page image hashes could not be found on the system.
 
Date: 2020-03-18 18:09:52.265
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\JitDriver.sys because the set of per-page image hashes could not be found on the system.
 
==================== Memory info =========================== 
 
BIOS: Hewlett-Packard F.45 01/17/2012
Motherboard: Hewlett-Packard 3568
Processor: AMD A6-3420M APU with Radeon™ HD Graphics
Percentage of memory in use: 87%
Total physical RAM: 3561.41 MB
Available physical RAM: 446.31 MB
Total Virtual: 7120.95 MB
Available Virtual: 3271.02 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:441.79 GB) (Free:341.62 GB) NTFS
Drive d: (Recovery) (Fixed) (Total:19.91 GB) (Free:2.16 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:3.96 GB) FAT32
Drive f: (GSP1RMCNULXFRER_EN_DVD) (CDROM) (Total:2.77 GB) (Free:0 GB) UDF
 
\\?\Volume{bb21917a-d887-11e8-afaf-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS
 
==================== MBR & Partition Table ====================
 
==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: DC9CC033)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=441.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=19.9 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=4 GB) - (Type=0C)
 
==================== End of Addition.txt =======================
 
 
 
NEXT FILE NEXT FILE .. NEXT FILE 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 08-03-2020
Ran by Nathan (administrator) on NATHANWIN7 (Hewlett-Packard HP Pavilion g7 Notebook PC) (18-03-2020 23:17:35)
Running from C:\Users\Nathan\Downloads
Loaded Profiles: Nathan (Available Profiles: Nathan)
Platform: Windows 7 Ultimate N Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe" -- "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Avast Software s.r.o. -> AVAST Software) C:\Program Files\AVAST Software\Avast\setup\instup.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
(HP Inc. -> HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Microsoft Dynamic Code Publisher -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Dynamic Code Publisher -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Piriform Software Ltd -> Piriform Software Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
 
==================== Registry (Whitelisted) ===================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [527792 2017-08-09] (Open Source Developer, Robin Krom -> Greenshot)
HKU\S-1-5-21-1270021460-4183227028-2917954802-1000\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [19645800 2019-01-10] (Piriform Software Ltd -> Piriform Software Ltd)
HKU\S-1-5-21-1270021460-4183227028-2917954802-1000\...\Run: [Discord] => C:\Users\Nathan\AppData\Local\Discord\app-0.0.306\Discord.exe [90950968 2020-02-24] (Discord Inc. -> Discord Inc.)
HKU\S-1-5-21-1270021460-4183227028-2917954802-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\system32\StikyNot.exe [427520 2009-07-13] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}] -> C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\80.1.5.112\Installer\chrmstp.exe [2020-03-18] (Brave Software, Inc.) [File not signed]
BootExecute: dfboottime \??\C:\Windows\System32\dfboottime.cfgautocheck autochk * 
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
 
==================== Scheduled Tasks (Whitelisted) ============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0719FF8D-0A89-4578-8658-61AE239C4AB8} - System32\Tasks\BraveSoftwareUpdateTaskMachineUA => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [157320 2020-03-16] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {0E7373C6-4F35-4549-9E6A-927C29626523} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [1506680 2019-06-14] (HP Inc. -> HP Inc.)
Task: {36BB0B6E-1697-452B-9A3D-1F7403E29D7B} - System32\Tasks\Defraggler Volume C Task => C:\Program Files\Defraggler\df64.exe [1624120 2018-05-02] (Piriform Ltd -> Piriform Ltd)
Task: {3E0F3850-DFF6-44E5-A867-6D9170091CD8} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [14679256 2019-01-10] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {48125E50-69C3-45BD-843B-49B59A42135E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [1506680 2019-06-14] (HP Inc. -> HP Inc.)
Task: {59B1E654-44AB-4647-B60C-3557AA506B57} - System32\Tasks\BraveSoftwareUpdateTaskMachineCore => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [157320 2020-03-16] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {6985298E-7D8C-44EF-8A45-DC23C29302CE} - System32\Tasks\HPCeeScheduleForNathan => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [99208 2016-06-24] (Hewlett-Packard Company -> HP Inc.)
Task: {6E29A70D-8034-4C0D-90D3-91C1434EF52E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [655736 2019-07-31] (HP Inc. -> HP Inc.)
Task: {6FDF364C-0157-4C38-8514-81DE24236994} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [1116024 2020-02-26] (HP Inc. -> HP Inc.)
Task: {7B3322F9-5CFC-45BB-9E4D-3AB6A87B54FE} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [1116024 2020-02-26] (HP Inc. -> HP Inc.)
Task: {966AE572-BDDA-42A1-86C9-873AA86C33D8} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Opt-in For HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF_Utils.exe [62840 2019-11-28] (HP Inc. -> HP Inc.)
Task: {AD91CC59-D672-4FEF-A0A6-887274D4E345} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Product Configurator => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\ProductConfig.exe [308088 2020-02-12] (HP Inc. -> HP Inc.)
Task: {B463FBA4-68FD-4542-9940-92B3577FEFE6} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [198696 2018-05-04] (HP Inc. -> HP Inc.)
Task: {C17982E4-54A5-40CE-A61A-D0363C25B18D} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [619416 2019-09-26] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {F7606D2D-496F-4763-B889-7923CE745878} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [136056 2019-01-02] (HP Inc. -> HP Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Defraggler Volume C Task.job => C:\Program Files\Defraggler\df64.exe
Task: C:\Windows\Tasks\HPCeeScheduleForNathan.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
Tcpip\..\Interfaces\{733F7B85-7134-4C5A-A282-4AD8D3640DC2}: [DhcpNameServer] 192.168.254.254
Tcpip\..\Interfaces\{C6AE969C-B2FB-4128-AF00-1686FBD85C2C}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2017-10-27] (HP Inc. -> HP Inc.)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2017-10-27] (HP Inc. -> HP Inc.)
 
FireFox:
========
FF DefaultProfile: 4yhwfcfo.default-1569477086153
FF ProfilePath: C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\4yhwfcfo.default-1569477086153 [2020-03-18]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.brave.com/BraveSoftware Update;version=3 -> C:\Program Files (x86)\BraveSoftware\Update\1.3.99.0\npBraveUpdate3.dll [2020-03-16] (Brave Software, Inc. -> BraveSoftware Inc.)
FF Plugin-x32: @tools.brave.com/BraveSoftware Update;version=9 -> C:\Program Files (x86)\BraveSoftware\Update\1.3.99.0\npBraveUpdate3.dll [2020-03-16] (Brave Software, Inc. -> BraveSoftware Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Nathan\AppData\Local\Google\Chrome\User Data\Default [2020-03-18]
 
==================== Services (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 brave; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [157320 2020-03-16] (Brave Software, Inc. -> BraveSoftware Inc.)
S3 bravem; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [157320 2020-03-16] (Brave Software, Inc. -> BraveSoftware Inc.)
S3 hpqcaslwmiex; C:\Program Files (x86)\HP\Shared\hpqwmiex.exe [1031704 2016-06-03] (Hewlett-Packard Company -> HP)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [361848 2019-12-06] (HP Inc. -> HP Inc.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [13206544 2020-03-09] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Windows -> Microsoft Corporation)
 
===================== Drivers (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\System32\DRIVERS\athrx.sys [2768384 2011-08-03] (Atheros Communications, Inc.) [File not signed]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One month (created) ===================
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2020-03-18 23:14 - 2020-03-18 23:14 - 002279936 _____ (Farbar) C:\Users\Nathan\Downloads\FRST64.exe
2020-03-18 21:04 - 2020-03-18 20:49 - 000368056 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2020-03-18 20:57 - 2020-03-18 21:05 - 000001963 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2020-03-18 20:57 - 2020-03-18 21:05 - 000001963 _____ C:\ProgramData\Desktop\Avast Free Antivirus.lnk
2020-03-18 20:57 - 2020-03-18 20:57 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\AVAST Software
2020-03-18 20:57 - 2020-03-18 20:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2020-03-18 20:50 - 2020-03-18 20:50 - 000458584 _____ (AVAST Software) C:\Windows\system32\Drivers\asw1bac43505ba7fd85.tmp
2020-03-18 20:50 - 2020-03-18 20:50 - 000000000 ____D C:\Program Files\Common Files\AVAST Software
2020-03-18 20:50 - 2020-03-18 20:49 - 000848672 _____ (AVAST Software) C:\Windows\system32\Drivers\asw90fca36ac84b4c92.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000316256 _____ (AVAST Software) C:\Windows\system32\Drivers\asw837b09b43a0fc9d2.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000279360 _____ (AVAST Software) C:\Windows\system32\Drivers\asw8a8392e12cd5d2bf.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000271120 _____ (AVAST Software) C:\Windows\system32\Drivers\asw81e789a3a91d1461.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000235184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswc7f3aa94bddb26ea.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000206608 _____ (AVAST Software) C:\Windows\system32\Drivers\asw3e84a11f540b00b7.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000205576 _____ (AVAST Software) C:\Windows\system32\Drivers\asw42ad984a01e969f9.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000175400 _____ (AVAST Software) C:\Windows\system32\Drivers\aswc8e84b0b1d92a552.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000110560 _____ (AVAST Software) C:\Windows\system32\Drivers\aswe41b76c404c38f04.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000084056 _____ (AVAST Software) C:\Windows\system32\Drivers\aswe2d0e0d32a927203.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000064272 _____ (AVAST Software) C:\Windows\system32\Drivers\asw6b4639d26b25bfa2.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000042976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswb2abe895d3d88bc1.tmp
2020-03-18 20:50 - 2020-03-18 20:49 - 000037864 _____ (AVAST Software) C:\Windows\system32\Drivers\asw18127936e9306c78.tmp
2020-03-18 20:47 - 2020-03-18 20:47 - 000002171 _____ C:\Users\Nathan\Desktop\Discord.lnk
2020-03-18 20:46 - 2020-03-18 20:47 - 000000000 ____D C:\Users\Nathan\AppData\Local\Discord
2020-03-18 20:45 - 2020-03-18 20:45 - 000000000 ____D C:\Program Files\AVAST Software
2020-03-18 20:42 - 2020-03-18 20:45 - 062620472 _____ (Discord Inc.) C:\Users\Nathan\Downloads\DiscordSetup.exe
2020-03-18 20:29 - 2020-03-18 20:29 - 000233080 _____ (AVAST Software) C:\Users\Nathan\Downloads\avast_premium_security_setup_online.exe
2020-03-18 19:53 - 2020-03-18 19:57 - 000000000 _____ C:\Windows\system32\last.dump
2020-03-18 18:09 - 2020-03-18 18:09 - 000000000 ____D C:\ProgramData\Driver Support
2020-03-18 17:52 - 2020-03-18 17:52 - 000000000 ____D C:\ProgramData\Package Cache
2020-03-18 17:43 - 2020-03-18 19:34 - 000000000 ____D C:\Program Files (x86)\Driver Support One
2020-03-18 17:22 - 2020-03-18 17:22 - 000000000 ____D C:\$WINDOWS.~LS
2020-03-18 17:16 - 2020-03-18 17:16 - 000000000 ____D C:\$UPGRADE.~OS
2020-03-18 17:15 - 2020-03-18 17:15 - 000000000 ____D C:\$WINDOWS.~BT
2020-03-18 15:20 - 2020-03-18 17:22 - 000000002 _____ C:\$UpgDrv$
2020-03-18 15:17 - 2020-03-18 17:11 - 000002602 _____ C:\Users\Nathan\Desktop\Windows Compatibility Report.htm
2020-03-18 15:07 - 2020-03-18 15:07 - 000000000 ____H C:\Users\Guest\Documents\Default.rdp
2020-03-18 15:04 - 2020-03-18 15:04 - 000000000 ____D C:\Users\Guest\AppData\Roaming\Adobe
2020-03-18 15:04 - 2020-03-18 15:04 - 000000000 ____D C:\Users\Guest\AppData\Local\Google
2020-03-18 15:03 - 2020-03-18 19:37 - 000000000 ____D C:\Users\Guest
2020-03-18 15:03 - 2020-03-18 15:03 - 000000000 ____D C:\Users\Guest\AppData\Local\VirtualStore
2020-03-18 07:13 - 2020-03-18 07:13 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\Gyazo
2020-03-18 07:12 - 2020-03-18 09:42 - 000000000 ____D C:\Program Files (x86)\Gyazo
2020-03-18 05:53 - 2020-03-18 05:55 - 000043259 _____ C:\Users\Nathan\Downloads\MTB.txt
2020-03-17 02:28 - 2020-03-17 02:29 - 076223216 _____ (Lenovo Group Limited ) C:\Users\Nathan\Downloads\8awt16ww.exe
2020-03-17 02:28 - 2020-03-17 02:28 - 000000000 ____D C:\Users\Nathan\AppData\Local\Microsoft Games
2020-03-17 02:11 - 2020-03-17 02:11 - 000000000 ____D C:\Users\Nathan\AppData\Local\HP
2020-03-17 02:09 - 2020-03-17 02:09 - 013274912 _____ (Lenovo Group Limited ) C:\Users\Nathan\Downloads\83wo14ww.exe
2020-03-17 00:06 - 2020-03-17 00:06 - 007432520 _____ (VS Revo Group ) C:\Users\Nathan\Downloads\revosetup (1).exe
2020-03-16 23:59 - 2020-03-18 14:54 - 000000004 _____ C:\Users\Nathan\Documents\CCleanerFoundItems.txt
2020-03-16 23:57 - 2020-03-18 19:34 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 USB DVD Download Tool
2020-03-16 23:57 - 2020-03-18 19:34 - 000000000 ____D C:\Users\Nathan\AppData\Local\Apps\Windows 7 USB DVD Download Tool
2020-03-16 23:57 - 2020-03-16 23:57 - 000002529 _____ C:\Users\Nathan\Desktop\Windows 7 USB DVD Download Tool.lnk
2020-03-16 23:55 - 2020-03-18 20:00 - 000001908 _____ C:\Windows\diagwrn.xml
2020-03-16 23:55 - 2020-03-18 20:00 - 000001908 _____ C:\Windows\diagerr.xml
2020-03-16 23:54 - 2020-03-18 19:34 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\Greenshot
2020-03-16 23:54 - 2020-03-16 23:54 - 002721168 _____ (Microsoft Corporation) C:\Users\Nathan\Downloads\Windows7-USB-DVD-Download-Tool-Installer-en-US.exe
2020-03-16 23:54 - 2020-03-16 23:54 - 000000000 ____D C:\Users\Nathan\AppData\Local\Greenshot
2020-03-16 23:31 - 2020-03-18 19:50 - 000000000 ____D C:\Program Files\Greenshot
2020-03-16 23:31 - 2020-03-18 19:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Greenshot
2020-03-16 23:30 - 2020-03-16 23:30 - 001783200 _____ (Greenshot ) C:\Users\Nathan\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE (1).exe
2020-03-16 23:26 - 2020-03-16 23:30 - 001783200 _____ (Greenshot ) C:\Users\Nathan\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe
2020-03-16 22:53 - 2020-03-18 20:03 - 000002341 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brave.lnk
2020-03-16 22:53 - 2020-03-18 20:03 - 000002300 _____ C:\Users\Public\Desktop\Brave.lnk
2020-03-16 22:53 - 2020-03-18 20:03 - 000002300 _____ C:\ProgramData\Desktop\Brave.lnk
2020-03-16 22:53 - 2020-03-18 19:19 - 000000000 ____D C:\Users\Nathan\AppData\Local\BraveSoftware
2020-03-16 22:51 - 2020-03-18 19:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
2020-03-16 22:51 - 2020-03-18 19:34 - 000000000 ____D C:\Program Files\VS Revo Group
2020-03-16 22:51 - 2020-03-16 22:51 - 000000994 _____ C:\Users\Public\Desktop\Revo Uninstaller.lnk
2020-03-16 22:51 - 2020-03-16 22:51 - 000000994 _____ C:\ProgramData\Desktop\Revo Uninstaller.lnk
2020-03-16 22:47 - 2020-03-16 22:47 - 007432520 _____ (VS Revo Group ) C:\Users\Nathan\Downloads\revosetup.exe
2020-03-16 22:47 - 2020-03-16 22:47 - 000003336 _____ C:\Windows\system32\Tasks\BraveSoftwareUpdateTaskMachineUA
2020-03-16 22:47 - 2020-03-16 22:47 - 000003208 _____ C:\Windows\system32\Tasks\BraveSoftwareUpdateTaskMachineCore
2020-03-16 22:46 - 2020-03-18 19:12 - 000000000 ____D C:\Program Files (x86)\BraveSoftware
2020-03-16 22:44 - 2020-03-16 22:44 - 001298328 _____ (BraveSoftware Inc.) C:\Users\Nathan\Downloads\BraveBrowserSetup.exe
2020-03-16 22:33 - 2020-03-16 22:37 - 000000000 ____D C:\Users\Nathan\AppData\Local\TeamViewer
2020-03-16 22:27 - 2020-03-16 22:27 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\TeamViewer
2020-03-16 22:26 - 2020-03-16 22:26 - 000001047 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer.lnk
2020-03-16 22:26 - 2020-03-16 22:26 - 000001035 _____ C:\Users\Public\Desktop\TeamViewer.lnk
2020-03-16 22:26 - 2020-03-16 22:26 - 000001035 _____ C:\ProgramData\Desktop\TeamViewer.lnk
2020-03-16 22:24 - 2020-03-18 23:08 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2020-03-16 22:18 - 2020-03-16 22:19 - 026985448 _____ (TeamViewer Germany GmbH) C:\Users\Nathan\Downloads\TeamViewer_Setup.exe
2020-03-16 22:18 - 2020-03-16 22:18 - 000230080 _____ (AVAST Software) C:\Users\Nathan\Downloads\avast_free_antivirus_setup_online.exe
2020-03-15 23:53 - 2020-03-15 23:53 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\Poker Mavens 6
2020-03-15 23:16 - 2020-03-15 23:16 - 000000000 ____D C:\Users\Nathan\AppData\Local\cache
2020-03-15 18:00 - 2020-03-15 18:00 - 000000000 ____D C:\Users\Nathan\AppData\Local\mbam
2020-03-15 16:34 - 2020-03-15 16:34 - 000000000 ____D C:\Users\Nathan\AppData\Local\mbamtray
2020-03-15 04:01 - 2020-03-17 21:16 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\slobs-client
2020-03-15 03:37 - 2020-03-15 03:37 - 000000000 ____D C:\ProgramData\Sophos
2020-03-15 03:27 - 2020-03-15 03:27 - 000000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2020-03-15 03:25 - 2020-03-15 03:25 - 000000000 ____D C:\Program Files\Malwarebytes
2020-03-13 20:03 - 2020-03-18 23:10 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\discord
2020-03-13 20:03 - 2020-03-18 20:47 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord Inc
2020-03-13 20:02 - 2020-03-18 20:47 - 000000000 ____D C:\Users\Nathan\AppData\Local\SquirrelTemp
2020-03-13 03:01 - 2020-03-13 03:01 - 000233080 _____ (AVAST Software) C:\Users\Nathan\Downloads\Unconfirmed 346898.crdownload
2020-03-13 02:53 - 2020-03-13 02:53 - 000233080 _____ (AVAST Software) C:\Users\Nathan\Downloads\Unconfirmed 522862.crdownload
2020-03-12 20:24 - 2020-03-12 20:24 - 000000000 ____D C:\RegBackup
2020-03-12 18:28 - 2020-03-18 09:41 - 000000000 ____D C:\Windows\SysWOW64\tron
2020-03-12 18:28 - 2020-03-18 09:41 - 000000000 ____D C:\Windows\SysWOW64\integrity_verification
2020-03-12 18:24 - 2020-03-18 09:42 - 000000000 ____D C:\Users\Nathan\Downloads\tron
2020-03-12 18:24 - 2020-02-05 12:27 - 000000000 ____D C:\Users\Nathan\Downloads\integrity_verification
2020-03-12 17:48 - 2020-03-12 17:48 - 424800866 _____ (Igor Pavlov) C:\Users\Nathan\Downloads\Unconfirmed 396016.crdownload
2020-03-12 17:05 - 2020-03-12 17:23 - 626332736 _____ (Igor Pavlov) C:\Users\Nathan\Downloads\Unconfirmed 108130.crdownload
2020-03-12 04:49 - 2020-03-12 05:04 - 325188194 _____ (Igor Pavlov) C:\Users\Nathan\Downloads\Unconfirmed 707891.crdownload
2020-03-12 04:47 - 2020-03-12 04:47 - 000000000 ____D C:\Program Files (x86)\Tweaking.com
2020-03-12 04:27 - 2020-03-18 09:42 - 000000000 ____D C:\Users\Nathan\Downloads\ComputerRepairFree
2020-03-12 04:26 - 2020-03-12 04:26 - 000997714 _____ C:\Users\Nathan\Downloads\ComputerRepairFree.zip
2020-03-12 04:02 - 2020-03-16 02:26 - 000000000 ____D C:\Windows\system32\Tasks\Outbyte
2020-03-12 04:01 - 2020-03-16 02:26 - 000000000 ____D C:\ProgramData\Outbyte
2020-03-12 04:00 - 2020-03-16 02:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outbyte
2020-03-12 04:00 - 2020-03-16 02:26 - 000000000 ____D C:\Program Files (x86)\Outbyte
2020-03-12 03:35 - 2020-03-18 09:42 - 000000000 ____D C:\Users\Nathan\Desktop\Tor Browser
2020-03-12 03:22 - 2020-03-12 05:04 - 3973250207 _____ C:\Users\Nathan\Downloads\Qubes-R4.0.3-x86_64.iso.crdownload
2020-03-12 02:47 - 2020-03-12 03:29 - 1665965568 _____ C:\Users\Nathan\Downloads\Whonix-XFCE-15.0.0.8.9.ova
2020-03-12 01:26 - 2020-03-12 01:26 - 000370309 _____ C:\Users\Nathan\Downloads\wnetwatcher (1).zip
2020-03-12 01:23 - 2020-03-12 01:23 - 000370309 _____ C:\Users\Nathan\Downloads\wnetwatcher.zip
2020-03-11 22:57 - 2020-03-18 01:15 - 000000000 ____D C:\Users\Nathan\AppData\Local\ElevatedDiagnostics
2020-03-11 14:27 - 2020-03-11 14:27 - 000007614 _____ C:\Users\Nathan\AppData\Local\Resmon.ResmonCfg
2020-03-11 05:00 - 2020-03-13 03:28 - 000000000 ____D C:\Windows\system32\appmgmt
2020-03-11 02:48 - 2020-03-11 02:54 - 000000000 ____D C:\Windows\system32\MRT
2020-03-11 02:35 - 2020-03-13 03:13 - 000000000 ____D C:\Program Files (x86)\Zemana
2020-03-11 02:35 - 2020-03-11 02:35 - 000000000 ____D C:\Users\Nathan\AppData\Local\Zemana
2020-03-11 02:34 - 2020-03-13 03:13 - 000000000 ____D C:\Users\Nathan\AppData\Local\AMSDK
2020-03-11 02:13 - 2020-03-18 09:42 - 000000000 ____D C:\Program Files\HitmanPro
2020-03-11 02:12 - 2020-03-11 02:21 - 000000000 ____D C:\ProgramData\HitmanPro
2020-03-11 02:02 - 2020-03-11 02:02 - 000004575 _____ C:\Users\Nathan\Desktop\JRT.txt
2020-03-11 02:00 - 2020-03-11 02:00 - 005054744 _____ (AO Kaspersky Lab) C:\Users\Nathan\Downloads\c6e90dea-1893-4abe-8e1d-6b2049caadb6.tmp
2020-03-11 01:34 - 2020-03-11 01:34 - 000000000 ____H C:\Users\Nathan\Documents\Default.rdp
2020-03-11 00:58 - 2020-03-11 01:02 - 000008216 _____ C:\Users\Nathan\Downloads\Addition.txt
2020-03-11 00:56 - 2020-03-18 23:19 - 000012397 _____ C:\Users\Nathan\Downloads\FRST.txt
2020-03-11 00:56 - 2020-03-18 23:18 - 000000000 ____D C:\FRST
2020-03-11 00:56 - 2020-03-11 01:02 - 000000000 ____D C:\AdwCleaner
2020-03-11 00:11 - 2020-03-18 04:33 - 000000000 ____D C:\ProgramData\Malwarebytes
2020-03-11 00:10 - 2020-03-11 02:31 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2020-03-10 23:59 - 2020-03-15 01:13 - 000002128 _____ C:\Users\Nathan\Desktop\Rkill.txt
2020-03-10 23:51 - 2020-03-10 23:51 - 000000000 ____D C:\ProgramData\Caphyon
2020-03-10 23:50 - 2020-03-18 09:42 - 000000000 ____D C:\Program Files (x86)\NordVPN
2020-03-10 23:50 - 2020-03-10 23:51 - 000000000 ____D C:\Users\Nathan\AppData\Local\NordVPN
2020-03-10 23:50 - 2020-03-10 23:50 - 000000000 ____D C:\ProgramData\NordVPN
2020-03-10 23:47 - 2020-03-18 19:34 - 000000000 ____D C:\Program Files (x86)\NordVPN network TAP
2020-03-10 23:27 - 2020-03-18 19:20 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\NordVPN
2020-03-10 23:25 - 2020-03-10 23:26 - 014075160 _____ (NordVPN) C:\Users\Nathan\Downloads\NordVPNSetup.exe
2020-03-10 23:02 - 2020-03-10 23:43 - 000000336 _____ C:\Windows\Tasks\HPCeeScheduleForNathan.job
2020-03-10 23:02 - 2020-03-10 23:02 - 000003192 _____ C:\Windows\system32\Tasks\HPCeeScheduleForNathan
 
==================== One month (modified) ==================
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2020-03-18 23:18 - 2009-07-14 00:50 - 000025184 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2020-03-18 23:18 - 2009-07-14 00:50 - 000025184 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2020-03-18 23:07 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2020-03-18 20:45 - 2018-10-25 23:02 - 000000000 ____D C:\ProgramData\AVAST Software
2020-03-18 19:50 - 2018-10-25 23:02 - 000058688 _____ C:\Users\Nathan\AppData\Local\GDIPFONTCACHEV1.DAT
2020-03-18 19:48 - 2018-10-25 12:04 - 000000000 ____D C:\Users\Nathan
2020-03-18 19:37 - 2019-11-21 06:55 - 000000000 ____D C:\Program Files (x86)\Ignition Casino Poker
2020-03-18 19:35 - 2018-10-21 17:47 - 000000000 ____D C:\Windows\system32\nn-NO
2020-03-18 19:35 - 2009-07-14 01:38 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2020-03-18 19:35 - 2009-07-14 01:38 - 000000000 ____D C:\Program Files\Windows Sidebar
2020-03-18 19:35 - 2009-07-14 01:38 - 000000000 ____D C:\Program Files (x86)\Windows Sidebar
2020-03-18 19:35 - 2009-07-13 23:20 - 000000000 __RSD C:\Windows\Media
2020-03-18 19:35 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\SysWOW64\Dism
2020-03-18 19:35 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\system32\Dism
2020-03-18 19:35 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\servicing
2020-03-18 19:35 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\rescache
2020-03-18 19:35 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\PolicyDefinitions
2020-03-18 19:35 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2020-03-18 19:34 - 2019-01-07 13:44 - 000000000 ____D C:\Users\Nathan\AppData\Local\HP_Inc
2020-03-18 19:34 - 2019-01-07 12:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2020-03-18 19:34 - 2019-01-07 12:56 - 000000000 ____D C:\Program Files\CCleaner
2020-03-18 19:34 - 2019-01-07 12:47 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XSplit
2020-03-18 19:34 - 2019-01-07 12:47 - 000000000 ____D C:\Program Files (x86)\SplitmediaLabs
2020-03-18 19:34 - 2019-01-02 13:12 - 000000000 ____D C:\Program Files (x86)\GUM9F6.tmp
2020-03-18 19:34 - 2018-10-25 23:10 - 000000000 ____D C:\Program Files (x86)\Hewlett-Packard
2020-03-18 19:34 - 2018-10-25 22:57 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2020-03-18 19:34 - 2018-10-25 22:56 - 000000000 ____D C:\sp55040
2020-03-18 19:34 - 2018-10-21 17:46 - 000000000 ____D C:\Program Files (x86)\Cisco
2020-03-18 19:34 - 2018-10-21 17:46 - 000000000 ____D C:\Program Files (x86)\Atheros
2020-03-18 19:34 - 2018-10-21 17:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
2020-03-18 19:34 - 2018-10-21 17:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Defraggler
2020-03-18 19:34 - 2018-10-21 17:26 - 000000000 ____D C:\Program Files\Defraggler
2020-03-18 19:34 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\AppCompat
2020-03-18 19:32 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\registration
2020-03-18 19:20 - 2019-01-07 12:44 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\SplitmediaLabs
2020-03-18 19:19 - 2018-10-25 23:11 - 000000000 ____D C:\ProgramData\Hewlett-Packard
2020-03-18 19:13 - 2019-01-02 11:50 - 000000000 ____D C:\Program Files (x86)\Google
2020-03-18 14:59 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\system32\NDF
2020-03-18 10:52 - 2018-10-25 23:12 - 000000000 ____D C:\Users\Nathan\AppData\Local\Hewlett-Packard
2020-03-18 10:52 - 2018-10-21 17:41 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\Hewlett-Packard
2020-03-18 09:29 - 2019-01-02 12:07 - 000000000 ____D C:\Users\Nathan\AppData\Local\Google
2020-03-18 06:08 - 2018-10-25 23:10 - 000000000 ____D C:\Users\Nathan\AppData\Local\AVAST Software
2020-03-17 02:19 - 2018-10-25 22:40 - 000003938 _____ C:\Windows\system32\Tasks\User_Feed_Synchronization-{0B5BC9E5-B145-413C-B7A7-F624C56450E1}
2020-03-17 01:48 - 2009-07-14 00:50 - 000271328 _____ C:\Windows\system32\FNTCACHE.DAT
2020-03-16 22:11 - 2018-10-21 17:27 - 000000410 _____ C:\Windows\Tasks\Defraggler Volume C Task.job
2020-03-11 22:41 - 2019-11-21 06:57 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\poker-client-electron-common
2020-03-11 22:03 - 2019-11-21 06:57 - 000000000 ____D C:\Users\Nathan\AppData\Roaming\ignitioncasino-eu-poker
2020-03-11 02:12 - 2018-10-25 15:56 - 000000000 ____D C:\Windows\Panther
2020-03-10 23:35 - 2018-10-21 17:29 - 000774004 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2020-03-10 23:35 - 2009-07-14 01:12 - 000774004 _____ C:\Windows\system32\PerfStringBackup.INI
 
==================== Files in the root of some directories ========
 
2020-03-11 14:27 - 2020-03-11 14:27 - 000007614 _____ () C:\Users\Nathan\AppData\Local\Resmon.ResmonCfg
 
==================== SigCheck ============================
 
(There is no automatic fix for files that do not pass verification.)
 
 
LastRegBack: 2020-03-18 15:43
==================== End of FRST.txt ========================

Edited by steveairway, 18 March 2020 - 09:26 PM.

  • 0

#4
RKinner

    Malware Expert

  • Expert
  • 23,363 posts
  • MVP

Why do you think it has a virus?

 

I assume you installed TeamViewer?

 

Get Process Explorer

https://live.sysinte...com/procexp.exe

Save it to your desktop then run it (Vista or Win7+ - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures

Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a full minute then:

File, Save As, Save. Note the file name. Open the file on your desktop and copy and paste the text to a reply.

Copy the next 2 lines:

TASKLIST /SVC  > \junk.txt
notepad \junk.txt

Open an Elevated Command Prompt:
Win 7: Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator
Win 8: http://www.eightforu...indows-8-a.html
win 10: http://www.howtogeek...-in-windows-10/

Right click and Paste (or Edit then Paste) and the copied lines should appear.
Hit Enter if notepad does not open.  Copy and paste the text from notepad into a reply.


Get the free version of Speccy:

http://www.filehippo...ownload_speccy/ 

(Look in the upper right for the Download Latest Version button - Do NOT press the large Start Download button on the upper left!)
Download, Save and Install it. Tell it you do not need CCLEANER. Run Speccy. When it finishes (the little icon in the bottom left will stop moving),
File, Save as Text File, (to your desktop) note the name it gives. OK. Open the file in notepad and delete the line that gives the serial number of your Operating System.
(It will be near the top, 10-20 lines down.) Save the file. Attach the file to your next post. Attaching the log is the best option as it is too big for the forum. Attaching is a multi step process.

First click on More Reply Options
Then scroll down to where you see
Choose File and click on it.  Point it at the file and hit Open.
Now click on Attach this file.

 

 

Try running MBAR and see if it finds anything

https://www.malwareb...om/antirootkit/


  • 0
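An added check for the two outputs requested in the post above (example code written for this thread, not from the poster, from Sysinternals or from Microsoft): it parses a Process Explorer "Save As" export and a tasklist /svc listing, flags every real process whose Verified Signer column does not read "(Verified)", and lists the services each flagged PID hosts, so the two logs are cross-checked by PID instead of read by eye. The sample lines are constructed for the example (updhelper.exe, svcmon.exe and the service SvcMonitor are invented names); the export is assumed to be tab-delimited, which is how Process Explorer writes it.

```python
"""Cross-check a Process Explorer export against 'tasklist /svc' output and
report processes whose image signature was not verified.

Example written for this thread; the inputs below are constructed samples in
the layout the two tools produce, not lines copied from the poster's logs."""
import re

# Constructed Process Explorer "File > Save As" export (assumed tab-delimited),
# with the columns selected in the instructions above. updhelper.exe and
# svcmon.exe are invented names used only to exercise the check.
PROCEXP_SAMPLE = (
    "Process\tCPU\tPrivate Bytes\tWorking Set\tPID\tDescription\tCompany Name\tVerified Signer\n"
    "System Idle Process\t91.94\t0 K\t24 K\t0\t\t\t\n"
    "Interrupts\t0.69\t0 K\t0 K\tn/a\tHardware Interrupts and DPCs\t\t\n"
    "lsass.exe\t\t6,096 K\t8,508 K\t560\tLocal Security Authority Process\tMicrosoft Corporation\t(Verified) Microsoft Windows\n"
    "svchost.exe\t0.02\t21,412 K\t16,272 K\t920\tHost Process for Windows Services\tMicrosoft Corporation\t(Verified) Microsoft Windows\n"
    "updhelper.exe\t0.40\t9,100 K\t12,000 K\t4120\t\t\t(Not verified) Example Co\n"
    "svcmon.exe\t< 0.01\t3,200 K\t4,100 K\t4488\tService Monitor\tExample Co\t\n"
)

# Constructed 'tasklist /svc' output; indented lines continue the previous
# process's service list, exactly as the real tool wraps long lists.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
lsass.exe                      560 KeyIso, SamSs
svchost.exe                    920 AudioSrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
updhelper.exe                 4120 N/A
svcmon.exe                    4488 SvcMonitor
"""

# Kernel pseudo-processes carry no image file, so they never have a signer.
PSEUDO_PROCESSES = {"System Idle Process", "System", "Interrupts"}


def parse_procexp(text):
    """Return [{name, pid, signer}] from the tab-delimited export; the header
    row decides the column positions, so extra or reordered columns are fine."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    col = {h: i for i, h in enumerate(header)}
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields += [""] * (len(header) - len(fields))  # editors may drop trailing tabs
        pid_text = fields[col["PID"]].strip()
        rows.append({
            "name": fields[col["Process"]].strip(),
            "pid": int(pid_text) if pid_text.isdigit() else None,
            "signer": fields[col["Verified Signer"]].strip(),
        })
    return rows


def parse_tasklist_svc(text):
    """Map PID -> list of service names from 'tasklist /svc' output."""
    services = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:  # a new "image pid services" row
            current = int(m.group(2))
            services[current] = []
            names = m.group(3)
        elif line.startswith(" ") and current is not None:  # wrapped continuation
            names = line
        else:
            continue
        for name in names.split(","):
            name = name.strip()
            if name and name != "N/A":
                services[current].append(name)
    return services


def unverified_processes(procexp_text, tasklist_text):
    """Return [(name, pid, signer, [services])] for every real process whose
    image signature Process Explorer did not mark '(Verified)'."""
    svc = parse_tasklist_svc(tasklist_text)
    findings = []
    for row in parse_procexp(procexp_text):
        if row["name"] in PSEUDO_PROCESSES or row["pid"] is None:
            continue
        if not row["signer"].startswith("(Verified)"):
            findings.append((row["name"], row["pid"],
                             row["signer"] or "(no signature information)",
                             svc.get(row["pid"], [])))
    return findings


if __name__ == "__main__":
    for name, pid, signer, svcs in unverified_processes(PROCEXP_SAMPLE, TASKLIST_SAMPLE):
        hosted = ", ".join(svcs) if svcs else "no services"
        print(f"{name} (PID {pid}): {signer}; hosts {hosted}")
```

Run it against a real pair of files by reading them into the two variables; an unverified entry that also hosts a service is the one to look at first, since a service restarts with the machine and survives a reboot, whereas an unverified row with no signer text at all usually just means Verify Image Signatures was not switched on before the export.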

#5
steveairway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Why I think I have a virus... 1. I've seen Zemana do a scan and say trojan win 32 system wow al 2180 virus.
Also tons of stuff in the registry when I run CCleaner... missing DLL files...
Plus I think I'm being web filtered.
Also Avast never runs and finds anything... pretty sure I've got a virus.
 
 
 
Task Manager file copy and paste:
 
Process CPU Private Bytes Working Set PID Description Company Name Verified Signer
audiodg.exe 15,716 K 15,520 K 5320 Windows Audio Device Graph Isolation Microsoft Corporation (Verified) Microsoft Windows
brave.exe 2,188 K 5,500 K 1104 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 26,908 K 37,028 K 2564 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 21,352 K 22,828 K 5672 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 6,956 K 12,684 K 4328 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 31,404 K 69,664 K 4072 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 24,740 K 32,880 K 2240 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 6,988 K 11,960 K 6080 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
conhost.exe 1,096 K 772 K 1156 Console Window Host Microsoft Corporation (Verified) Microsoft Windows
ctfmon.exe 2,096 K 980 K 2496 CTF Loader Microsoft Corporation (Verified) Microsoft Windows
dllhost.exe 1,676 K 1,608 K 2476 COM Surrogate Microsoft Corporation (Verified) Microsoft Windows
dwm.exe 1,792 K 1,624 K 1768 Desktop Window Manager Microsoft Corporation (Verified) Microsoft Windows
HPSupportSolutionsFrameworkService.exe 28,712 K 5,932 K 2724 HP Support Solutions Framework Service HP Inc. (Verified) HP Inc.
lsass.exe 6,096 K 8,508 K 560 Local Security Authority Process Microsoft Corporation (Verified) Microsoft Windows
lsm.exe 2,696 K 2,100 K 568 Local Session Manager Service Microsoft Corporation (Verified) Microsoft Windows
mscorsvw.exe 3,564 K 2,384 K 3944 .NET Runtime Optimization Service Microsoft Corporation (Verified) Microsoft Dynamic Code Publisher
procexp.exe 4,052 K 7,524 K 5360 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
services.exe 5,716 K 5,836 K 544 Services and Controller app Microsoft Corporation (Verified) Microsoft Windows
smss.exe 588 K 600 K 344 Windows Session Manager Microsoft Corporation (Verified) Microsoft Windows
spoolsv.exe 6,796 K 3,884 K 1224 Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 2,336 K 4,700 K 4988 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 13,120 K 9,992 K 1340 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 4,992 K 5,120 K 824 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 186,084 K 53,268 K 3716 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
taskhost.exe 3,708 K 2,120 K 5332 Host Process for Windows Tasks Microsoft Corporation (Verified) Microsoft Windows
wininit.exe 1,948 K 544 K 488 Windows Start-Up Application Microsoft Corporation (Verified) Microsoft Windows
winlogon.exe 3,384 K 2,336 K 624 Windows Logon Application Microsoft Corporation (Verified) Microsoft Windows
wlanext.exe 2,516 K 3,120 K 1144 Windows Wireless LAN 802.11 Extensibility Framework Microsoft Corporation (Verified) Microsoft Windows
wuauclt.exe 2,108 K 1,924 K 4604 Windows Update Microsoft Corporation (Verified) Microsoft Windows
svchost.exe < 0.01 6,264 K 5,936 K 2028 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
brave.exe < 0.01 36,004 K 48,840 K 2892 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
CCleaner64.exe < 0.01 11,780 K 24,648 K 2912 CCleaner Piriform Software Ltd (Verified) Piriform Software Ltd
WmiPrvSE.exe < 0.01 19,760 K 24,636 K 3080 WMI Provider Host Microsoft Corporation (Verified) Microsoft Windows
csrss.exe < 0.01 2,456 K 2,208 K 460 Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows
StikyNot.exe < 0.01 5,164 K 5,188 K 3256 Sticky Notes Microsoft Corporation (Verified) Microsoft Windows
SearchIndexer.exe < 0.01 22,236 K 11,296 K 2728 Microsoft Windows Search Indexer Microsoft Corporation (Verified) Microsoft Windows
svchost.exe < 0.01 12,068 K 11,476 K 3184 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
nordvpn-service.exe < 0.01 41,088 K 70,572 K 5908 nordvpn-service (Verified) TEFINCOM S.A.
svchost.exe < 0.01 15,680 K 12,204 K 656 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe < 0.01 34,584 K 40,484 K 1020 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe < 0.01 12,764 K 15,840 K 988 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
taskhost.exe < 0.01 12,932 K 7,048 K 1868 Host Process for Windows Tasks Microsoft Corporation (Verified) Microsoft Windows
mscorsvw.exe 0.01 4,648 K 2,440 K 1140 .NET Runtime Optimization Service Microsoft Corporation (Verified) Microsoft Dynamic Code Publisher
TeamViewer_Service.exe 0.01 5,328 K 4,492 K 1244 TeamViewer TeamViewer Germany GmbH (Verified) TeamViewer Germany GmbH
CCleaner64.exe 0.01 13,272 K 7,288 K 2672 CCleaner Piriform Software Ltd (Verified) Piriform Software Ltd
svchost.exe 0.01 135,516 K 129,320 K 952 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 0.01 2,132 K 1,916 K 2196 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
NordVPN.exe 0.01 136,412 K 188,152 K 5768 NordVPN NordVPN (Verified) TEFINCOM S.A.
svchost.exe 0.02 21,412 K 16,272 K 920 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
brave.exe 0.04 44,608 K 52,676 K 1804 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 0.04 47,164 K 70,380 K 1288 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
svchost.exe 0.05 5,160 K 4,500 K 716 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
explorer.exe 0.07 42,784 K 42,988 K 3028 Windows Explorer Microsoft Corporation (Verified) Microsoft Windows
brave.exe 0.07 54,880 K 83,520 K 2572 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
System 0.08 844 K 6,192 K 4
brave.exe 0.11 15,300 K 31,196 K 6116 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 0.21 134,560 K 180,984 K 2388 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 0.33 142,224 K 185,124 K 4048 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
brave.exe 0.33 149,304 K 182,276 K 1444 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
taskmgr.exe 0.44 3,940 K 9,952 K 4572 Windows Task Manager Microsoft Corporation (Verified) Microsoft Windows
csrss.exe 0.52 3,132 K 4,220 K 508 Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows
Interrupts 0.69 0 K 0 K n/a Hardware Interrupts and DPCs
procexp64.exe 1.57 26,724 K 44,472 K 4244 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
brave.exe 3.42 67,692 K 109,256 K 1588 Brave Browser Brave Software, Inc. (Verified) Brave Software, Inc.
System Idle Process 91.94 0 K 24 K 0
 
 
This is what pops up after running the cmd commands:
 

Image Name                     PID Services                                    
========================= ======== ============================================
System Idle Process              0 N/A                                         
System                           4 N/A                                         
smss.exe                       344 N/A                                         
csrss.exe                      460 N/A                                         
wininit.exe                    488 N/A                                         
csrss.exe                      508 N/A                                         
services.exe                   544 N/A                                         
lsass.exe                      560 KeyIso, SamSs                               
lsm.exe                        568 N/A                                         
winlogon.exe                   624 N/A                                         
svchost.exe                    716 DcomLaunch, PlugPlay, Power                 
svchost.exe                    824 RpcEptMapper, RpcSs                         
svchost.exe                    920 AudioSrv, Dhcp, eventlog,                   
                                   HomeGroupProvider, lmhosts, wscsvc          
svchost.exe                    952 AudioEndpointBuilder, CscService, hidserv,  
                                   HomeGroupListener, Netman, PcaSvc, SysMain, 
                                   TrkWks, UxSms, Wlansvc                      
svchost.exe                    988 EventSystem, fdPHost, FontCache, netprofm,  
                                   nsi, WdiServiceHost, WinHttpAutoProxySvc    
svchost.exe                   1020 AeLookupSvc, BITS, Browser, EapHost, gpsvc, 
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,     
                                   Schedule, SENS, ShellHWDetection, Themes,   
                                   Winmgmt, wuauserv                           
svchost.exe                    656 CryptSvc, Dnscache, LanmanWorkstation,      
                                   NlaSvc                                      
wlanext.exe                   1144 N/A                                         
conhost.exe                   1156 N/A                                         
spoolsv.exe                   1224 Spooler                                     
svchost.exe                   1340 BFE, DPS, MpsSvc                            
dwm.exe                       1768 N/A                                         
taskhost.exe                  1868 N/A                                         
TeamViewer_Service.exe        1244 TeamViewer                                  
svchost.exe                   2196 bthserv                                     
CCleaner64.exe                2672 N/A                                         
SearchIndexer.exe             2728 WSearch                                     
explorer.exe                  3028 N/A                                         
svchost.exe                   2028 FDResPub, SSDPSRV                           
svchost.exe                   3184 p2pimsvc, p2psvc, PNRPsvc                   
StikyNot.exe                  3256 N/A                                         
mscorsvw.exe                  3944 clr_optimization_v4.0.30319_32              
mscorsvw.exe                  1140 clr_optimization_v4.0.30319_64              
HPSupportSolutionsFramewo     2724 HPSupportSolutionsFrameworkService          
dllhost.exe                   2476 N/A                                         
ctfmon.exe                    2496 N/A                                         
wuauclt.exe                   4604 N/A                                         
svchost.exe                   3716 WinDefend                                   
taskhost.exe                  5332 N/A                                         
nordvpn-service.exe           5908 nordvpn-service                             
NordVPN.exe                   5768 N/A                                         
svchost.exe                   4988 SDRSVC                                      
brave.exe                     2388 N/A                                         
brave.exe                     1104 N/A                                         
brave.exe                     4072 N/A                                         
brave.exe                     6116 N/A                                         
brave.exe                     4328 N/A                                         
brave.exe                     6080 N/A                                         
brave.exe                     1804 N/A                                         
brave.exe                     2892 N/A                                         
brave.exe                     1588 N/A                                         
brave.exe                     2240 N/A                                         
brave.exe                     2564 N/A                                         
brave.exe                     4048 N/A                                         
brave.exe                     1444 N/A                                         
brave.exe                     1288 N/A                                         
WmiPrvSE.exe                  3080 N/A                                         
brave.exe                     2572 N/A                                         
CCleaner64.exe                2912 N/A                                         
brave.exe                     5672 N/A                                         
WmiPrvSE.exe                  5280 N/A                                         
brave.exe                     2920 N/A                                         
brave.exe                     3100 N/A                                         
brave.exe                     6064 N/A                                         
brave.exe                     5392 N/A                                         
Speccy64.exe                  2644 N/A                                         
WmiApSrv.exe                  3676 wmiApSrv                                    
WmiPrvSE.exe                  2988 N/A                                         
audiodg.exe                   5636 N/A                                         
SearchProtocolHost.exe        5316 N/A                                         
SearchFilterHost.exe          4728 N/A                                         
cmd.exe                       2768 N/A                                         
conhost.exe                   5740 N/A                                         
tasklist.exe                  3228 N/A                                         
 
 
SPECCYT
#6 steveairway (Topic Starter, Member, 54 posts)

I DON'T SEE AN ATTACH BUTTON ON HERE FOR THE SPECCY LOG

WILL FIND SOON 


#7 RKinner (Malware Expert, 23,363 posts, MVP)

Click on the More Reply Options button

Then scroll down to where you see
Choose File and click on it.  Point it at the file and hit Open.
Now click on Attach this file.

 

Avast never installed.  Try the offline install:

 

https://www.avast.co...ST&locale=en-us

Save, then right click and Run as Admin.  Uncheck any optional files like Dropbox or Chrome.  Stick with the Basic (free) version.  Avoid the Quick Scan; instead do the boot-time scan (may take hours).

Click on the Avast ball.  Then click on Protection, then on Antivirus, then on Other Scans then on Boot-time Scan.  Click on Install Special Definitions.  Click on Run on Next PC Reboot.

Reboot and let it run a scan.  It may take hours.  Once it finishes it should load Windows.  Mute your speakers so it doesn't wake you up when Windows boots.

When you reboot you will see the scan start.  It will tell you where it saves its log.  Usually it's C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location.   This is a hidden location so you will need to tell Windows to let you see it:

http://www.howtogeek...-windows-vista/

Copy and paste the text from the log to a Reply when done.
 

 

Did you install teamviewer?

 


#8 steveairway (Topic Starter, Member, 54 posts)

OK I ATTACHED SPECCY LOG

 

 

Attached Files


#9 steveairway (Topic Starter, Member, 54 posts)

ALSO JUST WANTED TO SHOW U HE ADDED THINGS LIKE THIS TO MY COMPUTER ... 

 

FILES TO MANIPULATE MY COMPUTER AND ALSO TO RELOAD IF I REINSTALL WINDOWS.

 

 

SEE I DID THAT.. I PUT A FRESH VERSION ON LAST WEEK. But he, I guess,

 

1.  Gets into my router / home ip network..

How can I get him out of my router?  I guess I need KeyScrambler, right?  So that way I can call ip and change to private/new router name and pass, etc.

 

I attached the file which he put on my desktop.... you can see it's all virus stuff I believe.

 

 


#10 steveairway (Topic Starter, Member, 54 posts)

Yes I did install TeamViewer..

 

I just deleted it though as I know it can be used bigtime as spyware.

 

Also last night he was making new account names on my internet options/network.. with the same name I use as my network etc.

He did this because I watched a show about how a phone will connect to any fraud network that has the same name as the one at home etc.



#11 RKinner (Malware Expert, 23,363 posts, MVP)

Did you run MBAR yet?

 

So far all I can see is that Speccy says your PC is running a bit hot and your hard drive is about to crash on you.

 

Speccy sometimes reads a bit hot so let's get a second opinion:

 

http://www.filehippo...nload_speedfan/

Download, save and install it (Win 7+ or Vista: right click and Run As Admin), then run it (Win 7+ or Vista: right click and Run As Admin).

It will tell you your temps in real time, though the default is to show the hard drive temp in the systray.  You can change it:  Hit Configure, then click on the highest temp and check Show in tray.  With no other programs running, what is the highest temp you see?  Run an anti-virus scan, play one of your games or watch a video for at least 5 minutes.  What is the highest temp now?
 

We don't really want it to go over about 65 under load.  If it does it usually means either the fan is defective (speedfan should tell you your fan speed so you can see if it is running) or (most likely) the interface between the fan and the heatsink is clogged with dust. The best fix for a clogged heatsink is to remove the fan (not the heatsink or heatpipe) and vacuum out the heatsink.  However on some PCs this is major surgery.  Sometimes you can blow air backwards through the exhaust vent while vacuuming at the input vent and if you are lucky it may clear the heatsink.  Don't do it too long as the fan may overrev.

 

If you think the router has been compromised you can reset it to factory then change the default password.  Tell me the make and model number and I will look up how to do that.

 


#12 steveairway (Topic Starter, Member, 54 posts)

Thanks for info

 

About to run Mbar now..

 

Quick question though... Can all this be avoided if I don't mind just reloading a fresh Windows version?

I mean that is so much easier than doing all this diagnosis stuff, right?   

 

I JUST WANT TO DO A REBOOT AND HOPE HE HAS NOT SENT OVER HIS RAT/ HACKING FILES TO MY NEW VERSION. 

i have a disk and put on new version but AM PISSED to see the new download WENT OVER OLD FILES FROM LAST SYSTEM.. WHAT THE HECK!!

 

I have nothing on my computer i care about so to do fresh reboots is no big deal to me. 

 

 

 

 

I know for sure the guy is in my router though.. Last night there were other networks somehow available under the same name in networks available.   He put like 3 of them.. just to mess around with me.

 

I just installed ZEMANA ANTILOGGER/KEYSCRAMBLER.. maybe this will keep him from keylogging me with his RAT?

 

It's just I think his viruses have disabled all my anti-viruses from working.

I have Avast and I paid for Avast Premium last week, but when I punch in the password to start Avast Premium/paid it says NOT WORKING..  so he is somehow stopping me from logging in ..

 

I THINK FOR SURE I'M BEING WEB FILTERED.. MY CONNECTION GOES FROM ME TO HIS COMPUTER THEN TO INTERNET..

 

If I look up a thing.. like avast dot com, it won't take me there. etc 

 

Def hacked right?   and being ratted 

Btw 

 

THANKS.. WILL have mbar scan etc on next post and other stuff.


Edited by steveairway, 19 March 2020 - 04:55 PM.

#13 steveairway (Topic Starter, Member, 54 posts)

https://gyazo.com/6f...f56c5833e1eee6e

 

Also got this when I was about to run MBAR on my computer.

 

thoughts?

 

also I THINK THIS GUY HAS MADE HIMSELF ADMIN OF MY COMPUTERS

 

on this computer.. its my oldest of 3.. he has like full control

 

there is like 4 accounts on here..   Nathan/ admin me

 

then he made like 3 false ones

 

SYSTEM

ADMIN/ NATHAN/ ADMIM 

EVERYBODY 

 

SO U CAN SEE HE TOOK OVER ALL CONTROLS

 

I should prob just run a refresh of fresh Windows, right?

 

I just want to make sure that no OLD files come to the new install..   


Edited by steveairway, 19 March 2020 - 05:36 PM.

#14 steveairway (Topic Starter, Member, 54 posts)

https://gyazo.com/c2...05b454059d70f97

 

AT END OF MBAR ROOT SCAN .. THIS HAPP

 

BASICALLY HE HAS A FILE ON THE COMPUTER NOT TO LET ME RUN THIS PROGRAM I THINK

 

You can't see it in the photo but it says mbar could not be executed to mbar.exe .. his anti-virus code he has on my computer stopping the scan 

 

There is all kinds of Notepad stuff on my computer that's viruses.. code written to not let bank sites have cookies or whatever.

I've seen .. Notepad stuff to not let anti-virus programs work


Edited by steveairway, 19 March 2020 - 05:49 PM.

#15 RKinner (Malware Expert, 23,363 posts, MVP)

AppInit_DLL is a value in the registry that can be used to load a file when other files load. 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
There are two values in the registry.  One lists the file(s) that are to be loaded (AppInit_DLLs) and a second one enables the load (LoadAppInit_DLLs).  Often a program will be installed that uses the entry and enables the load.  Usually when they uninstall the program they forget to turn off the enable entry.  If there were files listed to be loaded they would have shown up in the FRST log.  Since they didn't I expect MBAR was just being careful and asking if it could turn off the enable.  This can be done with a registry merge:

 

Download the following wininit.reg file and save it then right click and MERGE.  Ignore the warning.

Attached File: wininit.reg (340 bytes, 92 downloads)

This will not only turn off the enable but will remove any file lists.

 

MBAR is sensitive to the health of the hard drive.  As I mentioned earlier your hard drive is about to die so I expect that's why you got the error.  The drive needs to be replaced ASAP.  It's an old Seagate (known to be unreliable) and yours is a SATA-2 so rather slow compared to the newer SATA-3.

 

The Avast install is hung.  It never completed.  Don't know why.  You can get a new copy of the version you paid for here:
https://www.avast.co...tallation-files

Choose the Offline installer.  Download, Save then right click and Run As Admin.
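A way to audit the two AppInit values RKinner describes in post #15 (and, when asked, put them in the same end state as the wininit.reg merge), written here as an added example rather than the forum's own file. It assumes an elevated PowerShell prompt, and it also checks the Wow6432Node view that 32-bit processes read on 64-bit Windows (an assumption, labelled in the code).

```powershell
# Added example, not the forum's wininit.reg: audit the AppInit_DLLs
# persistence point MBAR asked about, and with -Fix clear it the same
# way the merge does (empty the DLL list, set LoadAppInit_DLLs to 0).
# Run from an elevated PowerShell prompt.
param([switch]$Fix)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # Assumed: the 32-bit view consulted by 32-bit processes on x64 Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitStatus {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    $p = Get-ItemProperty -Path $Key
    $enabled = if ($null -eq $p.LoadAppInit_DLLs) { 0 } else { [int]$p.LoadAppInit_DLLs }
    [pscustomobject]@{
        Key     = $Key
        Dlls    = [string]$p.AppInit_DLLs   # empty string when the value is absent
        Enabled = $enabled
    }
}

foreach ($k in $keys) {
    $s = Get-AppInitStatus -Key $k
    if ($null -eq $s) { continue }
    "{0}`n  AppInit_DLLs     = '{1}'`n  LoadAppInit_DLLs = {2}" -f $s.Key, $s.Dlls, $s.Enabled

    # A non-empty list with LoadAppInit_DLLs = 1 means those DLLs are loaded
    # into every process that loads user32.dll; cross-check them against the
    # FRST log before deciding whether the entry is legitimate leftover or not.
    if ($s.Dlls.Trim() -ne '' -and $s.Enabled -eq 1) {
        Write-Warning "AppInit load is ENABLED with DLLs listed under $($s.Key)"
    }

    if ($Fix) {
        # Same end state as the posted wininit.reg merge: no list, load disabled.
        Set-ItemProperty -Path $k -Name AppInit_DLLs -Value '' -Type String
        Set-ItemProperty -Path $k -Name LoadAppInit_DLLs -Value 0 -Type DWord
        "  -> cleared AppInit_DLLs and set LoadAppInit_DLLs = 0"
    }
}
```

Run it without arguments to see the current state of both keys; add -Fix only after the FRST log has been checked, since it is the same change the merge makes.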

