Operating System: Windows 10
Infection date and initial symptoms: It's all in the initial greeting.
Current issues and symptoms: It's not just malware. It's repeated attacks by hackers, and they are of course using malware to do what is being done. However, it's most likely malware that's unknown.
Steps taken in order to remove the infection: I have the instructions. I will get you the reports as soon as I can get home and sort it all out.
System logs: I did not upload the FRST.txt logs.

Dcroft39

Where do I start... OK, I downloaded a copy of Tumblr from the Play Store. It was a brand-new phone, and the only anti-anything software was Lookout. I began getting weird activity from that day. The app was a Tumblr app and I was blogging about Sig Sauer pistols. The hacker began to attach a porn-based page to my blog and made it available to all. This is when I knew I'd been hacked. I went into Google accounts and he followed me immediately. It began to become a race to keep him out. Long story short, I lost and couldn't recover the account. He/they kept changing my password and I couldn't get back in. Finally they communicated to me that they wanted to use Lookout and other apps on the phone to commit fraud. So like a dumbass I sat and watched him control and program the phone remotely. Finally I'd had enough and I called my provider and told them, and he began to send threats saying hang up now. With that operation foiled, all hell broke loose. I changed phones 4 times that month, all my accounts, passwords, etc. I used to use several password generators. Every time I'd get a new phone, bam! They'd get in as soon as I created a new Google account. So I switched to Apple. I was told there was no way I could be hacked by Apple unless they had physical contact. Well, one morning I inadvertently answered a robocall and from that point they were in. They made widgets to follow all my moves, they turned Siri against me to report passwords to them. They even put an extra PIN after mine on the phone so I could not reset it. I'm on phone four. This was a cheap Moto G6 Forge prepaid in another person's name, and before I even had the effing number activated they hacked in as I was setting it up. It's the phone I'm on now. I have a firewall called Internet Guard with which I can allow or block each app on the phone's access to the net. I also use a tool called IP Tools to watch the activity, but it's not showing a lot. Seems to be disabled. I use Kaspersky antivirus and it always comes up clean.
And I have a widget that blocks the camera and mic. Now to the PC. As soon as I got it and went online they hacked in. They shut down half the computer and locked the C:\ drive, making it almost impossible to use. Finally I called Microsoft to get the info for recovery files and did a new install. It will run OK as long as I don't spend more than a few minutes online. If I do, they get in. My passwords are like 36-character freaking sentences and my PIN is about 12 chars. They walk right in like it's theirs. This tells me rootkit, or some back door. Every device that hooks to our wifi gets hacked. You realize that all the info I'm giving you they can get, so it's a catch-22. The reason I have to reinstall Windows so much is because after a couple of days it becomes unusable. All my files are being shared with God knows who, all the permissions are out of whack. Hell, I can't even access or save to half my folders. So I copy the data in the Event Viewer, System and Security, and I save it on USB drives. Format, reinstall. I even diskpart and name the system partition and format that. Then as soon as I go online to get out of S mode it slowly happens again. I took the Windows 10 PC in the living room, an isolated machine, and used it to download the new install files from MS. And they got into that one. They change the router logins and I can't update the firmware because there isn't an update. I unplugged the router from the cable and hooked to it with an Ethernet cable so I'd have proprietary access. And as I'm re-entering new passwords they begin to change on me!!! I've been told this was impossible. Generally they hear our conversations via my roommate's phone and know what steps we're gonna take. This time I did it on a whim. And as I'm changing passwords I get locked out. I reset it to factory, and none of the default passwords would work. I reset again. Nothing. Finally I input the last one I used and gained access, and it was as if nothing had been reset.
That computer sits unplugged in the living room. On my laptop I use several antivirus products, but mostly rootkit finders. I have installed McAfee, Kaspersky, ESET, all to just uninstall because they find nothing. Once I found some malware in Notepad++, a Trojan; I cleaned it and was informed by the company it was a false positive? I work very hard to make a living these days. I haven't shelled out any money to purchase an antivirus because I haven't found any that can find the rootkits or viruses that must be there. My point is, how could they hack a 30+ char password in seconds every time I change it without a keylogger or a backdoor in? I've reported it to the cops, I've stacked evidence, but they won't stop. I'm positive there is some malware at work here. The phone, ****, it's gone. Nothing cleans it. They obviously have done something to files I can't access to let them keep following me. People think I have lost my mind or I am making this up. I spend hours studying the ways malware works and I've been writing batch files to make quick work of all the tests I have to run all the time. I'm trying to learn Python, but if I can't get this fixed, it's pointless. As I said, I had unknown code in my MBR. I managed to fix that. So that was a small win. But all I have to do is log in and I'll be infected again.



As stated, I will follow protocol as soon as I'm able to get online and download the requested antivirus and submit the reports. You must know that at this point, after months of these attacks, and after hours of work to get my MBR clean, I'm very hesitant about even hooking to wifi. Because true to form, as soon as I do they will walk in the back door and likely take the machine down, and with all this info out there, they know what I'm going to download and have the ability to render any software unusable. I'll be back in touch when I can get this done.

Dcroft39

Sorry about all the header info that got posted. I copied and pasted and I am working and at the moment do not have time to clean it all up.

Dcroft39

Downloaded both tools... FRST: I got a warning after downloading saying it was uncommonly used and could harm my computer? Curious, is that normal?

Dcroft39

Here's the report from Malwarebytes for Windows. Found nothing, but that's no surprise. I believe that the group targeting me is writing their own malware. But maybe it will show you something. The reports I get from GMER are a bit more in depth. But I believe it's been disabled because, like many others, it crashes halfway through the scan.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/10/19
Scan Time: 10:39 PM
Log File: 40a0a15a-8c0b-11e9-800d-000000000000.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.10988
License: Free

-System Information-
OS: Windows 10 (Build 17134.112)
CPU: x64
File System: NTFS
User: DESKTOP-74AI7HU\AdminR&D

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 256976
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 1 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Dcroft39

Here's a GMER report, appended with extra info on how it reacts strangely.

GMER 2.2.19882 - GMER - Rootkit Detector and Remover
3rd party scan 2019-06-10 02:27:29
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003e VID:90 rev.0.1 58.24GB
Running: mytool.exe; Driver: C:\Users\AdminR&D\AppData\Local\Temp\pfrdipod.sys


---- Modules - GMER 2.2 ----

Module \SystemRoot\System32\drivers\RtsPer.sys (RTS PCIE READER Driver/Realsil Semiconductor Corporation SIGNED)(2018-06-22 23:03:24) fffff80501cc0000-fffff80501d9c000 (901120 bytes)
Module \SystemRoot\System32\Drivers\dump_dumpsd.sys fffff80503070000-fffff805030a3000 (208896 bytes)
Module \SystemRoot\System32\Drivers\dump_dumpfve.sys fffff805030d0000-fffff805030ed000 (118784 bytes)
---- Processes - GMER 2.2 ----

Process C:\windows\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe [3860] (.NET Framework/Microsoft Corporation)(2019-06-07 08:29:03) 00007ffe0ba70000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System\f6e685fe963bccd90580ac7c199fa1f1\System.ni.dll (.NET Framework/Microsoft Corporation)(2019-06-07 08:29:03) 00007ffe0ba70000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\c23304336821a0954144b446945aa7dd\System.ServiceProcess.ni.dll (.NET Framework/Microsoft Corporation)(2018-06-25 15:36:18) 00007ffe0b9e0000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System.Core\bc492a09fdac1f8f19ff8705de972bec\System.Core.ni.dll (.NET Framework/Microsoft Corporation)(2019-06-07 08:29:24) 00007ffe06dd0000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System.Xml\94ccebb52471583c75bb4035c7eaefd3\System.Xml.ni.dll (.NET Framework/Microsoft Corporation)(2018-06-25 15:36:38) 00007ffe03050000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\c0f904109c6cca7fed5aa1bfd91298bf\System.Configuration.ni.dll (System.Configuration.dll/Microsoft Corporation)(2018-06-25 15:36:37) 00007ffe02e70000
Process C:\Users\AdminR&D\Desktop\mytool.exe [8128](2019-06-09 11:21:47) 0000000000400000

---- Services - GMER 2.2 ----

Service .NET CLR Data
Service .NET CLR Networking
Service .NET CLR Networking 4.0.0.0
Service .NET Data Provider for Oracle
Service .NET Data Provider for SqlServer
Service .NET Memory Cache 4.0
Service .NETFramework
Service ADOVMPPackage
Service BthA2DP
Service CoreUI
Service HomeGroupListener
Service HomeGroupProvider
Service MSDTC Bridge 4.0.0.0
Service napagent
Service NetbiosSmb
Service netvscvfpp
Service RDMANDK
Service RDPUDD
Service C:\windows\System32\drivers\RtsPer.sys (RTS PCIE READER Driver/Realsil Semiconductor Corporation SIGNED)(2018-06-22 23:03:24) [MANUAL] RTSPER
Service SMSvcHost 4.0.0.0
Service tiledatamodelsvc
Service Windows Workflow Foundation 4.0.0.0
Service workerdd
Service WSearchIdxPi
Service C:\Users\AdminR&D\AppData\Local\Temp\pfrdipod.sys (GMER Driver http://www.gmer.net/GMER)(2019-06-08 08:46:13) [MANUAL] pfrdipod

---- EOF - GMER 2.2 ----
Every time I run a scan this software starts up saying

"C\Windows\system32\config\system: The process cannot access the file because it is being used by another process."

If I try to run a scan with all boxes checked, the driver that runs it always crashes. I can only get it to finish by selecting "3rd party" or by unchecking half the boxes, and then when it finishes I get that same error message above twice in a row, then it says scan finished successfully.

This is the only software, save a beta version of Malwarebytes rootkit finder and MBRCheck, that has ever yielded any results. And yes, I know you do not install more than one antivirus at a time on your machine. I've always tried them out one at a time: Avast, McAfee, Defender, which never ever finds a thing, and ESET. I have only used the trial versions. I really don't know whom to put my money into. At this point in my life I'm lucky if I have $40 left on payday, so I don't have a lot to work with.

Also when Gmer starts this is always displayed:

GMER 2.2.19882 - GMER - Rootkit Detector and Remover
Rootkit scan 2019-06-10 02:37:38
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003e VID:90 rev.0.1 58.24GB
Running: mytool.exe; Driver: C:\Users\AdminR&D\AppData\Local\Temp\pfrdipod.sys


---- Threads - GMER 2.2 ----

Thread C:\windows\system32\csrss.exe [700:756] fffffcc4b3a96840

---- EOF - GMER 2.2 ----

Sometimes it'll disappear once the scan starts, sometimes it stays. I have let Windows Update install all the updates in the past: firmware, antivirus defs, Windows 10 security patches, etc. But tbh, I cannot be perfectly sure these files are legit. The hackers I've been dealing with are extremely crafty and have on more than one occasion intercepted calls, webpages, etc. I've grown wise to their tricks. The last one was in the Windows OS saying there was a fix to my Windows Update problems, and I went through with it. Then when the computer rebooted the update screen, progress bar, all of it looked really funky. Then I began having problems with unknown MBR code. Found a few trojans in the temp directory. I am in the process of developing a virus scanner that does not use definitions. It's all on paper now and the coding hasn't begun, for obvious reasons. But I believe I have figured out an algorithm that will actually find rogue code in files with no need for prior notice of a virus. I don't want this stolen, so I am not coding any of it until I can find the malware, keyloggers, rootkits, and all the goddamn backdoors they use to get into my PC and devices.

Dcroft39

I can't ever get a full scan to work and this is common with most antivirus. The driver for the antivirus always crashes halfway through. So this is the best scan I can get. Hope this helps, and let me know if I need to run FRST as well. Might as well, but the warning kind of bothers me.

Dcroft39

OK, I figured as much. That's just the warning IExplorer gave me, which is not my choice of browser. But right now I don't like staying online long enough to download Firefox. I stay away from Google products like the plague. If you read the terms and agreements, they clearly state their products, most of them, Chrome, Drive, Duo, etc., maintain a solid data connection at all times. This creates a means for a man-in-the-middle attack, not like that of a wifi cafe, rather as a gateway for malicious users to access your device/data/PC. By agreeing to the terms, if you get malware or attacked via their software they cannot be held liable. So, no Chrome, only Gmail, and that's only because the last phone I could afford was an Android and you are hog-tied into using Google in one way or another to use an Android. Unless you crack the bootloader and flash a ROM that doesn't rely on Google. I've tried that, but the only OS I could find was quirky at best. My problem is a focused attack. This is why idk if you guys can help. I did happen upon infected software, but it was basically a front with a gateway designed to let the intruders in. They seem to have a hard-on for me now and will not relent. These aren't 14-yr-old kids playing pranks; from the intel I've gathered since February, they run a cyber security business, and at least one works for Google. I believe the base of operations is on the west coast. I appreciate any help you guys can give; it will add to the evidence I've accumulated thus far. My ultimate goal is to take it all to the FBI via my lawyer. I do indeed believe they custom-write any malware they use. It will not be on any virus definitions list, at least I don't think. This is why I have been thrust into the desire to engineer an antivirus that doesn't rely on a list of known malware. I believe my algorithm is sound and once I rid myself of this infestation I can begin the coding. Things have been quiet since contacting you guys.
No random changes of wallpaper, no mysterious folders popping up, no unknown MBR code. But there are bots, software with backdoors, and other types of malware on this phone and my PC, as stated before. How else could anyone, or any computer for that matter, consistently crack 30+ char passwords and access my PC in seconds? I'll run FRST and get back. Thank you for the help.

Dcroft39

Here is FRST.txt:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-06-2019 01
Ran by AdminR&D (administrator) on DESKTOP-74AI7HU (Microsoft Corporation Surface Go) (11-06-2019 13:30:23)
Running from C:\Users\AdminR&D\Desktop
Loaded Profiles: AdminR&D (Available Profiles: AdminR&D)
Platform: Windows 10 Home Version 1803 17134.765 (X64) Language: English (United States)
Default browser: Edge
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() [File not signed] C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_1.15.1001.0_x64__8wekyb3d8bbwe\GameBar.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\Intel\DPTF\dptf_helper.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\Intel\DPTF\esif_uf.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_base.inf_amd64_062d16984e6c0a6b\IntelCpHDCPSvc.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_base.inf_amd64_062d16984e6c0a6b\IntelCpHeciSvc.exe
(Malwarebytes Corporation -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Windows -> Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\OpenWith.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17134.1_none_eedfeda03074e04e\TiWorker.exe
(Microsoft Windows Hardware Compatibility Publisher -> ) C:\Windows\wpcsc64Service.exe
(Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Windows 7 DDK provider) C:\Windows\System32\drivers\AdminService.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1905.4-0\MsMpEng.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1905.4-0\NisSrv.exe
(Qualcomm Atheros -> Qualcomm Technologies Inc.) C:\Windows\System32\drivers\QcomWlanSrvx64.exe
(Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\RtkAudUService64.exe
(Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\RtkAudUService64.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [638872 2018-04-11] (Microsoft Windows -> Microsoft Corporation)
HKLM\...\Run: [RtkAudUService] => C:\Windows\System32\RtkAudUService64.exe [672192 2018-05-17] (Realtek Semiconductor Corp. -> Realtek Semiconductor)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {5A85CE32-7C04-472B-8AAF-0843D775E99F} - System32\Tasks\Microsoft\Windows\RetailDemo\CleanupOfflineContent => {61f77d5e-afe9-400b-a5e6-e9e80fc8e601} C:\Windows\System32\RDXTaskFactory.dll [393728 2018-04-11] (Microsoft Windows -> Microsoft Corporation)
Task: {624803BC-D704-400C-83AC-9F07B1E658FC} - System32\Tasks\OneDrive Standalone Update Task v2 => C:\Users\AdminR&D\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-3661324527-2278852709-3805750152-1001] => 187.188.46.172:53455
Tcpip\Parameters: [DhcpNameServer] 75.76.84.102 75.76.84.103
Tcpip\..\Interfaces\{11f85019-d4be-42f2-bf40-ffd0818d6443}: [DhcpNameServer] 75.76.84.102 75.76.84.103

Internet Explorer:
==================

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\windows\system32\DRIVERS\AdminService.exe [414696 2018-02-01] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Windows 7 DDK provider)
R2 esifsvc; C:\windows\System32\Intel\DPTF\esif_uf.exe [1696312 2018-03-23] (Intel Corporation -> Intel Corporation)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\Intel(R) Management Engine Components\iCLS\SocketHeciServer.exe [761088 2018-06-08] (Intel(R) Trust Services -> Intel(R) Corporation)
S2 Intel(R) TPM Provisioning Service; C:\Program Files\Intel\Intel(R) Management Engine Components\iCLS\TPMProvisioningService.exe [737552 2018-06-08] (Intel(R) Trust Services -> Intel(R) Corporation)
S2 IntelAudioService; C:\windows\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe [212536 2018-05-10] (Intel(R) Smart Sound Technology -> Intel)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6562472 2019-02-01] (Malwarebytes Corporation -> Malwarebytes)
R2 PanelCalibration Service; C:\windows\wpcsc64Service.exe [94896 2018-10-07] (Microsoft Windows Hardware Compatibility Publisher -> )
R2 QcomWlanSrv; C:\windows\System32\drivers\QcomWlanSrvx64.exe [190304 2018-06-04] (Qualcomm Atheros -> Qualcomm Technologies Inc.)
R2 RtkAudioUniversalService; C:\windows\System32\RtkAudUService64.exe [672192 2018-05-17] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1905.4-0\NisSrv.exe [2433136 2019-06-11] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1905.4-0\MsMpEng.exe [109896 2019-06-11] (Microsoft Windows Publisher -> Microsoft Corporation)
U2 WirelessPowerBackoffService; C:\windows\WirelessPowerBackoffService.exe [152240 2018-10-07] (Microsoft Windows Hardware Compatibility Publisher -> )

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BtFilter; C:\windows\system32\DRIVERS\btfilter.sys [65960 2018-02-01] (WDKTestCert aswbldsv,131431045756648395 -> Qualcomm)
R3 dptf_acpi; C:\windows\System32\drivers\dptf_acpi.sys [74696 2017-11-27] (Intel Corporation -> Intel Corporation)
R3 dptf_cpu; C:\windows\System32\drivers\dptf_cpu.sys [70088 2017-11-27] (Intel Corporation -> Intel Corporation)
R3 esif_lf; C:\windows\System32\drivers\esif_lf.sys [383432 2017-11-27] (Intel Corporation -> Intel Corporation)
R3 HidEventFilter; C:\windows\System32\drivers\HidEventFilter.sys [85032 2017-12-13] (Intel(R) Software -> Intel Corporation)
R3 HID_PCI; C:\windows\System32\drivers\HID_PCI.sys [33952 2017-11-10] (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel)
R3 iactrllogic; C:\windows\System32\drivers\iactrllogic64.sys [175480 2018-03-04] (Intel Corporation -> Intel(R) Corporation)
R3 iaLPSS2_GPIO2; C:\windows\System32\drivers\iaLPSS2_GPIO2.sys [98968 2017-10-15] (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation)
R3 ISH; C:\windows\System32\drivers\ISH.sys [155288 2017-11-10] (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel)
R3 ISH_BusDriver; C:\windows\System32\drivers\ISH_BusDriver.sys [89752 2017-11-10] (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel)
S0 MbamElam; C:\windows\System32\DRIVERS\MbamElam.sys [20936 2019-02-01] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\windows\System32\Drivers\mbamswissarmy.sys [275232 2019-06-10] (Malwarebytes Corporation -> Malwarebytes)
S1 MpKslc78f66b9; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpKslc78f66b9.sys [58120 2019-06-08] () [File not signed]
R3 ov5693; C:\windows\System32\drivers\ov5693.sys [167840 2018-05-16] (Microsoft Windows Hardware Compatibility Publisher -> Intel(R) Corporation)
R3 ov7251; C:\windows\System32\drivers\ov7251.sys [169376 2018-05-16] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
R3 ov8865; C:\windows\System32\drivers\ov8865.sys [166824 2018-05-16] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
R3 Qcamain10x64; C:\windows\System32\drivers\Qcamain10x64.sys [2358112 2018-06-04] (Qualcomm Atheros -> Qualcomm Atheros, Inc.)
R3 QIOMem; C:\windows\System32\drivers\QIOMem.sys [33160 2018-10-07] (WDKTestCert TX7,131534493142891343 -> Surface)
R3 RTSPER; C:\windows\System32\drivers\RtsPer.sys [887240 2018-06-03] (Realtek Semiconductor Corp. -> Realsil Semiconductor Corporation)
R3 Surface1824DigitizerIntegration; C:\windows\System32\drivers\Surface1824DigitizerIntegration.sys [36312 2018-05-31] (Microsoft Corporation -> Microsoft Corporation)
U5 tiledatamodelsvc; C:\windows\system32\svchost.exe [85472 2019-01-08] (Microsoft Windows Publisher -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S0 WdBoot; C:\windows\System32\drivers\wd\WdBoot.sys [47496 2019-06-11] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\windows\System32\drivers\wd\WdFilter.sys [337632 2019-06-11] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\windows\System32\drivers\wd\WdNisDrv.sys [53984 2019-06-11] (Microsoft Windows -> Microsoft Corporation)
S3 wmbclass; C:\windows\System32\drivers\wmbclass.sys [335872 2018-04-11] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2019-06-11 13:30 - 2019-06-11 13:31 - 000010561 _____ C:\Users\AdminR&D\Desktop\FRST.txt
2019-06-11 13:28 - 2019-06-11 13:28 - 000000000 ____D C:\Users\AdminR&D\AppData\Local\D3DSCache
2019-06-11 13:20 - 2019-06-11 13:30 - 000000000 ____D C:\FRST
2019-06-10 22:52 - 2019-06-10 22:52 - 000000000 ____D C:\windows\LastGood
2019-06-10 22:50 - 2019-06-10 22:50 - 000275232 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamswissarmy.sys
2019-06-10 22:38 - 2019-06-10 22:38 - 000000000 ___HD C:\Users\AdminR&D\MicrosoftEdgeBackups
2019-06-10 22:34 - 2019-06-10 22:34 - 000001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2019-06-10 22:34 - 2019-06-10 22:34 - 000000000 ____D C:\Users\AdminR&D\AppData\Local\mbamtray
2019-06-10 22:34 - 2019-06-10 22:34 - 000000000 ____D C:\Users\AdminR&D\AppData\Local\mbam
2019-06-10 22:34 - 2019-06-10 22:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2019-06-10 22:34 - 2019-02-01 12:20 - 000020936 _____ (Malwarebytes) C:\windows\system32\Drivers\MbamElam.sys
2019-06-10 22:34 - 2019-01-08 16:32 - 000153328 _____ (Malwarebytes) C:\windows\system32\Drivers\mbae64.sys
2019-06-10 22:33 - 2019-06-10 22:33 - 000000000 ____D C:\Program Files\Malwarebytes
2019-06-10 22:33 - 2019-05-02 22:59 - 001307648 _____ (Microsoft Corporation) C:\windows\system32\MSVPXENC.dll
2019-06-10 22:33 - 2019-05-02 22:57 - 001295872 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSVPXENC.dll
2019-06-10 22:33 - 2019-05-02 22:54 - 000535552 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2019-06-10 22:33 - 2019-04-18 21:43 - 000150016 _____ (Microsoft Corporation) C:\windows\system32\fcon.dll
2019-06-10 22:33 - 2019-04-01 21:41 - 001235968 _____ (Microsoft Corporation) C:\windows\SysWOW64\rdpbase.dll
2019-06-10 22:33 - 2018-12-08 01:06 - 001017168 _____ (Microsoft Corporation) C:\windows\system32\msmpeg2adec.dll
2019-06-10 22:33 - 2018-12-08 00:47 - 000861744 _____ (Microsoft Corporation) C:\windows\SysWOW64\msmpeg2adec.dll
2019-06-10 22:33 - 2018-12-08 00:46 - 001397104 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSVP9DEC.dll
2019-06-10 22:33 - 2018-12-08 00:46 - 000457056 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSAudDecMFT.dll
2019-06-10 22:33 - 2018-11-01 04:27 - 001121792 _____ (Microsoft Corporation) C:\windows\system32\TSWorkspace.dll
2019-06-10 22:33 - 2018-11-01 02:53 - 000908288 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSWorkspace.dll
2019-06-10 22:32 - 2019-05-03 04:51 - 003613696 _____ (Microsoft Corporation) C:\windows\system32\win32kfull.sys
2019-06-10 22:32 - 2019-05-03 04:50 - 004054528 _____ (Microsoft Corporation) C:\windows\system32\msi.dll
2019-06-10 22:32 - 2019-05-03 04:28 - 002882048 _____ (Microsoft Corporation) C:\windows\SysWOW64\win32kfull.sys
2019-06-10 22:32 - 2019-05-02 23:36 - 001035256 _____ (Microsoft Corporation) C:\windows\system32\ApplyTrustOffline.exe
2019-06-10 22:32 - 2019-05-02 23:33 - 001219896 _____ (Microsoft Corporation) C:\windows\system32\hvix64.exe
2019-06-10 22:32 - 2019-05-02 23:33 - 001027384 _____ (Microsoft Corporation) C:\windows\system32\hvax64.exe
2019-06-10 22:32 - 2019-05-02 23:33 - 000709720 _____ (Microsoft Corporation) C:\windows\system32\Drivers\cng.sys
2019-06-10 22:32 - 2019-05-02 23:32 - 000793640 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgmms2.sys
2019-06-10 22:32 - 2019-05-02 23:32 - 000170296 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2019-06-10 22:32 - 2019-05-02 23:31 - 009084432 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2019-06-10 22:32 - 2019-05-02 23:31 - 007519888 _____ (Microsoft Corporation) C:\windows\system32\Windows.Media.Protection.PlayReady.dll
2019-06-10 22:32 - 2019-05-02 23:31 - 007436536 _____ (Microsoft Corporation) C:\windows\system32\windows.storage.dll
2019-06-10 22:32 - 2019-05-02 23:31 - 002811192 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2019-06-10 22:32 - 2019-05-02 23:31 - 002771256 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2019-06-10 22:32 - 2019-05-02 23:31 - 001098064 _____ (Microsoft Corporation) C:\windows\system32\msvproc.dll
2019-06-10 22:32 - 2019-05-02 23:31 - 000412984 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgmms1.sys
2019-06-10 22:32 - 2019-05-02 23:19 - 006043712 _____ (Microsoft Corporation) C:\windows\SysWOW64\windows.storage.dll
2019-06-10 22:32 - 2019-05-02 23:18 - 006569344 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.Media.Protection.PlayReady.dll
2019-06-10 22:32 - 2019-05-02 23:18 - 002258640 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2019-06-10 22:32 - 2019-05-02 23:18 - 001130568 _____ (Microsoft Corporation) C:\windows\SysWOW64\msvproc.dll
2019-06-10 22:32 - 2019-05-02 23:12 - 025855488 _____ (Microsoft Corporation) C:\windows\system32\edgehtml.dll
2019-06-10 22:32 - 2019-05-02 23:10 - 022017024 _____ (Microsoft Corporation) C:\windows\SysWOW64\edgehtml.dll
2019-06-10 22:32 - 2019-05-02 23:05 - 022716416 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2019-06-10 22:32 - 2019-05-02 23:02 - 019401216 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2019-06-10 22:32 - 2019-05-02 23:02 - 004866048 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2019-06-10 22:32 - 2019-05-02 23:01 - 008189440 _____ (Microsoft Corporation) C:\windows\system32\Windows.Data.Pdf.dll
2019-06-10 22:32 - 2019-05-02 23:00 - 006661632 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.Data.Pdf.dll
2019-06-10 22:32 - 2019-05-02 23:00 - 003400192 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentServer.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 007593472 _____ (Microsoft Corporation) C:\windows\system32\Chakra.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 005788672 _____ (Microsoft Corporation) C:\windows\SysWOW64\Chakra.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 003710976 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 000209408 _____ (Microsoft Corporation) C:\windows\system32\AppXApplicabilityBlob.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 000154112 _____ (Microsoft Corporation) C:\windows\system32\Chakradiag.dll
2019-06-10 22:32 - 2019-05-02 22:58 - 002175488 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentExtensions.onecore.dll
2019-06-10 22:32 - 2019-05-02 22:58 - 001708544 _____ (Microsoft Corporation) C:\windows\system32\MSPhotography.dll
2019-06-10 22:32 - 2019-05-02 22:58 - 000894464 _____ (Microsoft Corporation) C:\windows\system32\webplatstorageserver.dll
2019-06-10 22:32 - 2019-05-02 22:58 - 000726528 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2019-06-10 22:32 - 2019-05-02 22:57 - 001560576 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentExtensions.desktop.dll
2019-06-10 22:32 - 2019-05-02 22:57 - 001549824 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2019-06-10 22:32 - 2019-05-02 22:57 - 000808448 _____ (Microsoft Corporation) C:\windows\system32\EdgeManager.dll
2019-06-10 22:32 - 2019-05-02 22:57 - 000561152 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2019-06-10 22:32 - 2019-05-02 22:56 - 005350912 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2019-06-10 22:32 - 2019-05-02 22:56 - 001803776 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2019-06-10 22:32 - 2019-05-02 22:55 - 002166784 _____ (Microsoft Corporation) C:\windows\system32\win32kbase.sys
2019-06-10 22:32 - 2019-05-02 22:54 - 004929024 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 001628672 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 000776192 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 000669184 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 000543744 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 000507392 _____ (Microsoft Corporation) C:\windows\system32\edgeIso.dll
2019-06-10 22:32 - 2019-04-23 00:13 - 001008640 _____ (Microsoft Corporation) C:\windows\system32\Windows.Media.MixedRealityCapture.dll
2019-06-10 22:32 - 2019-04-22 23:14 - 000868864 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.Media.MixedRealityCapture.dll
2019-06-10 22:32 - 2019-04-19 03:39 - 012754944 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2019-06-10 22:32 - 2019-04-19 03:36 - 000346112 _____ (Microsoft Corporation) C:\windows\system32\AcGenral.dll
2019-06-10 22:32 - 2019-04-19 02:28 - 011940864 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2019-06-10 22:32 - 2019-04-18 22:06 - 002571632 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2019-06-10 22:32 - 2019-04-18 22:06 - 000713264 _____ (Microsoft Corporation) C:\windows\system32\MSVideoDSP.dll
2019-06-10 22:32 - 2019-04-18 22:01 - 001982008 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2019-06-10 22:32 - 2019-04-18 21:42 - 004384256 _____ (Microsoft Corporation) C:\windows\system32\EdgeContent.dll
2019-06-10 22:32 - 2019-04-18 21:39 - 005307392 _____ (Microsoft Corporation) C:\windows\SysWOW64\d2d1.dll
2019-06-10 22:32 - 2019-04-18 21:38 - 002368512 _____ (Microsoft Corporation) C:\windows\system32\WebRuntimeManager.dll
2019-06-10 22:32 - 2019-04-18 21:37 - 000953856 _____ (Microsoft Corporation) C:\windows\SysWOW64\SettingSyncCore.dll
2019-06-10 22:32 - 2019-04-18 21:36 - 002909696 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
2019-06-10 22:32 - 2019-04-02 05:38 - 000094008 _____ (Microsoft Corporation) C:\windows\system32\rdpudd.dll
2019-06-10 22:32 - 2019-04-02 05:13 - 001605632 _____ (Microsoft Corporation) C:\windows\system32\rdpcorets.dll
2019-06-10 22:32 - 2019-04-02 05:11 - 001857536 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2019-06-10 22:32 - 2019-04-02 02:07 - 001586688 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3.dll
2019-06-10 22:32 - 2019-04-02 01:21 - 002467536 _____ (Microsoft Corporation) C:\windows\system32\msxml6.dll
2019-06-10 22:32 - 2019-04-02 01:21 - 000735680 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentClient.dll
2019-06-10 22:32 - 2019-04-02 01:19 - 000786080 _____ (Microsoft Corporation) C:\windows\system32\oleaut32.dll
2019-06-10 22:32 - 2019-04-02 00:44 - 001421312 _____ (Microsoft Corporation) C:\windows\system32\rdpbase.dll
2019-06-10 22:32 - 2019-04-01 22:05 - 001989544 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml6.dll
2019-06-10 22:32 - 2019-04-01 22:04 - 000604008 _____ (Microsoft Corporation) C:\windows\SysWOW64\oleaut32.dll
2019-06-10 22:32 - 2019-04-01 22:04 - 000560600 _____ (Microsoft Corporation) C:\windows\SysWOW64\AppXDeploymentClient.dll
2019-06-10 22:32 - 2019-03-14 01:26 - 002421048 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ntfs.sys
2019-06-10 22:32 - 2019-03-14 01:18 - 000095744 _____ (Microsoft Corporation) C:\windows\SysWOW64\UserDataTimeUtil.dll
2019-06-10 22:32 - 2019-03-14 01:13 - 001468416 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2019-06-10 22:32 - 2019-03-14 00:56 - 000120320 _____ (Microsoft Corporation) C:\windows\system32\UserDataTimeUtil.dll
2019-06-10 22:32 - 2019-03-14 00:53 - 000787968 _____ (Microsoft Corporation) C:\windows\system32\Drivers\WdiWiFi.sys
2019-06-10 22:32 - 2019-03-14 00:50 - 001587712 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2019-06-10 22:32 - 2019-03-14 00:50 - 000847360 _____ (Microsoft Corporation) C:\windows\system32\bisrv.dll
2019-06-10 22:32 - 2019-03-06 02:16 - 001188000 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2019-06-10 22:32 - 2019-03-06 02:04 - 000945464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\refsv1.sys
2019-06-10 22:32 - 2019-03-06 02:03 - 001921848 _____ (Microsoft Corporation) C:\windows\system32\Drivers\refs.sys
2019-06-10 22:32 - 2019-03-06 02:03 - 000375608 _____ (Microsoft Corporation) C:\windows\system32\Drivers\msrpc.sys
2019-06-10 22:32 - 2019-03-06 01:33 - 000046080 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidparse.sys
2019-06-10 22:32 - 2019-03-05 23:14 - 000785568 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2019-06-10 22:32 - 2019-02-16 05:30 - 002019840 _____ (Microsoft Corporation) C:\windows\system32\ResetEngine.dll
2019-06-10 22:32 - 2019-02-16 03:24 - 023862272 _____ (Microsoft Corporation) C:\windows\system32\Hydrogen.dll
2019-06-10 22:32 - 2019-02-16 03:22 - 019525120 _____ (Microsoft Corporation) C:\windows\system32\HologramCompositor.dll
2019-06-10 22:32 - 2019-02-16 01:03 - 007901392 _____ (Microsoft Corporation) C:\windows\system32\d3d10warp.dll
2019-06-10 22:32 - 2019-02-16 01:02 - 005821440 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3d10warp.dll
2019-06-10 22:32 - 2019-02-16 01:02 - 001934800 _____ (Microsoft Corporation) C:\windows\system32\AudioEng.dll
2019-06-10 22:32 - 2019-02-16 01:02 - 001792712 _____ (Microsoft Corporation) C:\windows\system32\propsys.dll
2019-06-10 22:32 - 2019-02-16 01:02 - 000705848 _____ (Microsoft Corporation) C:\windows\system32\Drivers\vhdmp.sys
2019-06-10 22:32 - 2019-02-16 01:02 - 000413712 _____ (Microsoft Corporation) C:\windows\system32\AUDIOKSE.dll
2019-06-10 22:32 - 2019-02-16 01:01 - 001209696 _____ (Microsoft Corporation) C:\windows\system32\AudioSes.dll
2019-06-10 22:32 - 2019-02-16 01:01 - 001028920 _____ (Microsoft Corporation) C:\windows\system32\Drivers\http.sys
2019-06-10 22:32 - 2019-02-16 01:01 - 000594024 _____ (Microsoft Corporation) C:\windows\system32\audiodg.exe
2019-06-10 22:32 - 2019-02-16 00:51 - 001584536 _____ (Microsoft Corporation) C:\windows\SysWOW64\propsys.dll
2019-06-10 22:32 - 2019-02-16 00:50 - 001805648 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioEng.dll
2019-06-10 22:32 - 2019-02-16 00:50 - 001011872 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioSes.dll
2019-06-10 22:32 - 2019-02-16 00:29 - 001768448 __


Here is addition.txt.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 10-06-2019 01
Ran by AdminR&D (11-06-2019 13:35:07)
Running from C:\Users\AdminR&D\Desktop
Windows 10 Home Version 1803 17134.765 (X64) (2019-06-07 08:19:14)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3661324527-2278852709-3805750152-500 - Administrator - Disabled)
AdminR&D (S-1-5-21-3661324527-2278852709-3805750152-1001 - Administrator - Enabled) => C:\Users\AdminR&D
DefaultAccount (S-1-5-21-3661324527-2278852709-3805750152-503 - Limited - Disabled)
Guest (S-1-5-21-3661324527-2278852709-3805750152-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-3661324527-2278852709-3805750152-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Malwarebytes version 3.7.1.2839 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.7.1.2839 - Malwarebytes)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24212 (HKLM-x32\...\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}) (Version: 14.0.24212.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24212 (HKLM-x32\...\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}) (Version: 14.0.24212.0 - Microsoft Corporation)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{C3ACFCEA-240F-4DCC-A0C3-DD55FEE6C3C2}) (Version: 2.58.0.0 - Microsoft Corporation)
Update for Windows 10 for x64-based Systems (KB4480730) (HKLM\...\{2E8B8BDD-03DF-4C1C-8C99-E6A4BCBF43CE}) (Version: 2.51.0.0 - Microsoft Corporation)
Vbsedit (HKU\S-1-5-21-3661324527-2278852709-3805750152-1001\...\Vbsedit) (Version: 9.0 - Adersoft)
Vbsedit 32-bit (HKU\S-1-5-21-3661324527-2278852709-3805750152-1001\...\Vbsedit 32-bit) (Version: 9.0 - Adersoft)
Vulkan Run Time Libraries 1.0.65.1 (HKLM\...\VulkanRT1.0.65.1) (Version: 1.0.65.1 - LunarG, Inc.) Hidden

Packages:
=========
Microsoft Access -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Access_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation) [MS Ad]
Microsoft Excel -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Excel_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Office Desktop Apps -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Outlook -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Outlook_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft PowerPoint -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.PowerPoint_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Publisher -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Publisher_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.3.4032.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Studios) [MS Ad]
Microsoft Word -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Word_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_4.28.10351.0_x64__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation) [MS Ad]
Surface -> C:\Program Files\WindowsApps\Microsoft.SurfaceHub_30.604.136.0_x64__8wekyb3d8bbwe [2018-06-22] (Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{04CCE2FF-A7D3-11D0-B436-00A0244A1DD2}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{0BFCC060-8C1D-11D0-ACCD-00AA0060275C}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{170EC3FC-4E80-40AB-A85A-55900C7C70DE}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{26933B26-DA32-49FC-B31F-02BACE3A497D}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{438A9411-04DE-4E4D-A877-5503FAFBD670}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{59C73A9D-C7B7-49DD-B82E-F878995B784D}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{5DF9F974-7893-40C5-9535-48786FC80017}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{7F3187F8-8CED-4FA4-B683-FAEEA44A9F59}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{83B8BCA6-687C-11D0-A405-00AA0060275C}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{A74CA7D9-273A-45C5-8974-80F377486346}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{B6373EBD-8A98-401D-AA34-EAF6A12B841B}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{B8C460E5-F20D-44C7-95FC-5C7EF2C73D43}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{C0C3E1E2-9196-43DD-8FA9-1423641098C8}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{C5621364-87CC-4731-8947-929CAE75323E}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64/msdbg2.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{D04D550D-1EA8-4E37-830E-700FEA447688}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64/pdmproxy100.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{E190FD96-334A-456F-8ECE-F4E2FF8EF635}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{E9B104E5-17AF-45B0-9D01-C7D05DB3DB2D}\localserver32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\stickynotes2.exe (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{F555F60C-0037-488E-B5FF-5BC2BF467ABC}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2019-01-27] (Notepad++ -> )
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-02-01] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-02-01] (Malwarebytes Corporation -> Malwarebytes)

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2018-04-11 16:38 - 2018-04-11 16:36 - 000000824 _____ C:\windows\system32\drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3661324527-2278852709-3805750152-1001\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\theme1\img13.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

If an entry is included in the fixlist, it will be removed.


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{B1B58784-E3D3-49CD-BD0B-2B045F32D799}] => (Allow) C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Outlook_16051.11629.20214.0_x86__8wekyb3d8bbwe\Office16\OUTLOOK.exe (Microsoft Corporation -> Microsoft Corporation)

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (06/10/2019 10:52:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WirelessPowerBackoffService.exe, version: 0.0.0.0, time stamp: 0x5b7cad51
Faulting module name: WirelessPowerBackoffService.exe, version: 0.0.0.0, time stamp: 0x5b7cad51
Exception code: 0xc0000005
Fault offset: 0x00001ca7
Faulting process id: 0x2580
Faulting application start time: 0x01d52019d3302779
Faulting application path: C:\windows\WirelessPowerBackoffService.exe
Faulting module path: C:\windows\WirelessPowerBackoffService.exe
Report Id: f349d201-8256-48c8-ae76-bf84e18e3895
Faulting package full name:
Faulting package-relative application ID:

Error: (06/10/2019 10:52:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Faulting module name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Exception code: 0xc0000409
Fault offset: 0x0000000000007fbd
Faulting process id: 0x4ac
Faulting application start time: 0x01d52019d4350271
Faulting application path: C:\Windows\wpcsc64.exe
Faulting module path: C:\Windows\wpcsc64.exe
Report Id: 27146bc5-654e-4d37-9629-af3131abc575
Faulting package full name:
Faulting package-relative application ID:

Error: (06/10/2019 10:50:52 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-74AI7HU$ via https://INTC-KeyId-6ca9df62a1aae23e0feb7c3f5eb8e61ecac17cb7.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(109ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Error: (06/10/2019 10:50:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Faulting module name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Exception code: 0xc0000409
Fault offset: 0x0000000000007fbd
Faulting process id: 0xfa4
Faulting application start time: 0x01d520198dedf4cf
Faulting application path: C:\Windows\wpcsc64.exe
Faulting module path: C:\Windows\wpcsc64.exe
Report Id: 90512264-b3b8-40ee-9372-7751057d8b0e
Faulting package full name:
Faulting package-relative application ID:

Error: (06/10/2019 02:23:14 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-74AI7HU$ via https://INTC-KeyId-6ca9df62a1aae23e0feb7c3f5eb8e61ecac17cb7.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(47ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Error: (06/10/2019 02:23:13 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-74AI7HU$ via https://INTC-KeyId-6ca9df62a1aae23e0feb7c3f5eb8e61ecac17cb7.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(31ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Error: (06/10/2019 02:22:43 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Faulting module name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Exception code: 0xc0000409
Fault offset: 0x0000000000007fbd
Faulting process id: 0x116c
Faulting application start time: 0x01d51f6e0e928b19
Faulting application path: C:\Windows\wpcsc64.exe
Faulting module path: C:\Windows\wpcsc64.exe
Report Id: 8e24b9ea-9903-467a-b827-a960189d34ec
Faulting package full name:
Faulting package-relative application ID:

Error: (06/09/2019 04:40:55 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-74AI7HU$ via https://INTC-KeyId-6ca9df62a1aae23e0feb7c3f5eb8e61ecac17cb7.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(31ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)


System errors:
=============
Error: (06/11/2019 01:17:43 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/11/2019 01:17:43 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-74AI7HU)
Description: The server {D63B10C5-BB46-4990-A94F-E40B9D520160} did not register with DCOM within the required timeout.

Error: (06/11/2019 01:17:18 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/11/2019 01:17:18 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/10/2019 10:52:52 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
Windows.SecurityCenter.WscDataProtection
and APPID
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/10/2019 10:52:52 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
Windows.SecurityCenter.WscBrokerManager
and APPID
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/10/2019 10:52:19 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The WirelessPowerBackoffService service terminated unexpectedly. It has done this 1 time(s).

Error: (06/10/2019 10:51:10 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Windows Defender:
===================================
Date: 2019-06-08 23:20:19.087
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {B0C17F1B-17B1-4C2C-8E45-5B7EE2767CFA}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2019-06-08 23:12:59.435
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {41778DEB-5E19-47CE-9186-5FBBE2CE3AF6}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2019-06-08 22:57:08.540
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {CF5269CB-9B84-46D5-A09B-E60876A2F540}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2019-06-11 13:32:01.556
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.295.507.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16000.6
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2019-06-10 22:30:30.586
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.295.372.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16000.6
Error code: 0x80240016
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2019-06-10 02:32:58.027
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.295.372.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16000.6
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2019-06-10 02:11:10.324
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.295.372.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16000.6
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2019-06-09 04:30:17.636
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 0.0.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 0.0.0.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

CodeIntegrity:
===================================

Date: 2019-06-08 01:46:14.120
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume10\3z15z1zx.exe that did not meet the Enterprise signing level requirements.

Date: 2019-06-08 01:32:19.728
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume7\mytool.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

Date: 2019-06-08 01:32:19.722
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume7\mytool.exe that did not meet the Enterprise signing level requirements.

Date: 2019-06-08 01:29:34.629
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\cmd.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

Date: 2019-06-08 01:29:34.622
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\cmd.exe that did not meet the Enterprise signing level requirements.

Date: 2019-06-08 01:29:04.511
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume5\SanDiskSecureAccessV3.1_win.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

Date: 2019-06-08 01:29:04.351
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume5\SanDiskSecureAccessV3.1_win.exe that did not meet the Enterprise signing level requirements.

Date: 2019-06-07 23:40:44.712
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\cAVS\Intel(R) Audio Service\IntelAudioService.exe) attempted to load \Device\HarddiskVolume3\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\c0f904109c6cca7fed5aa1bfd91298bf\System.Configuration.ni.dll that did not meet the Enterprise signing level requirements or violated code integrity policy.

==================== Memory info ===========================

BIOS: Microsoft Corporation 1.0.14 12/12/2018
Motherboard: Microsoft Corporation Surface Go
Processor: Intel(R) Pentium(R) CPU 4415Y @ 1.60GHz
Percentage of memory in use: 51%
Total physical RAM: 4003.46 MB
Available physical RAM: 1948.73 MB
Total Virtual: 5411.46 MB
Available Virtual: 3390.58 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:56.86 GB) (Free:39.86 GB) NTFS

\\?\Volume{d7792c01-115d-44db-89d9-f6b6f947479f}\ (WinRE) (Fixed) (Total:1 GB) (Free:0.62 GB) NTFS
\\?\Volume{5e2124ed-50fb-477e-a103-06d3ee4eb3eb}\ (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.23 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 58.2 GB) (Disk ID: 1B888B57)

Partition: GPT.

==================== End of Addition.txt ============================



Sorry I tried to just attach the text files but the phone kept locking up.
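The Windows Defender and CodeIntegrity sections of the Addition.txt dump above are the parts a triager actually reads: how many scans were interrupted, which error codes the signature updates failed with, and which binaries explorer.exe tried to launch that did not meet the signing level, and from which volume. The parser below is an added example, not part of this thread or of FRST; it walks the `Date:`-delimited records of those two sections and aggregates them. The embedded SAMPLE_LOG is constructed from a handful of entries copied in the shape of the log above, not the full dump; the DCOM entries are not parsed.

```python
import re
from collections import Counter

# Constructed sample: a few records in the shape of the FRST Addition.txt
# "Windows Defender:" and "CodeIntegrity:" sections posted above (not the full log).
SAMPLE_LOG = r"""Windows Defender:
===================================
Date: 2019-06-08 23:20:19.087
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {B0C17F1B-17B1-4C2C-8E45-5B7EE2767CFA}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2019-06-11 13:32:01.556
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.295.507.0
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates.

Date: 2019-06-09 04:30:17.636
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
Previous Signature Version: 0.0.0.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

CodeIntegrity:
===================================

Date: 2019-06-08 01:46:14.120
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume10\3z15z1zx.exe that did not meet the Enterprise signing level requirements.

Date: 2019-06-08 01:29:34.629
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\cmd.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

Date: 2019-06-07 23:40:44.712
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\cAVS\Intel(R) Audio Service\IntelAudioService.exe) attempted to load \Device\HarddiskVolume3\Windows\assembly\System.Configuration.ni.dll that did not meet the Enterprise signing level requirements or violated code integrity policy.

==================== Memory info ===========================
"""

KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): ?(.*)$")          # "Field: value" lines
CI_RE = re.compile(r"process \((?P<proc>.+?)\) attempted to load (?P<target>.+?) that did not meet")
VOL_RE = re.compile(r"^\\Device\\(HarddiskVolume\d+)\\")


def parse_entries(text):
    """Return [(section, entry)] for every 'Date:' record in the Defender and
    CodeIntegrity sections; entry holds 'date', 'description' and the fields."""
    lines = text.splitlines()
    entries, section, entry, in_desc = [], None, None, False

    def flush():
        nonlocal entry
        if entry is not None:
            entries.append((section, entry))
        entry = None

    for i, raw in enumerate(lines):
        line = raw.rstrip()
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("="):
            # bare '====' underlines a section name; '==== Memory info ====' is an FRST banner
            if line.strip("= "):
                flush()
                section = None
            continue
        if line.endswith(":") and nxt.startswith("="):
            flush()
            section = line[:-1]
            continue
        if section is None:
            continue
        if not line:
            flush()
            continue
        if line.startswith("Date: "):
            flush()
            entry, in_desc = {"date": line[6:], "description": ""}, False
            continue
        if entry is None:
            continue
        if line == "Description:":
            in_desc = True
            continue
        m = KV_RE.match(line)
        if m:
            entry[m.group(1)] = m.group(2)
            in_desc = False
        elif in_desc:
            entry["description"] = (entry["description"] + " " + line).strip()
    flush()
    return entries


def summarize(entries):
    """Count interrupted scans and update error codes; list blocked loads with
    a flag for binaries launched from a volume other than the launcher's."""
    out = {"scans_stopped": 0, "update_errors": Counter(), "ci_loads": []}
    for section, e in entries:
        desc = e["description"]
        if section == "Windows Defender":
            if "stopped before completion" in desc:
                out["scans_stopped"] += 1
            elif "error trying to update signatures" in desc:
                out["update_errors"][e.get("Error code", "unknown")] += 1
        elif section == "CodeIntegrity":
            m = CI_RE.search(desc)
            if m:
                tv, pv = VOL_RE.match(m.group("target")), VOL_RE.match(m.group("proc"))
                out["ci_loads"].append({
                    "date": e["date"], "process": m.group("proc"), "target": m.group("target"),
                    "volume": tv.group(1) if tv else None,
                    "foreign_volume": bool(tv and pv and tv.group(1) != pv.group(1)),
                })
    return out


if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```

Run against the full Addition.txt text rather than the sample, the `foreign_volume` flag separates the loads from HarddiskVolume5/7/10 (removable media, going by the drive list at the end of the log) from the blocked loads of cmd.exe and the .NET native image on the Windows volume, which is the first split a reviewer makes before deciding whether any of the blocked files deserve a closer look.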

Dcroft39

New Member
System restore is useless, as is reset, as is using a VPN. The service I need to use a VPN, RasMan, will not run. Since the first encounter, I have not been able to get RasMan to run, and they've crippled system restore. It'll try to run, restart... and then after about an hour of waiting it comes back and says it failed. So I don't even bother anymore.

I hope this helps you find out something. I am patient and I appreciate any help. Thank you so much.

Dcroft39

New Member
Curious. Did you interpret the GMER data as well? I have a ton of Wireshark data as well. I appreciate your time. But if it's malware that's unknown, it wouldn't show up, would it? No... it would not. It's not gonna tell you that some of my system install files have been replaced with ones that have been injected with malicious code that was just made a month ago, especially for my system.

I just don't know how they keep accessing my devices. I know I'm not losing my mind. I was almost 100% certain nothing would show up. But I had to try and let someone that really understands the logs check. I believe there is some back door in some application. Else they could not crack it in under a minute. I'm sure you think I'm crazy, paranoid, that I've lost my mind, like everyone else. But there is some way they keep getting in. I'm gonna relax a bit now since you have confirmed the logs are clean. Once again, thank you. I'd say once it gets bad I'd submit scan results again, but I know it's a one-shot deal. You found nothing. Another score for the hackers.
This just makes me more sure that the world needs an antivirus that seeks out malicious code in files rather than comparing the code to definitions of known malware. I'm getting a bit fed up with opening the laptop and seeing that it's been on for hours, or seeing mass emails being sent, settings being changed, setting buttons grayed out so I cannot select things. System restore being rendered useless. This is another reason I have formatted and reinstalled so much. I don't want my fucking computer used as a tool for illegal endeavors. So when I see this kind of stuff, I have to start over. I should have waited till it was really in bad shape, but once it gets to that point it will not let me run any antivirus. Like I said, "possibly no help". I'd hoped you guys could find something, but these hackers are like ghosts. Literally. I know a good deal about computers and software dev, but next to nothing about antivirus, malware or hacking. This has lit a fire under my ass to learn and absorb every single byte of data I can about how they and the malware work. Again, thank you.