Welcome to Geeks to Go - Register now for FREE

Hacker(?). I believe my router has been accessed / pc remotely viewed


#1
jhormaneedshelp

    New Member

  • Member
  • 4 posts

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-02-2021
Ran by joppe (12-02-2021 23:42:14)
Running from C:\Users\joppe\Downloads
Windows 10 Home Version 20H2 19042.631 (X64) (2021-02-11 19:08:20)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2652230216-8729904-3138564411-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2652230216-8729904-3138564411-503 - Limited - Disabled)
Guest (S-1-5-21-2652230216-8729904-3138564411-501 - Limited - Disabled)
joppe (S-1-5-21-2652230216-8729904-3138564411-1001 - Administrator - Enabled) => C:\Users\joppe
WDAGUtilityAccount (S-1-5-21-2652230216-8729904-3138564411-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
ExpressVPN (HKLM-x32\...\{57e033a5-c75e-4823-83af-c1b6b3b759ab}) (Version: 10.0.9.2 - ExpressVPN)
ExpressVPN (HKLM-x32\...\{E5B9C3E5-889C-4F22-A959-F4B876CD0833}) (Version: 10.0.9.2 - ExpressVPN) Hidden
GlassWire 2.2 (remove only) (HKLM-x32\...\GlassWire 2.2) (Version: 2.2.291 - SecureMix LLC)
Malwarebytes Windows Firewall Control (HKLM\...\Windows Firewall Control) (Version: 6.4.0.0 - BiniSoft.org)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 88.0.705.63 - Microsoft Corporation)
Microsoft Edge Update (HKLM-x32\...\Microsoft Edge Update) (Version: 1.3.141.59 - )
Microsoft OneDrive (HKU\S-1-5-21-2652230216-8729904-3138564411-1001\...\OneDriveSetup.exe) (Version: 21.002.0104.0005 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.28.29334 (HKLM-x32\...\{a9cfe9c7-e54f-46cd-9c5c-542ff8e3e8c4}) (Version: 14.28.29334.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.24.28127 (HKLM-x32\...\{e31cb1a4-76b5-46a5-a084-3fa419e82201}) (Version: 14.24.28127.4 - Microsoft Corporation)
Mozilla Firefox 85.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 85.0.2 (x64 en-US)) (Version: 85.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 85.0.2 - Mozilla)
Npcap (HKLM-x32\...\NpcapInst) (Version: 1.10 - Nmap Project)
NVIDIA Graphics Driver 456.71 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 456.71 - NVIDIA Corporation)
RogueKiller version 14.8.4.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 14.8.4.0 - Adlice Software)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.5.6 - TeamSpeak Systems GmbH)
Wireshark 3.4.3 64-bit (HKLM-x32\...\Wireshark) (Version: 3.4.3 - The Wireshark developer community, hxxps://www.wireshark.org)

Packages:
=========
Cortana -> C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation)
Intel® Graphics Command Center -> C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.3282.0_x64__8j3eq9eme6ctt [2021-02-12] (INTEL CORP) [Startup Task]
Mail and Calendar -> C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Studios) [MS Ad]
MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
NVIDIA Control Panel -> C:\Program Files\WindowsApps\NVIDIACorp.NVIDIAControlPanel_8.1.960.0_x64__56jybvy8sckqj [2021-02-11] (NVIDIA Corp.)
Skype -> C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c [2019-12-07] (Skype)
Your Phone -> C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} =>  -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} =>  -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers4: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvshext.dll [2020-10-07] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers6: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2019-04-09 10:21 - 2019-04-09 10:21 - 000018432 _____ () [File not signed] C:\Program Files\TeamSpeak 3 Client\libEGL.DLL
2019-04-09 10:21 - 2019-04-09 10:21 - 003572224 _____ () [File not signed] C:\Program Files\TeamSpeak 3 Client\libGLESv2.dll
2021-02-12 12:20 - 2021-02-12 12:20 - 000157696 _____ () [File not signed] C:\Users\joppe\AppData\Roaming\TS3Client\plugins\gamepad_joystick_win64.dll
2021-02-12 12:06 - 2014-05-15 22:21 - 000028672 _____ (Digia Plc and/or its subsidiary(-ies)) [File not signed] C:\Users\joppe\Desktop\mbar\imageformats\qico4.dll
2021-02-12 12:06 - 2014-05-15 22:21 - 002578432 _____ (Digia Plc and/or its subsidiary(-ies)) [File not signed] C:\Users\joppe\Desktop\mbar\QtCore4.dll
2021-02-12 12:06 - 2014-05-15 22:21 - 008406528 _____ (Digia Plc and/or its subsidiary(-ies)) [File not signed] C:\Users\joppe\Desktop\mbar\QtGui4.dll
2021-02-12 23:02 - 2021-02-12 23:02 - 001195008 _____ (ESET) [File not signed] C:\Users\joppe\AppData\Local\ESET\ESETOnlineScanner\esets_apiW_a.DLL
2019-04-10 18:30 - 2019-04-10 18:30 - 000035328 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\iconengines\qsvgicon.dll
2019-04-09 10:28 - 2019-04-09 10:28 - 000031744 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\imageformats\qgif.dll
2019-04-09 10:29 - 2019-04-09 10:29 - 000397312 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\imageformats\qjpeg.dll
2019-04-10 18:29 - 2019-04-10 18:29 - 000025600 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\imageformats\qsvg.dll
2019-04-09 10:30 - 2019-04-09 10:30 - 001453568 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\platforms\qwindows.dll
2019-05-31 13:05 - 2019-05-31 13:05 - 006130176 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Core.dll
2019-04-09 10:25 - 2019-04-09 10:25 - 006470656 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Gui.dll
2019-04-09 10:24 - 2019-04-09 10:24 - 001314816 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Network.dll
2019-04-10 19:31 - 2019-04-10 19:31 - 000317440 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Positioning.dll
2019-04-09 10:28 - 2019-04-09 10:28 - 000318464 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5PrintSupport.dll
2019-04-10 18:55 - 2019-04-10 18:55 - 004001792 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Qml.dll
2019-04-10 18:48 - 2019-04-10 18:48 - 003776000 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Quick.dll
2019-04-10 18:50 - 2019-04-10 18:50 - 000072704 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5QuickWidgets.dll
2019-04-09 10:23 - 2019-04-09 10:23 - 000205312 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Sql.dll
2019-04-10 18:29 - 2019-04-10 18:29 - 000332288 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Svg.dll
2019-04-10 19:40 - 2019-04-10 19:40 - 000113664 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5WebChannel.dll
2019-04-11 03:37 - 2019-04-11 03:37 - 079989760 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5WebEngineCore.dll
2019-04-11 03:54 - 2019-04-11 03:54 - 000228864 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5WebEngineWidgets.dll
2019-04-09 10:27 - 2019-04-09 10:27 - 005580800 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Widgets.dll
2019-04-09 10:28 - 2019-04-09 10:28 - 001151488 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\sqldrivers\qsqlite.dll
2019-04-09 10:29 - 2019-04-09 10:29 - 000137216 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\styles\qwindowsvistastyle.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

SearchScopes: HKU\S-1-5-21-2652230216-8729904-3138564411-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 11:14 - 2019-12-07 11:12 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2652230216-8729904-3138564411-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 10.120.0.1 - 192.168.1.9
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{A94C2BD9-2E61-43A8-9BDF-C6F388A9BF08}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{D8B8372F-DB51-4D8A-B5D4-ABF72060FF31}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{BEC55E94-C8D4-4026-B104-BC9E42FA43A3}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe (Valve -> Valve Corporation)
FirewallRules: [{8EA43025-C40A-4AA4-BAD6-659E6B41BA3B}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe (Valve -> Valve Corporation)
FirewallRules: [{1489B6A4-A080-44EF-BCB8-F3366DF7E678}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{26EA697F-0201-47C8-9953-160971B4B603}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{1E758833-0F0F-4340-81A7-90E8B38009C7}] => (Allow) C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe (Malwarebytes Inc -> Malwarebytes)
FirewallRules: [{956158C5-E157-4921-AE8F-E88FEB3DE02C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Apex Legends\EasyAntiCheat_launcher.exe (EasyAntiCheat Oy -> EasyAntiCheat Ltd)
FirewallRules: [{819BD8B2-3534-4259-A948-2198C9FF0B63}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Apex Legends\EasyAntiCheat_launcher.exe (EasyAntiCheat Oy -> EasyAntiCheat Ltd)
FirewallRules: [{F7D5FBAA-14B0-4F8E-AA25-3C7502607726}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe (Valve -> )
FirewallRules: [{947B6B0A-0C95-4D77-B10E-06BA09E22406}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe (Valve -> )
FirewallRules: [{9F63ECE7-3BDC-4D7E-ACBA-7C89B62D2676}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe (GlassWire -> SecureMix LLC)
FirewallRules: [{0817D391-7405-4269-AD14-48242FAB8D84}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe (GlassWire -> SecureMix LLC)
FirewallRules: [{BB329C78-FC59-4F49-B1A6-C59BBE5BE9C9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 3\OakGame\Binaries\Win64\Borderlands3.exe (Gearbox Software, L.L.C. -> Gearbox Software)
FirewallRules: [{61EB08C4-1C76-478B-80BE-5B7943CB42C0}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 3\OakGame\Binaries\Win64\Borderlands3.exe (Gearbox Software, L.L.C. -> Gearbox Software)
FirewallRules: [{D7732F20-0E6E-4317-A782-107F09E755AD}] => (Allow) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{802B7AD0-3CD0-46E7-8B24-0ACFDB2901FC}] => (Allow) C:\program files (x86)\steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{BA569683-A3F5-4620-8682-FE8C570B10CA}] => (Allow) C:\programdata\battle.net\agent\agent.7269\agent.exe (Blizzard Entertainment, Inc. -> Blizzard Entertainment)
FirewallRules: [{D070CAB5-E87A-40BD-837D-4EF420924C73}] => (Allow) C:\program files (x86)\steam\steam.exe (Valve -> Valve Corporation)
FirewallRules: [{8BAE805C-3032-4F32-9D05-2E4B297A30FC}] => (Allow) C:\program files (x86)\battle.net\battle.net.exe (Blizzard Entertainment, Inc. -> Blizzard Entertainment)

==================== Restore Points =========================

Check "VSS" service


==================== Faulty Device Manager Devices ============

Name: PCI Data Acquisition and Signal Processing Controller
Description: PCI Data Acquisition and Signal Processing Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Memory Controller
Description: PCI Memory Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: ========================

Application errors:
==================
Error: (02/12/2021 11:42:47 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.


Operation:
   Instantiating VSS server

Error: (02/12/2021 11:42:47 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
   Instantiating VSS server

Error: (02/12/2021 08:33:44 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program steamwebhelper.exe version 6.35.59.24 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 219c

Start Time: 01d7015c6a9a2aac

Termination Time: 4294967295

Application Path: C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe

Report Id: c962dc44-3e40-4d5e-88a6-fcedfb157ccc

Faulting package full name:

Faulting package-relative application ID:

Hang type: Top level window is idle

Error: (02/12/2021 08:33:41 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mmc.exe version 10.0.19041.329 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 28fc

Start Time: 01d7016d1febd429

Termination Time: 4294967295

Application Path: C:\Windows\System32\mmc.exe

Report Id: cbe8f4d2-fb75-4be8-859c-6babc5d54c0f

Faulting package full name:

Faulting package-relative application ID:

Hang type: Top level window is idle

Error: (02/12/2021 06:24:16 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\joppe\AppData\Local\Temp\{A9900077-80C1-4EB7-898E-30C5958794F7}\.be\ExpressVPN_10.0.9.2_release.exe -q -burn.elevated BurnPipe.{EEEC8156-968E-4E2F-9951-BBA4460E425B} {F6463CD3-693F-4A5C-B945-2F4CA4670342} 11700; Description = ExpressVPN; Error = 0x80042302).

Error: (02/12/2021 06:24:16 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.


Operation:
   Instantiating VSS server

Error: (02/12/2021 06:24:16 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
   Instantiating VSS server

Error: (02/12/2021 06:22:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mmc.exe, version: 10.0.19041.329, time stamp: 0x2ede9d07
Faulting module name: ntdll.dll, version: 10.0.19041.610, time stamp: 0xe5d7ed5c
Exception code: 0xc0000374
Fault offset: 0x00000000000fed29
Faulting process id: 0x170c
Faulting application start time: 0x01d7014b7dece409
Faulting application path: C:\Windows\system32\mmc.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 7f653db6-5069-40ba-888e-bbfbb9c4b588
Faulting package full name:
Faulting package-relative application ID:


System errors:
=============
Error: (02/12/2021 11:03:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
This driver has been blocked from loading

Error: (02/12/2021 11:03:08 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\joppe\AppData\Local\Temp\ehdrv.sys

Error: (02/12/2021 11:03:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
This driver has been blocked from loading

Error: (02/12/2021 11:03:08 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\joppe\AppData\Local\Temp\ehdrv.sys

Error: (02/12/2021 11:03:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
This driver has been blocked from loading

Error: (02/12/2021 11:03:08 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\joppe\AppData\Local\Temp\ehdrv.sys

Error: (02/12/2021 11:03:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
This driver has been blocked from loading

Error: (02/12/2021 11:03:08 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\joppe\AppData\Local\Temp\ehdrv.sys

Windows Defender:
=================

Date: 2021-02-12 21:35:04.0990000Z
Description:
C:\Users\joppe\Desktop\mbar\mbar.exe has been blocked from modifying %system%\drivers\ by Controlled Folder Access.
Detection time: 2021-02-12T19:35:04.099Z
Path: %system%\drivers\
Process Name: C:\Users\joppe\Desktop\mbar\mbar.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

Date: 2021-02-12 21:28:32.4540000Z
Description:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has been blocked from modifying %system%\CatRoot by Controlled Folder Access.
Detection time: 2021-02-12T19:28:32.454Z
Path: %system%\CatRoot
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

Date: 2021-02-12 18:21:04.5810000Z
Description:
C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe has been blocked from modifying %windir%\INF\ by Controlled Folder Access.
Detection time: 2021-02-12T16:21:04.581Z
Path: %windir%\INF\
Process Name: C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

Date: 2021-02-12 18:21:04.5810000Z
Description:
C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe has been blocked from modifying %windir%\INF\ by Controlled Folder Access.
Detection time: 2021-02-12T16:21:04.581Z
Path: %windir%\INF\
Process Name: C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

Date: 2021-02-12 18:20:33.6270000Z
Description:
C:\Windows\SysWOW64\rundll32.exe has been blocked from modifying %windir%\Installer\MSIC9AD.tmp- by Controlled Folder Access.
Detection time: 2021-02-12T16:20:33.626Z
Path: %windir%\Installer\MSIC9AD.tmp-
Process Name: C:\Windows\SysWOW64\rundll32.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9
CodeIntegrity:
=================

==================== Memory info ===========================

BIOS: American Megatrends Inc. P4.20 10/31/2019
Motherboard: ASRock Z370 Taichi
Processor: Intel® Core™ i7-8700K CPU @ 3.70GHz
Percentage of memory in use: 95%
Total physical RAM: 8078.87 MB
Available physical RAM: 335.39 MB
Total Virtual: 16113.09 MB
Available Virtual: 2139.63 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.28 GB) (Free:22.09 GB) NTFS

\\?\Volume{3a6c2849-1e16-4dbe-96e3-abf1bca8eb23}\ () (Fixed) (Total:0.49 GB) (Free:0.08 GB) NTFS
\\?\Volume{db7d008b-f5b9-4895-9432-54afa5525b8d}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: 21ED1CEC)

Partition: GPT.

==================== End of Addition.txt =======================



#2
RKinner

    Malware Expert

  • Expert
  • 23,580 posts
  • MVP

Can you post the FRST.txt file?

Did you install Wireshark?



#3
jhormaneedshelp

    New Member

  • Topic Starter
  • Member
  • 4 posts

OpenVPN Daemon (I'm using ExpressVPN) = https://i.imgur.com/ksJGbEY.png

FRST.EXE

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-02-2021
Ran by joppe (administrator) on DESKTOP-3TUV7SN (13-02-2021 16:53:12)
Running from C:\Users\joppe\Downloads
Loaded Profiles: joppe
Platform: Windows 10 Home Version 20H2 19042.804 (X64) Language: English (United States)
Default browser: Edge
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Express Vpn LLC -> ExpressVPN) C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe
(Express Vpn LLC -> ExpressVPN) C:\Program Files (x86)\ExpressVPN\expressvpnd\expressvpnd.exe
(Express Vpn LLC -> ExpressVPN) C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe
(Express Vpn LLC -> ExpressVPN) C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe
(Express Vpn LLC -> The OpenVPN Project) C:\Program Files (x86)\ExpressVPN\expressvpnd\windows\openvpn.exe
(GlassWire -> SecureMix LLC) C:\Program Files (x86)\GlassWire\GlassWire.exe
(GlassWire -> SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
(GlassWire -> SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Windows Firewall Control\wfcs.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\mspaint.exe <2>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2101.9-0\MsMpEng.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2101.9-0\NisSrv.exe
(Mozilla Corporation -> Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe <13>
(Mozilla Corporation -> Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\Display.NvContainer\NVDisplay.Container.exe <2>
(TeamSpeak Systems GmbH -> TeamSpeak Systems GmbH) C:\Program Files\TeamSpeak 3 Client\ts3client_win64.exe
(Valve -> Valve Corporation) C:\Program Files (x86)\Common Files\Steam\steamservice.exe
(Valve -> Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe <9>
(Valve -> Valve Corporation) C:\Program Files (x86)\Steam\steam.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Malwarebytes Windows Firewall Control] => C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe [644784 2021-02-11] (Malwarebytes Inc -> Malwarebytes)
HKLM-x32\...\Run: [ExpressVPNNotificationService] => C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationServiceStarter.exe [373600 2021-01-18] (Express Vpn LLC -> ExpressVPN)
HKU\S-1-5-21-2652230216-8729904-3138564411-1001\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\glasswire.exe [8853400 2021-01-22] (GlassWire -> SecureMix LLC)
HKU\S-1-5-21-2652230216-8729904-3138564411-1001\...\Run: [ExpressVPN4] => C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe [850272 2021-01-18] (Express Vpn LLC -> ExpressVPN)

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1140CF5E-53DD-489F-AD84-1E18144AA744} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2101.9-0\MpCmdRun.exe [562240 2021-02-12] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {147E1FDB-0174-4CEB-BF1C-19B47739438A} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe [677344 2021-02-08] (Mozilla Corporation -> Mozilla Foundation)
Task: {19DA76C6-D9E6-4C6F-AA5F-3C33A03FF31B} - System32\Tasks\npcapwatchdog => C:\Program Files\Npcap\CheckStatus.bat [1145 2020-12-04] () [File not signed]
Task: {206E8576-B90E-4E71-BF7C-C24430B89C0B} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2101.9-0\MpCmdRun.exe [562240 2021-02-12] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {2302266A-60DC-46B3-8AD4-ECE5C8A82BB0} - System32\Tasks\Intel PTT EK Recertification => C:\Windows\System32\DriverStore\FileRepository\iclsclient.inf_amd64_75ffca5eec865b4b\lib\IntelPTTEKRecertification.exe [918288 2020-04-22] (Intel® Trust Services -> Intel® Corporation)
Task: {361D6428-2451-4FCA-9F9A-2B39A7D878E7} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2101.9-0\MpCmdRun.exe [562240 2021-02-12] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {763B8725-6C6C-4110-9F52-516EC0F7E422} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2101.9-0\MpCmdRun.exe [562240 2021-02-12] (Microsoft Windows Publisher -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.9
Tcpip\..\Interfaces\{6e995402-3b04-497d-b820-b746e9717bdf}: [DhcpNameServer] 10.45.0.1
Tcpip\..\Interfaces\{c06c3bd8-4bb9-4650-a91d-d4290c01f62f}: [DhcpNameServer] 192.168.1.9

Edge:
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\joppe\AppData\Local\Microsoft\Edge\User Data\Default [2021-02-13]

FireFox:
========
FF DefaultProfile: 97arsw6u.default
FF ProfilePath: C:\Users\joppe\AppData\Roaming\Mozilla\Firefox\Profiles\97arsw6u.default [2021-02-11]
FF ProfilePath: C:\Users\joppe\AppData\Roaming\Mozilla\Firefox\Profiles\isz77wii.default-release [2021-02-13]
FF Extension: (Reset Search Defaults) - C:\Users\joppe\AppData\Roaming\Mozilla\Firefox\Profiles\isz77wii.default-release\features\{ea2f2ae9-23d8-4f8a-a3d5-85546f58a8c4}\[email protected] [2021-02-12]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [805488 2021-02-11] (EasyAntiCheat Oy -> EasyAntiCheat Ltd)
R2 ExpressVPNService; C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe [437088 2021-01-18] (Express Vpn LLC -> ExpressVPN)
R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [6426008 2021-01-22] (GlassWire -> SecureMix LLC)
S2 rkrtservice; C:\Program Files\RogueKiller\RogueKillerSvc.exe [13686080 2021-01-13] (Adlice -> )
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2101.9-0\NisSrv.exe [2462960 2021-02-12] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 wfcs; C:\Program Files\Malwarebytes\Windows Firewall Control\wfcs.exe [125104 2021-02-11] (Malwarebytes Inc -> Malwarebytes)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2101.9-0\MsMpEng.exe [128376 2021-02-12] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f %ProgramData%\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 56329680; C:\Windows\system32\drivers\56329680.sys [255928 2021-02-12] (Malwarebytes Corporation -> Malwarebytes)
S3 BthA2dp; C:\Windows\System32\drivers\BthA2dp.sys [279040 2019-12-07] (Microsoft Corporation) [File not signed]
S3 expressvpnsplittunnel; C:\Program Files (x86)\ExpressVPN\splittunnel\expressvpnsplittunnel.sys [37024 2021-01-18] (ExprsVPN LLC -> ExpressVPN)
R3 expressvpnwintun; C:\Windows\System32\drivers\expressvpn-wintun.sys [46824 2021-01-18] (Express VPN International Ltd. -> ExpressVPN)
R1 gwdrv; C:\Windows\system32\DRIVERS\gwdrv.sys [33152 2015-05-29] (GlassWire -> SecureMix LLC)
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [192952 2021-02-12] (Malwarebytes Corporation -> Malwarebytes)
R3 MpKsladb6801b; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{75E51994-88B6-4795-9CA0-9DE52BCC708E}\MpKslDrv.sys [47344 2021-02-13] (Microsoft Windows -> Microsoft Corporation)
R3 tapexpressvpn; C:\Windows\System32\drivers\tapexpressvpn.sys [52904 2021-01-18] (ExprsVPN LLC -> The OpenVPN Project)
S0 WdBoot; C:\Windows\System32\drivers\wd\WdBoot.sys [49552 2021-02-12] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [419040 2021-02-12] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [71912 2021-02-12] (Microsoft Windows -> Microsoft Corporation)
U4 npcap_wifi; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Three months (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-02-13 16:52 - 2021-02-13 16:52 - 000000000 ____D C:\Users\joppe\Downloads\FRST-OlderVersion
2021-02-13 03:55 - 2021-02-13 03:55 - 002755584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2021-02-13 03:55 - 2021-02-13 03:55 - 002755584 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2021-02-13 03:55 - 2021-02-13 03:55 - 002260992 _____ C:\Windows\system32\TextInputMethodFormatter.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 002254336 _____ C:\Windows\system32\dwmscene.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 001822272 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2021-02-13 03:55 - 2021-02-13 03:55 - 001393496 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2021-02-13 03:55 - 2021-02-13 03:55 - 001333760 _____ C:\Windows\SysWOW64\TextInputMethodFormatter.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 001314112 _____ (Microsoft Corporation) C:\Windows\system32\SecConfig.efi
2021-02-13 03:55 - 2021-02-13 03:55 - 001162240 _____ C:\Windows\system32\MBR2GPT.EXE
2021-02-13 03:55 - 2021-02-13 03:55 - 000729600 _____ (Microsoft Corporation) C:\Windows\system32\hhctrl.ocx
2021-02-13 03:55 - 2021-02-13 03:55 - 000643072 _____ C:\Windows\system32\WindowManagementAPI.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000595968 _____ (Microsoft Corporation) C:\Windows\system32\appwiz.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000581120 _____ (Microsoft Corporation) C:\Windows\system32\PhotoScreensaver.scr
2021-02-13 03:55 - 2021-02-13 03:55 - 000575488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\hhctrl.ocx
2021-02-13 03:55 - 2021-02-13 03:55 - 000544768 _____ (Microsoft Corporation) C:\Windows\system32\mmsys.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PhotoScreensaver.scr
2021-02-13 03:55 - 2021-02-13 03:55 - 000469504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appwiz.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000455680 _____ C:\Windows\SysWOW64\WindowManagementAPI.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000446976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mmsys.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000422912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winspool.drv
2021-02-13 03:55 - 2021-02-13 03:55 - 000330752 _____ C:\Windows\SysWOW64\ssdm.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000306688 _____ C:\Windows\system32\HeatCore.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000304128 _____ (Microsoft Corporation) C:\Windows\system32\ksproxy.ax
2021-02-13 03:55 - 2021-02-13 03:55 - 000266240 _____ C:\Windows\SysWOW64\Windows.Internal.UI.Shell.WindowTabManager.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000240640 _____ C:\Windows\SysWOW64\CoreMas.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000238592 _____ (Microsoft Corporation) C:\Windows\system32\intl.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000235520 _____ C:\Windows\SysWOW64\HeatCore.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000234496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ksproxy.ax
2021-02-13 03:55 - 2021-02-13 03:55 - 000231232 _____ C:\Windows\system32\containerdevicemanagement.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000190976 _____ C:\Windows\system32\BthpanContextHandler.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000182272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\timedate.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000178688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\intl.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000170496 _____ (Microsoft Corporation) C:\Windows\system32\VBICodec.ax
2021-02-13 03:55 - 2021-02-13 03:55 - 000152064 _____ C:\Windows\system32\EoAExperiences.exe
2021-02-13 03:55 - 2021-02-13 03:55 - 000135168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\VBICodec.ax
2021-02-13 03:55 - 2021-02-13 03:55 - 000102912 _____ (Microsoft Corporation) C:\Windows\system32\ncpa.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000100864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncpa.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000095744 _____ C:\Windows\system32\VirtualMonitorManager.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2021-02-13 03:55 - 2021-02-13 03:55 - 000084992 _____ (Microsoft Corporation) C:\Windows\system32\wscui.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000072704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2021-02-13 03:55 - 2021-02-13 03:55 - 000067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscui.cpl
2021-02-13 03:55 - 2021-02-13 03:55 - 000067072 _____ C:\Windows\system32\BWContextHandler.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000060928 _____ C:\Windows\system32\runexehelper.exe
2021-02-13 03:55 - 2021-02-13 03:55 - 000053760 _____ C:\Windows\SysWOW64\BWContextHandler.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000048640 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000039936 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2021-02-13 03:55 - 2021-02-13 03:55 - 000010892 _____ C:\Windows\system32\DrtmAuthTxt.wim
2021-02-13 03:55 - 2021-02-13 03:55 - 000010752 _____ C:\Windows\SysWOW64\agentactivationruntimestarter.exe
2021-02-13 03:55 - 2021-02-13 03:55 - 000001370 _____ C:\Windows\system32\ThirdPartyNoticesBySHS.txt
2021-02-13 03:54 - 2021-02-13 03:54 - 000562688 _____ (Microsoft Corporation) C:\Windows\system32\winspool.drv
2021-02-13 03:54 - 2021-02-13 03:54 - 000455168 _____ C:\Windows\system32\ssdm.dll
2021-02-13 03:54 - 2021-02-13 03:54 - 000363520 _____ C:\Windows\system32\Windows.Internal.UI.Shell.WindowTabManager.dll
2021-02-13 03:54 - 2021-02-13 03:54 - 000287232 _____ C:\Windows\system32\CoreMas.dll
2021-02-13 03:54 - 2021-02-13 03:54 - 000243200 _____ (Microsoft Corporation) C:\Windows\system32\timedate.cpl
2021-02-13 03:54 - 2021-02-13 03:54 - 000165888 _____ C:\Windows\system32\DataStoreCacheDumpTool.exe
2021-02-13 03:54 - 2021-02-13 03:54 - 000089088 _____ C:\Windows\system32\windows.applicationmodel.conversationalagent.proxystub.dll
2021-02-13 03:54 - 2021-02-13 03:54 - 000074240 _____ C:\Windows\system32\rdsxvmaudio.dll
2021-02-13 03:54 - 2021-02-13 03:54 - 000073216 _____ C:\Windows\system32\windows.applicationmodel.conversationalagent.internal.proxystub.dll
2021-02-13 03:54 - 2021-02-13 03:54 - 000013312 _____ C:\Windows\system32\agentactivationruntimestarter.exe
2021-02-12 23:42 - 2021-02-13 00:02 - 000021209 _____ C:\Users\joppe\Downloads\Addition.txt
2021-02-12 23:42 - 2021-02-12 23:42 - 000029449 _____ C:\Users\joppe\Downloads\Shortcut.txt
2021-02-12 23:40 - 2021-02-13 16:53 - 000010321 _____ C:\Users\joppe\Downloads\FRST.txt
2021-02-12 23:40 - 2021-02-13 16:53 - 000000000 ____D C:\FRST
2021-02-12 23:37 - 2021-02-13 16:52 - 002297344 _____ (Farbar) C:\Users\joppe\Downloads\FRST64.exe
2021-02-12 23:31 - 2021-02-12 23:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2021-02-12 23:31 - 2021-02-12 23:31 - 000000000 ____D C:\Program Files\RogueKiller
2021-02-12 23:30 - 2021-02-12 23:36 - 000000000 ____D C:\ProgramData\RogueKiller
2021-02-12 23:30 - 2021-02-12 23:30 - 040487584 _____ (Adlice Software ) C:\Users\joppe\Downloads\RogueKiller_setup.exe
2021-02-12 23:28 - 2021-02-12 23:28 - 000000782 _____ C:\Users\joppe\Documents\eeset.txt
2021-02-12 23:26 - 2021-02-12 23:26 - 000000782 _____ C:\Users\joppe\Documents\ers.txt
2021-02-12 23:19 - 2021-02-12 23:30 - 000290262 _____ C:\TDSSKiller.3.1.0.28_12.02.2021_23.19.51_log.txt
2021-02-12 23:19 - 2021-02-12 23:19 - 005054744 _____ (AO Kaspersky Lab) C:\Users\joppe\Downloads\tdsskiller.exe
2021-02-12 23:18 - 2021-02-12 23:18 - 000003030 _____ C:\Users\joppe\file.txt
2021-02-12 23:03 - 2021-02-12 23:03 - 000021426 _____ C:\Users\joppe\Documents\yyes.txt
2021-02-12 23:02 - 2021-02-12 23:02 - 000755576 _____ (Sysinternals - www.sysinternals.com) C:\Users\joppe\Downloads\autoruns.exe
2021-02-12 23:01 - 2021-02-12 23:01 - 015019488 _____ (ESET spol. s r.o.) C:\Users\joppe\Downloads\esetonlinescanner.exe
2021-02-12 23:01 - 2021-02-12 23:01 - 000000778 _____ C:\Users\joppe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk
2021-02-12 23:01 - 2021-02-12 23:01 - 000000650 _____ C:\Users\joppe\Desktop\ESET Online Scanner.lnk
2021-02-12 23:01 - 2021-02-12 23:01 - 000000000 ____D C:\Users\joppe\AppData\Local\ESET
2021-02-12 21:42 - 2021-02-12 21:42 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\56329680.sys
2021-02-12 18:24 - 2021-02-12 18:26 - 000000000 ____D C:\Users\joppe\AppData\Local\ExpressVPN
2021-02-12 18:24 - 2021-02-12 18:24 - 000002330 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN.lnk
2021-02-12 18:24 - 2021-02-12 18:24 - 000000000 ____D C:\ProgramData\ExpressVPN
2021-02-12 18:24 - 2021-02-12 18:24 - 000000000 ____D C:\Program Files (x86)\ExpressVPN
2021-02-12 18:22 - 2021-02-12 23:57 - 000000000 ____D C:\Users\joppe\AppData\Local\CrashDumps
2021-02-12 18:19 - 2021-02-12 18:20 - 038594856 _____ (ExpressVPN) C:\Users\joppe\Downloads\expressvpn_windows_10.0.9.2_release.exe
2021-02-12 16:29 - 2021-02-12 16:29 - 003017720 _____ C:\Users\joppe\Documents\yus.pcapng
2021-02-12 16:18 - 2021-02-12 16:18 - 000000000 ____D C:\ProgramData\Intel
2021-02-12 15:56 - 2021-02-12 15:56 - 142545924 _____ C:\Users\joppe\Documents\yes.pcapng
2021-02-12 15:38 - 2021-02-12 15:38 - 000000000 ____D C:\Windows\SysWOW64\NV
2021-02-12 15:38 - 2021-02-12 15:38 - 000000000 ____D C:\Windows\system32\NV
2021-02-12 15:30 - 2021-02-12 15:30 - 000000000 ____D C:\Users\joppe\AppData\LocalLow\Intel
2021-02-12 15:26 - 2021-02-12 22:57 - 000000000 ____D C:\Users\joppe\Desktop\yeeeees
2021-02-12 15:26 - 2021-02-12 15:26 - 000000000 ____D C:\Intel
2021-02-12 15:26 - 2021-02-12 15:26 - 000000000 _____ C:\Windows\system32\GfxValDisplayLog.bin
2021-02-12 15:25 - 2020-09-11 11:36 - 000305992 _____ C:\Windows\system32\libmfxhw64.dll
2021-02-12 15:25 - 2020-09-11 11:36 - 000254520 _____ C:\Windows\SysWOW64\libmfxhw32.dll
2021-02-12 15:25 - 2020-09-11 11:36 - 000171472 _____ (Intel Corporation) C:\Windows\system32\intel_gfx_api-x64.dll
2021-02-12 15:25 - 2020-09-11 11:36 - 000146752 _____ (Intel Corporation) C:\Windows\SysWOW64\intel_gfx_api-x86.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 026676016 _____ (Intel Corporation) C:\Windows\system32\mfxplugin64_hw.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 013519664 _____ (Intel Corporation) C:\Windows\SysWOW64\mfxplugin32_hw.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 001790192 _____ C:\Windows\system32\vulkaninfo-1-999-0-0-0.exe
2021-02-12 15:25 - 2020-09-11 11:35 - 001790192 _____ C:\Windows\system32\vulkaninfo.exe
2021-02-12 15:25 - 2020-09-11 11:35 - 001386224 _____ C:\Windows\SysWOW64\vulkaninfo-1-999-0-0-0.exe
2021-02-12 15:25 - 2020-09-11 11:35 - 001386224 _____ C:\Windows\SysWOW64\vulkaninfo.exe
2021-02-12 15:25 - 2020-09-11 11:35 - 001096800 _____ C:\Windows\system32\vulkan-1-999-0-0-0.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 001096800 _____ C:\Windows\system32\vulkan-1.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 000949856 _____ C:\Windows\SysWOW64\vulkan-1-999-0-0-0.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 000949856 _____ C:\Windows\SysWOW64\vulkan-1.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 000507696 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 000462640 _____ C:\Windows\system32\ze_loader.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 000370480 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2021-02-12 15:25 - 2020-09-11 11:35 - 000148784 _____ C:\Windows\system32\ze_validation_layer.dll
2021-02-12 14:54 - 2021-02-12 14:54 - 000178164 _____ C:\Users\joppe\Documents\dafuqq.pcapng
2021-02-12 14:47 - 2021-02-12 14:47 - 000241972 _____ C:\Users\joppe\Documents\dafuq.pcapng
2021-02-12 13:59 - 2021-02-12 13:59 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\43761732.sys
2021-02-12 13:18 - 2021-02-12 13:18 - 000003840 _____ C:\Windows\system32\Tasks\Intel PTT EK Recertification
2021-02-12 13:11 - 2021-02-12 13:12 - 000000000 ____D C:\Users\joppe\AppData\Roaming\Wireshark
2021-02-12 13:05 - 2021-02-12 13:05 - 000001827 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
2021-02-12 13:04 - 2021-02-12 13:04 - 000003190 _____ C:\Windows\system32\Tasks\npcapwatchdog
2021-02-12 13:04 - 2021-02-12 13:04 - 000000000 ____D C:\Windows\SysWOW64\Npcap
2021-02-12 13:04 - 2021-02-12 13:04 - 000000000 ____D C:\Windows\system32\Npcap
2021-02-12 13:04 - 2021-02-12 13:04 - 000000000 ____D C:\Program Files\Npcap
2021-02-12 13:03 - 2021-02-12 13:05 - 000000000 ____D C:\Program Files\Wireshark
2021-02-12 12:59 - 2021-02-12 12:59 - 061482312 _____ (Wireshark development team) C:\Users\joppe\Downloads\Wireshark-win64-3.4.3.exe
2021-02-12 12:20 - 2021-02-13 16:53 - 000000000 ____D C:\Users\joppe\AppData\Roaming\TS3Client
2021-02-12 12:20 - 2021-02-12 12:20 - 000000970 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client.lnk
2021-02-12 12:20 - 2021-02-12 12:20 - 000000000 ____D C:\Users\joppe\AppData\Local\TeamSpeak 3
2021-02-12 12:20 - 2021-02-12 12:20 - 000000000 ____D C:\Program Files\TeamSpeak 3 Client
2021-02-12 12:18 - 2021-02-12 12:18 - 090699776 _____ (TeamSpeak Systems GmbH) C:\Users\joppe\Downloads\TeamSpeak3-Client-win64-3.5.6(1).exe
2021-02-12 12:15 - 2021-02-12 12:15 - 000007617 _____ C:\Users\joppe\AppData\Local\Resmon.ResmonCfg
2021-02-12 12:14 - 2021-02-12 12:14 - 090699776 _____ (TeamSpeak Systems GmbH) C:\Users\joppe\Downloads\TeamSpeak3-Client-win64-3.5.6.exe
2021-02-12 12:07 - 2021-02-12 12:07 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\5151A26A.sys
2021-02-12 12:07 - 2021-02-12 12:07 - 000000000 ____D C:\ProgramData\Malwarebytes
2021-02-12 12:06 - 2021-02-12 21:45 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2021-02-12 12:06 - 2021-02-12 21:34 - 000000000 ____D C:\Users\joppe\Desktop\mbar
2021-02-12 12:06 - 2021-02-12 13:59 - 000192952 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2021-02-12 12:03 - 2021-02-12 12:03 - 014178840 _____ (Malwarebytes Corp.) C:\Users\joppe\Downloads\mbar-1.10.3.1001.exe
2021-02-12 12:00 - 2021-02-12 12:16 - 000000000 ____D C:\Users\joppe\Desktop\yes
2021-02-12 11:25 - 2021-02-12 11:25 - 000000000 ____D C:\Users\joppe\AppData\Local\D3DSCache
2021-02-12 11:21 - 2021-02-12 11:21 - 000000000 ____D C:\Users\joppe\AppData\Local\cache
2021-02-12 11:20 - 2021-02-12 11:29 - 000000000 ____D C:\Program Files (x86)\Overwatch
2021-02-12 11:20 - 2021-02-12 11:20 - 000000000 ____D C:\ProgramData\Blizzard Entertainment
2021-02-12 11:19 - 2021-02-12 12:20 - 000000000 ____D C:\Users\joppe\AppData\Local\Battle.net
2021-02-12 11:19 - 2021-02-12 11:21 - 000000000 ____D C:\Users\joppe\AppData\Roaming\Battle.net
2021-02-12 11:19 - 2021-02-12 11:20 - 000000000 ____D C:\Program Files (x86)\Battle.net
2021-02-12 11:19 - 2021-02-12 11:19 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battle.net
2021-02-12 11:18 - 2021-02-12 11:20 - 000000000 ____D C:\Users\joppe\AppData\Local\Blizzard Entertainment
2021-02-12 11:17 - 2021-02-12 11:17 - 005011952 _____ (Blizzard Entertainment) C:\Users\joppe\Downloads\Overwatch-Setup.exe
2021-02-12 11:17 - 2021-02-12 11:17 - 000000000 ____D C:\ProgramData\Battle.net
2021-02-12 10:54 - 2021-02-12 10:54 - 000000000 ____D C:\Users\joppe\AppData\Local\glasswire
2021-02-12 10:54 - 2021-02-12 10:54 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlassWire
2021-02-12 10:53 - 2021-02-12 10:54 - 000000000 ____D C:\ProgramData\GlassWire
2021-02-12 10:53 - 2021-02-12 10:54 - 000000000 ____D C:\Program Files (x86)\GlassWire
2021-02-12 10:53 - 2015-05-29 09:30 - 000008392 _____ C:\Windows\system32\Drivers\gwdrv.cat
2021-02-12 10:53 - 2015-05-29 09:15 - 000033152 _____ (SecureMix LLC) C:\Windows\system32\Drivers\gwdrv.sys
2021-02-12 10:45 - 2021-02-12 10:47 - 055652664 _____ (SecureMix LLC) C:\Users\joppe\Downloads\GlassWireSetup.exe
2021-02-12 10:20 - 2021-02-12 18:24 - 000000000 ____D C:\ProgramData\Package Cache
2021-02-12 10:20 - 2021-02-12 10:20 - 000000000 ____D C:\Users\joppe\AppData\Roaming\EasyAntiCheat
2021-02-12 10:20 - 2021-02-12 10:20 - 000000000 ____D C:\Program Files (x86)\EasyAntiCheat
2021-02-12 09:27 - 2021-02-12 09:27 - 000000219 _____ C:\Users\joppe\Desktop\Counter-Strike Global Offensive.url
2021-02-12 08:26 - 2021-02-12 08:26 - 000000000 ____D C:\Users\joppe\AppData\Local\Comms
2021-02-12 07:06 - 2021-02-11 21:07 - 000000000 ____D C:\Windows\Panther
2021-02-11 23:14 - 2021-02-11 23:14 - 000000000 ___HD C:\$WinREAgent
2021-02-11 21:22 - 2021-02-11 21:22 - 000000000 ____D C:\Users\joppe\AppData\Local\OneDrive
2021-02-11 21:21 - 2021-02-11 21:21 - 000001364 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Malwarebytes Windows Firewall Control.lnk
2021-02-11 21:21 - 2021-02-11 21:21 - 000000000 ____D C:\Program Files\Malwarebytes
2021-02-11 21:19 - 2021-02-11 21:20 - 002818224 _____ (Malwarebytes) C:\Users\joppe\Downloads\wfc6setup.exe
2021-02-11 21:19 - 2021-02-11 21:19 - 000000222 _____ C:\Users\joppe\Desktop\Borderlands 3.url
2021-02-11 21:18 - 2021-02-13 04:13 - 000000000 ____D C:\ProgramData\NVIDIA
2021-02-11 21:15 - 2021-02-12 09:27 - 000000000 ____D C:\Users\joppe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2021-02-11 21:15 - 2021-02-11 21:15 - 000000223 _____ C:\Users\joppe\Desktop\Apex Legends.url
2021-02-11 21:14 - 2021-02-11 23:14 - 000000000 ____D C:\ProgramData\NVIDIA Corporation
2021-02-11 21:14 - 2021-02-11 21:14 - 000000000 ____D C:\Windows\system32\Drivers\NVIDIA Corporation
2021-02-11 21:14 - 2021-02-11 21:14 - 000000000 ____D C:\Users\joppe\AppData\Local\Steam
2021-02-11 21:14 - 2021-02-11 21:14 - 000000000 ____D C:\Users\joppe\AppData\Local\CEF
2021-02-11 21:14 - 2021-02-11 21:14 - 000000000 ____D C:\Program Files\NVIDIA Corporation
2021-02-11 21:14 - 2020-10-07 13:34 - 001023216 _____ (NVIDIA Corporation) C:\Windows\system32\nvml.dll
2021-02-11 21:14 - 2020-10-07 13:34 - 000816368 _____ (NVIDIA Corporation) C:\Windows\system32\nvmcumd.dll
2021-02-11 21:14 - 2020-10-07 13:34 - 000673520 _____ C:\Windows\system32\nvofapi64.dll
2021-02-11 21:14 - 2020-10-07 13:34 - 000670616 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFROpenGL.dll
2021-02-11 21:14 - 2020-10-07 13:34 - 000555248 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFROpenGL.dll
2021-02-11 21:14 - 2020-10-07 13:34 - 000543128 _____ C:\Windows\SysWOW64\nvofapi.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 007707544 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 006860184 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 004174064 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 002508528 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 002098072 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 001585560 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 001507224 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 001161112 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 000813464 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 000657304 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2021-02-11 21:14 - 2020-10-07 13:33 - 000589208 _____ (NVIDIA Corporation) C:\Windows\system32\nvidia-smi.exe
2021-02-11 21:14 - 2020-10-07 13:33 - 000445848 _____ (NVIDIA Corporation) C:\Windows\system32\nvdebugdump.exe
2021-02-11 21:14 - 2020-10-07 13:33 - 000230720 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda64v.sys
2021-02-11 21:14 - 2020-10-07 13:33 - 000047232 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhdap64.dll
2021-02-11 21:14 - 2020-10-07 13:32 - 005519600 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2021-02-11 21:14 - 2020-10-07 13:32 - 000849648 _____ (NVIDIA Corporation) C:\Windows\system32\MCU.exe
2021-02-11 21:14 - 2020-10-07 13:29 - 007001536 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2021-02-11 21:14 - 2020-10-07 13:29 - 005972824 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2021-02-11 21:14 - 2020-10-07 13:11 - 000080930 _____ C:\Windows\system32\nvinfo.pb
2021-02-11 21:13 - 2021-02-13 16:13 - 000000000 ____D C:\Program Files (x86)\Steam
2021-02-11 21:13 - 2021-02-13 04:20 - 000795738 _____ C:\Windows\system32\PerfStringBackup.INI
2021-02-11 21:13 - 2021-02-11 21:13 - 001770744 _____ C:\Users\joppe\Downloads\SteamSetup.exe
2021-02-11 21:13 - 2021-02-11 21:13 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
2021-02-11 21:12 - 2021-02-13 04:15 - 000000000 ____D C:\ProgramData\Mozilla
2021-02-11 21:12 - 2021-02-13 04:14 - 000000000 ____D C:\Users\joppe\AppData\LocalLow\Mozilla
2021-02-11 21:12 - 2021-02-11 21:12 - 000333040 _____ (Mozilla) C:\Users\joppe\Downloads\Firefox Installer.exe
2021-02-11 21:12 - 2021-02-11 21:12 - 000001005 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2021-02-11 21:12 - 2021-02-11 21:12 - 000000000 ____D C:\Windows\system32\Tasks\Mozilla
2021-02-11 21:12 - 2021-02-11 21:12 - 000000000 ____D C:\Users\joppe\AppData\Roaming\Mozilla
2021-02-11 21:12 - 2021-02-11 21:12 - 000000000 ____D C:\Users\joppe\AppData\Local\Mozilla
2021-02-11 21:12 - 2021-02-11 21:12 - 000000000 ____D C:\Program Files\Mozilla Firefox
2021-02-11 21:12 - 2021-02-11 21:12 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2021-02-11 21:11 - 2021-02-11 21:11 - 000003374 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2652230216-8729904-3138564411-1001
2021-02-11 21:11 - 2021-02-11 21:11 - 000000000 ___RD C:\Users\joppe\OneDrive
2021-02-11 21:11 - 2021-02-11 21:11 - 000000000 ____D C:\Users\joppe\AppData\Local\PlaceholderTileLogoFolder
2021-02-11 21:10 - 2021-02-13 03:56 - 000000000 ____D C:\Users\joppe\AppData\Local\Packages
2021-02-11 21:10 - 2021-02-12 15:27 - 000000000 ____D C:\Users\joppe\AppData\Local\Publishers
2021-02-11 21:10 - 2021-02-11 21:10 - 000000000 ___RD C:\Users\joppe\3D Objects
2021-02-11 21:10 - 2021-02-11 21:10 - 000000000 ____D C:\Users\joppe\AppData\Roaming\Adobe
2021-02-11 21:10 - 2021-02-11 21:10 - 000000000 ____D C:\Users\joppe\AppData\Local\VirtualStore
2021-02-11 21:09 - 2021-02-12 23:18 - 000000000 ____D C:\Users\joppe
2021-02-11 21:09 - 2021-02-11 21:11 - 000002359 _____ C:\Users\joppe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2021-02-11 21:09 - 2021-02-11 21:10 - 000000000 ____D C:\Users\joppe\AppData\Local\ConnectedDevicesPlatform
2021-02-11 21:09 - 2021-02-11 21:09 - 000000020 ___SH C:\Users\joppe\ntuser.ini
2021-02-11 21:08 - 2021-02-11 21:08 - 000000000 _SHDL C:\Documents and Settings
2021-02-11 21:07 - 2021-02-11 21:07 - 000002846 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2652230216-8729904-3138564411-500
2021-02-11 21:07 - 2021-02-11 21:07 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2021-02-11 21:06 - 2021-02-13 04:13 - 000008192 ___SH C:\DumpStack.log.tmp
2021-01-18 11:26 - 2021-01-18 11:26 - 000052904 _____ (The OpenVPN Project) C:\Windows\system32\Drivers\tapexpressvpn.sys
2021-01-18 11:26 - 2021-01-18 11:26 - 000046824 _____ (ExpressVPN) C:\Windows\system32\Drivers\expressvpn-wintun.sys
2020-12-11 23:40 - 2020-12-11 23:40 - 000074616 _____ (Insecure.Com LLC.) C:\Windows\system32\Drivers\npcap.sys
2020-11-19 09:38 - 2020-11-19 09:38 - 000003394 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-3538912014-3826891016-3662973680-500
2020-11-19 09:34 - 2020-11-19 09:34 - 000000000 ____D C:\ProgramData\Microsoft OneDrive
2020-11-19 09:33 - 2021-02-13 03:56 - 000000000 ____D C:\ProgramData\Packages
2020-11-19 09:32 - 2021-02-13 04:15 - 000002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2020-11-19 09:32 - 2021-02-11 21:10 - 000003480 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2020-11-19 09:32 - 2021-02-11 21:10 - 000003356 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2020-11-19 09:30 - 2021-02-13 16:12 - 000000000 ____D C:\Windows\system32\SleepStudy
2020-11-19 09:30 - 2021-02-13 04:13 - 000257824 _____ C:\Windows\system32\FNTCACHE.DAT
2020-11-19 09:30 - 2021-02-13 04:13 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2020-11-19 09:30 - 2021-02-12 11:26 - 000000000 ____D C:\Windows\system32\Drivers\wd
2020-11-19 09:30 - 2020-11-19 09:30 - 000000000 ____D C:\Windows\ServiceProfiles
2020-11-19 04:53 - 2020-11-19 04:53 - 000000000 ____D C:\ProgramData\ssh
2020-11-19 04:49 - 2020-11-19 04:49 - 004898144 _____ (Microsoft Corporation) C:\Windows\system32\rtmpltfm.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 003860832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rtmpltfm.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 001354080 _____ (Microsoft Corporation) C:\Windows\system32\rtmpal.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 001091936 _____ (Microsoft Corporation) C:\Windows\system32\rtmcodecs.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 001032544 _____ (Microsoft Corporation) C:\Windows\system32\ortcengine.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 000980320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rtmpal.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 000915296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rtmcodecs.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 000732000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ortcengine.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 000611952 _____ C:\Windows\SysWOW64\TextShaping.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 000266752 _____ (Microsoft Corporation) C:\Windows\system32\bthprops.cpl
2020-11-19 04:49 - 2020-11-19 04:49 - 000266240 _____ (Microsoft Corporation) C:\Windows\system32\mpg2splt.ax
2020-11-19 04:49 - 2020-11-19 04:49 - 000221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bthprops.cpl
2020-11-19 04:49 - 2020-11-19 04:49 - 000204800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mpg2splt.ax
2020-11-19 04:49 - 2020-11-19 04:49 - 000112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\activeds.tlb
2020-11-19 04:49 - 2020-11-19 04:49 - 000112128 _____ (Microsoft Corporation) C:\Windows\system32\activeds.tlb
2020-11-19 04:49 - 2020-11-19 04:49 - 000056672 _____ (Microsoft Corporation) C:\Windows\system32\rtmmvrortc.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 000055376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rtmmvrortc.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 000047472 _____ C:\Windows\SysWOW64\umpdc.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 000045880 _____ C:\Windows\system32\HvSocket.dll
2020-11-19 04:49 - 2020-11-19 04:49 - 000023552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msacm32.drv
2020-11-19 04:48 - 2020-11-19 04:48 - 004227116 _____ C:\Windows\system32\DefaultHrtfs.bin
2020-11-19 04:48 - 2020-11-19 04:48 - 002260480 _____ (The ICU Project) C:\Windows\system32\icu.dll
2020-11-19 04:48 - 2020-11-19 04:48 - 000707544 _____ C:\Windows\system32\TextShaping.dll
2020-11-19 04:48 - 2020-11-19 04:48 - 000197632 _____ C:\Windows\system32\IHDS.dll
2020-11-19 04:48 - 2020-11-19 04:48 - 000064552 _____ C:\Windows\system32\umpdc.dll
2020-11-19 04:48 - 2020-11-19 04:48 - 000030208 _____ (Microsoft Corporation) C:\Windows\system32\msacm32.drv
2020-11-19 04:48 - 2020-11-19 04:48 - 000029696 _____ (The ICU Project) C:\Windows\system32\icuuc.dll
2020-11-19 04:48 - 2020-11-19 04:48 - 000025088 _____ (The ICU Project) C:\Windows\system32\icuin.dll
2020-11-19 01:14 - 2019-12-07 11:08 - 000413738 __RSH C:\bootmgr
2020-11-19 01:14 - 2019-12-07 11:08 - 000000001 ___SH C:\BOOTNXT

==================== Three months (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-02-13 16:32 - 2019-12-07 11:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2021-02-13 04:20 - 2019-12-07 11:13 - 000000000 ____D C:\Windows\INF
2021-02-13 04:15 - 2019-12-07 11:14 - 000000000 ___HD C:\Program Files\WindowsApps
2021-02-13 04:15 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\AppReadiness
2021-02-13 04:13 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\ServiceState
2021-02-13 04:12 - 2019-12-07 11:52 - 000000000 ____D C:\Program Files\Windows Photo Viewer
2021-02-13 04:12 - 2019-12-07 11:52 - 000000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ___SD C:\Windows\SysWOW64\F12
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ___SD C:\Windows\SysWOW64\DiagSvcs
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ___SD C:\Windows\system32\UNP
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ___SD C:\Windows\system32\F12
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ___SD C:\Windows\system32\DiagSvcs
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ___RD C:\Windows\PrintDialog
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\SysWOW64\setup
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\SysWOW64\PerceptionSimulation
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\SysWOW64\oobe
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\SysWOW64\Keywords
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\SysWOW64\Dism
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\SysWOW64\Com
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\SystemResources
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\WinBioPlugIns
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\SystemResetPlatform
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\Sysprep
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\setup
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\PerceptionSimulation
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\oobe
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\migwiz
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\Keywords
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\es-MX
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\Dism
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\Com
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\system32\AdvancedInstallers
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\ShellExperiences
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\ShellComponents
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\Provisioning
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\PolicyDefinitions
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\IME
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\bcastdvr
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Program Files\Windows Defender
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Program Files\Common Files\System
2021-02-13 04:12 - 2019-12-07 11:14 - 000000000 ____D C:\Program Files (x86)\Windows Defender
2021-02-13 04:12 - 2019-12-07 11:03 - 000262144 _____ C:\Windows\system32\config\BBI
2021-02-13 04:12 - 2019-12-07 11:03 - 000000000 ____D C:\Windows\servicing
2021-02-13 03:57 - 2019-12-07 11:03 - 000000000 ____D C:\Windows\CbsTemp
2021-02-12 10:20 - 2019-12-07 11:14 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2021-02-12 07:06 - 2019-12-07 11:14 - 000028672 _____ C:\Windows\system32\config\BCD-Template
2021-02-12 04:26 - 2019-12-07 11:14 - 000000000 ____D C:\Windows\appcompat
2021-02-11 21:27 - 2019-12-07 11:51 - 000000000 ____D C:\Windows\OCR
2021-02-11 21:10 - 2019-12-07 11:50 - 000000000 ____D C:\Windows\system32\FxsTmp
2021-02-11 21:09 - 2019-12-07 11:14 - 000000000 ____D C:\ProgramData\USOPrivate

==================== Files in the root of some directories ========

2021-02-12 12:15 - 2021-02-12 12:15 - 000007617 _____ () C:\Users\joppe\AppData\Local\Resmon.ResmonCfg

==================== SigCheckExt =========================

2021-02-12 23:37 - 2021-02-13 16:52 - 002297344 _____ (Farbar) C:\Users\joppe\Downloads\FRST64.exe

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


==================== BCD ================================

Firmware Boot Manager
---------------------
identifier              {fwbootmgr}
displayorder            {bootmgr}
timeout                 1

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\MICROSOFT\BOOT\BOOTMGFW.EFI
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {8e7c0347-6cef-11eb-82da-f1e30c47839b}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {8e7c0349-6cef-11eb-82da-f1e30c47839b}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {8e7c0347-6cef-11eb-82da-f1e30c47839b}
nx                      OptIn
bootmenupolicy          Standard

Windows Boot Loader
-------------------
identifier              {8e7c0349-6cef-11eb-82da-f1e30c47839b}
device                  ramdisk=[\Device\HarddiskVolume4]\Recovery\WindowsRE\Winre.wim,{8e7c034a-6cef-11eb-82da-f1e30c47839b}
path                    \windows\system32\winload.efi
description             Windows Recovery Environment
locale                  en-us
inherit                 {bootloadersettings}
displaymessage          Recovery
osdevice                ramdisk=[\Device\HarddiskVolume4]\Recovery\WindowsRE\Winre.wim,{8e7c034a-6cef-11eb-82da-f1e30c47839b}
systemroot              \windows
nx                      OptIn
bootmenupolicy          Standard
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {8e7c0347-6cef-11eb-82da-f1e30c47839b}
device                  partition=C:
path                    \Windows\system32\winresume.efi
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
recoverysequence        {8e7c0349-6cef-11eb-82da-f1e30c47839b}
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
filedevice              partition=C:
filepath                \hiberfil.sys
bootmenupolicy          Standard
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\memtest.efi
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 No

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Local

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {8e7c034a-6cef-11eb-82da-f1e30c47839b}
description             Windows Recovery
ramdisksdidevice        partition=\Device\HarddiskVolume4
ramdisksdipath          \Recovery\WindowsRE\boot.sdi

==================== End of FRST.txt ========================

Addition.exe

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-02-2021
Ran by joppe (13-02-2021 16:54:54)
Running from C:\Users\joppe\Downloads
Windows 10 Home Version 20H2 19042.804 (X64) (2021-02-11 19:08:20)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2652230216-8729904-3138564411-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2652230216-8729904-3138564411-503 - Limited - Disabled)
Guest (S-1-5-21-2652230216-8729904-3138564411-501 - Limited - Disabled)
joppe (S-1-5-21-2652230216-8729904-3138564411-1001 - Administrator - Enabled) => C:\Users\joppe
WDAGUtilityAccount (S-1-5-21-2652230216-8729904-3138564411-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
ExpressVPN (HKLM-x32\...\{57e033a5-c75e-4823-83af-c1b6b3b759ab}) (Version: 10.0.9.2 - ExpressVPN)
ExpressVPN (HKLM-x32\...\{E5B9C3E5-889C-4F22-A959-F4B876CD0833}) (Version: 10.0.9.2 - ExpressVPN) Hidden
GlassWire 2.2 (remove only) (HKLM-x32\...\GlassWire 2.2) (Version: 2.2.291 - SecureMix LLC)
Malwarebytes Windows Firewall Control (HKLM\...\Windows Firewall Control) (Version: 6.4.0.0 - BiniSoft.org)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 88.0.705.68 - Microsoft Corporation)
Microsoft Edge Update (HKLM-x32\...\Microsoft Edge Update) (Version: 1.3.141.59 - )
Microsoft OneDrive (HKU\S-1-5-21-2652230216-8729904-3138564411-1001\...\OneDriveSetup.exe) (Version: 21.002.0104.0005 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.28.29334 (HKLM-x32\...\{a9cfe9c7-e54f-46cd-9c5c-542ff8e3e8c4}) (Version: 14.28.29334.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.24.28127 (HKLM-x32\...\{e31cb1a4-76b5-46a5-a084-3fa419e82201}) (Version: 14.24.28127.4 - Microsoft Corporation)
Mozilla Firefox 85.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 85.0.2 (x64 en-US)) (Version: 85.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 85.0.2 - Mozilla)
Npcap (HKLM-x32\...\NpcapInst) (Version: 1.10 - Nmap Project)
NVIDIA Graphics Driver 456.71 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 456.71 - NVIDIA Corporation)
RogueKiller version 14.8.4.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 14.8.4.0 - Adlice Software)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.5.6 - TeamSpeak Systems GmbH)
Wireshark 3.4.3 64-bit (HKLM-x32\...\Wireshark) (Version: 3.4.3 - The Wireshark developer community, hxxps://www.wireshark.org)

Packages:
=========
Cortana -> C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation)
Intel® Graphics Command Center -> C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.3282.0_x64__8j3eq9eme6ctt [2021-02-12] (INTEL CORP) [Startup Task]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.9.1252.0_x64__8wekyb3d8bbwe [2021-02-13] (Microsoft Studios) [MS Ad]
MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
NVIDIA Control Panel -> C:\Program Files\WindowsApps\NVIDIACorp.NVIDIAControlPanel_8.1.960.0_x64__56jybvy8sckqj [2021-02-11] (NVIDIA Corp.)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} =>  -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} =>  -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers4: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvshext.dll [2020-10-07] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers6: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2019-04-09 10:21 - 2019-04-09 10:21 - 000018432 _____ () [File not signed] C:\Program Files\TeamSpeak 3 Client\libEGL.DLL
2019-04-09 10:21 - 2019-04-09 10:21 - 003572224 _____ () [File not signed] C:\Program Files\TeamSpeak 3 Client\libGLESv2.dll
2021-02-12 12:20 - 2021-02-12 12:20 - 000157696 _____ () [File not signed] C:\Users\joppe\AppData\Roaming\TS3Client\plugins\gamepad_joystick_win64.dll
2019-04-10 18:30 - 2019-04-10 18:30 - 000035328 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\iconengines\qsvgicon.dll
2019-04-09 10:28 - 2019-04-09 10:28 - 000031744 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\imageformats\qgif.dll
2019-04-09 10:29 - 2019-04-09 10:29 - 000397312 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\imageformats\qjpeg.dll
2019-04-10 18:29 - 2019-04-10 18:29 - 000025600 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\imageformats\qsvg.dll
2019-04-09 10:30 - 2019-04-09 10:30 - 001453568 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\platforms\qwindows.dll
2019-05-31 13:05 - 2019-05-31 13:05 - 006130176 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Core.dll
2019-04-09 10:25 - 2019-04-09 10:25 - 006470656 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Gui.dll
2019-04-09 10:24 - 2019-04-09 10:24 - 001314816 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Network.dll
2019-04-10 19:31 - 2019-04-10 19:31 - 000317440 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Positioning.dll
2019-04-09 10:28 - 2019-04-09 10:28 - 000318464 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5PrintSupport.dll
2019-04-10 18:55 - 2019-04-10 18:55 - 004001792 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Qml.dll
2019-04-10 18:48 - 2019-04-10 18:48 - 003776000 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Quick.dll
2019-04-10 18:50 - 2019-04-10 18:50 - 000072704 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5QuickWidgets.dll
2019-04-09 10:23 - 2019-04-09 10:23 - 000205312 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Sql.dll
2019-04-10 18:29 - 2019-04-10 18:29 - 000332288 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Svg.dll
2019-04-10 19:40 - 2019-04-10 19:40 - 000113664 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5WebChannel.dll
2019-04-11 03:37 - 2019-04-11 03:37 - 079989760 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5WebEngineCore.dll
2019-04-11 03:54 - 2019-04-11 03:54 - 000228864 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5WebEngineWidgets.dll
2019-04-09 10:27 - 2019-04-09 10:27 - 005580800 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\Qt5Widgets.dll
2019-04-09 10:28 - 2019-04-09 10:28 - 001151488 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\sqldrivers\qsqlite.dll
2019-04-09 10:29 - 2019-04-09 10:29 - 000137216 _____ (The Qt Company Ltd.) [File not signed] C:\Program Files\TeamSpeak 3 Client\styles\qwindowsvistastyle.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

SearchScopes: HKU\S-1-5-21-2652230216-8729904-3138564411-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 11:14 - 2019-12-07 11:12 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2652230216-8729904-3138564411-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 10.45.0.1 - 192.168.1.9
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{A94C2BD9-2E61-43A8-9BDF-C6F388A9BF08}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{D8B8372F-DB51-4D8A-B5D4-ABF72060FF31}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{BEC55E94-C8D4-4026-B104-BC9E42FA43A3}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe (Valve -> Valve Corporation)
FirewallRules: [{8EA43025-C40A-4AA4-BAD6-659E6B41BA3B}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe (Valve -> Valve Corporation)
FirewallRules: [{1489B6A4-A080-44EF-BCB8-F3366DF7E678}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{26EA697F-0201-47C8-9953-160971B4B603}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{1E758833-0F0F-4340-81A7-90E8B38009C7}] => (Allow) C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe (Malwarebytes Inc -> Malwarebytes)
FirewallRules: [{956158C5-E157-4921-AE8F-E88FEB3DE02C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Apex Legends\EasyAntiCheat_launcher.exe (EasyAntiCheat Oy -> EasyAntiCheat Ltd)
FirewallRules: [{819BD8B2-3534-4259-A948-2198C9FF0B63}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Apex Legends\EasyAntiCheat_launcher.exe (EasyAntiCheat Oy -> EasyAntiCheat Ltd)
FirewallRules: [{F7D5FBAA-14B0-4F8E-AA25-3C7502607726}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe (Valve -> )
FirewallRules: [{947B6B0A-0C95-4D77-B10E-06BA09E22406}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe (Valve -> )
FirewallRules: [{9F63ECE7-3BDC-4D7E-ACBA-7C89B62D2676}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe (GlassWire -> SecureMix LLC)
FirewallRules: [{0817D391-7405-4269-AD14-48242FAB8D84}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe (GlassWire -> SecureMix LLC)
FirewallRules: [{BB329C78-FC59-4F49-B1A6-C59BBE5BE9C9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 3\OakGame\Binaries\Win64\Borderlands3.exe (Gearbox Software, L.L.C. -> Gearbox Software)
FirewallRules: [{61EB08C4-1C76-478B-80BE-5B7943CB42C0}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 3\OakGame\Binaries\Win64\Borderlands3.exe (Gearbox Software, L.L.C. -> Gearbox Software)
FirewallRules: [{D7732F20-0E6E-4317-A782-107F09E755AD}] => (Allow) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{802B7AD0-3CD0-46E7-8B24-0ACFDB2901FC}] => (Allow) C:\program files (x86)\steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{BA569683-A3F5-4620-8682-FE8C570B10CA}] => (Allow) C:\programdata\battle.net\agent\agent.7269\agent.exe (Blizzard Entertainment, Inc. -> Blizzard Entertainment)
FirewallRules: [{D070CAB5-E87A-40BD-837D-4EF420924C73}] => (Allow) C:\program files (x86)\steam\steam.exe (Valve -> Valve Corporation)
FirewallRules: [{8BAE805C-3032-4F32-9D05-2E4B297A30FC}] => (Allow) C:\program files (x86)\battle.net\battle.net.exe (Blizzard Entertainment, Inc. -> Blizzard Entertainment)
FirewallRules: [{445CAA23-5C69-4617-A509-1B2C05DF0206}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.68.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{D762484E-BBB7-4A88-90E0-46B3211D9DB5}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.68.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{AADDE67B-D7BB-483E-8FA0-182E6A6B89B9}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.68.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{9A75D06A-8931-4A86-9119-1BE2C7DE0BFC}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.68.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)

==================== Restore Points =========================

Check "VSS" service


==================== Faulty Device Manager Devices ============

Name: PCI Data Acquisition and Signal Processing Controller
Description: PCI Data Acquisition and Signal Processing Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Memory Controller
Description: PCI Memory Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: ========================

Application errors:
==================
Error: (02/13/2021 04:55:23 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.


Operation:
   Instantiating VSS server

Error: (02/13/2021 04:55:23 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
   Instantiating VSS server

Error: (02/13/2021 03:51:58 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.740_none_e752aa59261f271f\TiWorker.exe -Embedding; Description = Windows Modules Installer; Error = 0x80042302).

Error: (02/13/2021 03:51:58 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.


Operation:
   Instantiating VSS server

Error: (02/13/2021 03:51:58 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
   Instantiating VSS server

Error: (02/13/2021 03:51:49 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.621_none_e7694895260e0b6d\TiWorker.exe -Embedding; Description = Windows Modules Installer; Error = 0x80042302).

Error: (02/13/2021 03:51:49 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.


Operation:
   Instantiating VSS server

Error: (02/13/2021 03:51:49 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
   Instantiating VSS server


System errors:
=============
Error: (02/12/2021 11:03:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
This driver has been blocked from loading

Error: (02/12/2021 11:03:08 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\joppe\AppData\Local\Temp\ehdrv.sys

Error: (02/12/2021 11:03:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
This driver has been blocked from loading

Error: (02/12/2021 11:03:08 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\joppe\AppData\Local\Temp\ehdrv.sys

Error: (02/12/2021 11:03:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
This driver has been blocked from loading

Error: (02/12/2021 11:03:08 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\joppe\AppData\Local\Temp\ehdrv.sys

Error: (02/12/2021 11:03:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
This driver has been blocked from loading

Error: (02/12/2021 11:03:08 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\joppe\AppData\Local\Temp\ehdrv.sys

Windows Defender:
================
Date: 2021-02-13 01:25:49
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-02-12 21:35:04
Description:
C:\Users\joppe\Desktop\mbar\mbar.exe has been blocked from modifying %system%\drivers\ by Controlled Folder Access.
Detection time: 2021-02-12T19:35:04.099Z
Path: %system%\drivers\
Process Name: C:\Users\joppe\Desktop\mbar\mbar.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

Date: 2021-02-12 21:28:32
Description:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has been blocked from modifying %system%\CatRoot by Controlled Folder Access.
Detection time: 2021-02-12T19:28:32.454Z
Path: %system%\CatRoot
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

Date: 2021-02-12 18:21:04
Description:
C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe has been blocked from modifying %windir%\INF\ by Controlled Folder Access.
Detection time: 2021-02-12T16:21:04.581Z
Path: %windir%\INF\
Process Name: C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

Date: 2021-02-12 18:21:04
Description:
C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe has been blocked from modifying %windir%\INF\ by Controlled Folder Access.
Detection time: 2021-02-12T16:21:04.581Z
Path: %windir%\INF\
Process Name: C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

CodeIntegrity:
===============

==================== Memory info ===========================

BIOS: American Megatrends Inc. P4.20 10/31/2019
Motherboard: ASRock Z370 Taichi
Processor: Intel® Core™ i7-8700K CPU @ 3.70GHz
Percentage of memory in use: 67%
Total physical RAM: 8078.87 MB
Available physical RAM: 2598.03 MB
Total Virtual: 9998.87 MB
Available Virtual: 1403.75 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.28 GB) (Free:23.16 GB) NTFS

\\?\Volume{3a6c2849-1e16-4dbe-96e3-abf1bca8eb23}\ () (Fixed) (Total:0.49 GB) (Free:0.08 GB) NTFS
\\?\Volume{db7d008b-f5b9-4895-9432-54afa5525b8d}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: 21ED1CEC)

Partition: GPT.

==================== End of Addition.txt =======================


  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,580 posts
  • MVP

Multiple replies are OK.  Best to post a log as you get it.

Get Process Explorer

https://live.sysinte...com/procexp.exe

Save it to your desktop then run it (Vista or Win7+ - right click and Run As Administrator).  

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  

Wait a full minute then:

File, Save As, Save.  Note the file name.   Open the file  on your desktop and copy and paste the text to a reply.


Copy the next 2 lines:

TASKLIST /SVC  > \junk.txt
notepad \junk.txt

Open an Elevated Command Prompt:
Win 7: Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator
Win 8: http://www.eightforu...indows-8-a.html
win 10: http://www.howtogeek...-in-windows-10/

Right click and Paste (or Edit then Paste) and the copied lines should appear.
Hit Enter if notepad does not open.  Copy and paste the text from notepad into a reply.


Get the free version of Speccy:

http://www.filehippo...ownload_speccy/ 

(Look in the upper right for the Download
Latest Version button  - Do NOT press the large Start Download button on the upper left!)  
Download, Save and Install it.  Tell it you do not need CCLEANER.    Run Speccy.  When it finishes (the little icon in the bottom left will stop moving),
File, Save as Text File,  (to your desktop) note the name it gives. OK.  Open the file in notepad and delete the line that gives the serial number of your Operating System.  
(It will be near the top,  10-20  lines down.) Save the file.  Attach the file to your next post.  Attaching the log is the best option as it is too big for the forum.  Attaching is a multi step process.

First click on More Reply Options
Then scroll down to where you see
Choose File and click on it.  Point it at the file and hit Open.
Now click on Attach this file.


Latency Monitor:

Go to

http://www.resplendence.com/downloads

Scroll down to

System Monitoring Tools

and then find

LatencyMon 6.70 (or it may be a higher number if they update)

Click on Download free home edition

Save it then right click and Run As Admin.  It will install and then start the program.  
It will tell you to click on the Start button but there isn't one.  
Instead click on the green arrowhead (looks like a Play button).   Let it run for at least 20 seconds.  Then hit the red box to stop it.

Edit, Copy Report text to Clipboard then move to a REPLY and Ctrl + v to paste the text into a reply.  


Click on the Drivers Tab.  Click on the column header for "Total execution (ms)" once or twice until the biggest numbers are at the top of the column then take a screen shot (save as type jpg) and attach it.  
Click on the Processes tab then click on the  "Hard Pagefaults" column header once or twice until the big numbers are at the top of the column.  Take a screen shot (save as type jpg) and attach it.

 

Also try and run MBAR:

 

https://www.malwareb...om/antirootkit/

 

I don't see any infection but sometimes they can hide from FRST.


  • 0

#5
jhormaneedshelp

jhormaneedshelp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts

I've attached files from Process Explorer / Speccy. Gonna run LatencyMon later when I get back. Ty for help :)


  • 0

#6
jhormaneedshelp

jhormaneedshelp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts

I've attached files from Process Explorer / Speccy / LatencyMon. Ty for help ;)

 

Attached Thumbnails

  • latencymon1.jpg
  • latencymon2.jpg

Attached Files


  • 0

#7
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,580 posts
  • MVP

Not seeing much.  Why do you think you have been hacked?  Is Glasswire showing suspicious activity?  Have you seen suspicious traffic with Wireshark?

 

Your VPN is probably not working as it should since you have  Controlled Folder Access blocking its access to the INF folder:
 

Date: 2021-02-12 18:21:04
Description:
C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe has been blocked from modifying %windir%\INF\ by Controlled Folder Access.
Detection time: 2021-02-12T16:21:04.581Z
Path: %windir%\INF\
Process Name: C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

 

 

 

If you trust it you can allow it access: https://support.micr...31-7e51e912b034

 

MBAR was also blocked by Controlled Folder Access so you might want to unblock it and try the scan again.

 

Date: 2021-02-12 21:35:04
Description:
C:\Users\joppe\Desktop\mbar\mbar.exe has been blocked from modifying %system%\drivers\ by Controlled Folder Access.
Detection time: 2021-02-12T19:35:04.099Z
Path: %system%\drivers\
Process Name: C:\Users\joppe\Desktop\mbar\mbar.exe
Security intelligence Version: 1.331.830.0
Engine Version: 1.1.17800.5
Product Version: 4.18.2101.9

 

You are missing some drivers. 

Search for

device manager

 

Hit Enter

then View, Show Hidden Devices.  
Now look  for yellow flagged devices.  Right click on one and select properties then click on the Details tab.  
Change Property to Hardware IDs.  Click on the top one then right click and copy.  Paste that into a reply.  Repeat for all yellow flagged devices.

 

 

Appears that you may have two firewalls:

Glasswire & Malwarebytes Windows Firewall Control

Normally one is all you want.

 

Please download MiniToolBox from https://www.bleepingcomputer.com/download/minitoolbox/, save it to your desktop and run it.

Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer Errors
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of MTB.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

 

 

I can offer a bit of a performance improvement:

 

Search for

task scheduler

hit Enter

Click on the arrow in front of Task Scheduler Library then

Click on the arrow in front of Microsoft

Click on the arrow in front of Windows

Click on Application Experience.  In the next pane to the right, right click on each Task and Disable.  Should be three tasks.

Click on Customer Experience Improvement Program.  In the next pane to the right, right click on each Task and Disable.  Should be two tasks.

Download OOSU10.exe:

https://www.oo-software.com/en/shutup10

Download and Save it (You will get a popup while it's downloading.  You can X out of it)
then Right click and Run As Admin.
Allow it to make a System Restore Point.
Click on Actions then on Apply Recommended Settings.

Close the program and reboot.

Rerun Latency Monitor and post the summary.



 


  • 0
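The four things this reply asks for (check what Controlled Folder Access blocked, allow a trusted program through it, collect Hardware IDs of yellow-flagged devices, disable the two Task Scheduler folders) can all be done from one elevated PowerShell prompt. The script below is an added example and is not from RKinner's post or from Microsoft's documentation; the two executable paths are the ones quoted from the FRST log above, and everything else is standard Windows 10 cmdlets. Before allow-listing a binary it verifies the Authenticode signature, because a Controlled Folder Access exception applies to every protected folder, not just the one that was blocked.

```powershell
# Added example: Controlled Folder Access review/allow-list, problem-device Hardware IDs,
# and disabling the Application Experience / CEIP scheduled tasks.
# Run from an elevated PowerShell prompt on Windows 10.

# 1. Controlled Folder Access state (0 = off, 1 = block, 2 = audit) and recent blocks.
#    Event ID 1123 in the Defender operational log is a CFA block; the message text
#    names the process and the folder, matching the FRST entries above.
"Controlled Folder Access mode: $((Get-MpPreference).EnableControlledFolderAccess)"
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 2. Allow a program through CFA only if its signature is valid.
#    Paths taken from the FRST log in this thread.
$candidates = @(
    'C:\Program Files (x86)\ExpressVPN\tap\tapinstall\amd64\tapinstall.exe',
    'C:\Users\joppe\Desktop\mbar\mbar.exe'
)
foreach ($exe in $candidates) {
    if (-not (Test-Path -LiteralPath $exe)) { Write-Warning "Not found: $exe"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -eq 'Valid') {
        "Allowing $exe (signer: $($sig.SignerCertificate.Subject))"
        Add-MpPreference -ControlledFolderAccessAllowedApplications $exe
    } else {
        Write-Warning "NOT allowing $exe - signature status is $($sig.Status)"
    }
}
"Current CFA allow list:"
(Get-MpPreference).ControlledFolderAccessAllowedApplications

# 3. Devices with a problem code (the yellow flag in Device Manager) and the
#    most specific Hardware ID for each, ready to paste into a reply.
Get-PnpDevice -Status Error | ForEach-Object {
    $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                -KeyName 'DEVPKEY_Device_HardwareIds').Data
    [pscustomobject]@{
        Device     = $_.FriendlyName
        Class      = $_.Class
        HardwareId = ($ids | Select-Object -First 1)
    }
} | Format-Table -AutoSize

# 4. Disable every task in the two folders named in the reply.
$folders = @(
    '\Microsoft\Windows\Application Experience\',
    '\Microsoft\Windows\Customer Experience Improvement Program\'
)
foreach ($folder in $folders) {
    Get-ScheduledTask -TaskPath $folder | Disable-ScheduledTask |
        Select-Object TaskPath, TaskName, State
}
```

Two caveats worth keeping in mind when reading the output. An anti-rootkit scanner writing to `%system%\drivers\` is expected behaviour, so the MBAR block in the log is Controlled Folder Access doing its job, not a sign of compromise. And an allow-list entry is per executable path: if the program updates in place the exception survives, but if a different binary is ever dropped at that path it inherits the exception too, so only add paths under `Program Files` or other locations a standard user cannot write to.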





