New duplicate services popping up with funky extensions

Status
Not open for further replies.
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Where do I start.. ok, I downloaded a copy of tumblr from play store. It was a brand-new phone.and the only anti anything software was lookout. I began getting weird activity from that day. The app was a tumblr app and I was blogging about sig sauer pistols. The hacker began to attach a porn a based page to my blog and made it available to all. This is when I knew I'd been hacked. I went into Google accounts and he followed me immiediatly. Began to become a race to keep him out. Long story short I lost and couldn't recover the account. Him/they kept changing my password and I couldn't get back in. Finally they communicated to me that they wanted to use lookout and other apps on the phone to commit fraud. So like a dumb ass I sat and watched him control and program the phone remotely. Finally I'd had enough and I called my provider told them and he began to sennd threats saying hang up now. With that operation foiled, all hell broke lose. I changed phones 4 times that month, all my accounts, passwords, etc. I used to use several password generators. Every time I'd get a new phone, bam! They get in as soon as I created a new Google account. So I switched to apple. I was told. No way I could be hacked by apple unless they had physical contact. Well, one morning I inadvertently answered a robo call and from that point they were in. They made widgets to follow all my moves, they turned Siri against me to report passwords to them. They even put an extra pin after mine on the phone so I could not reset it. I'm on phone four. This was a cheap motor 6 forge prepaid in another person's name and before I even had the effing number activated they hacked in as I was setting it up. It's the phone I'm on now. I have a firewall called internet guard that I can allow each app on the phone access or block to. The net. I also use a tool called IP tools to watch the activity, but it's not showing a lot. Seems to be disabled. I use Kaspersky antivirus and it always comes up clean. And I have a widget that blocks the camera and mic. Now to the PC. As soon as I got it and went online they hacked in. They shut down half the computer and locked the C:\ making it almost impossible to use. Finally I called Microsoft to get the info for recovery files. And did a new install. It will run ok as long as I don't spend more than a few minutes online. If I do, they get in. My passwords are like 36 character freaking sentences and my pin is about 12 chars. They walk right in like it's theirs. This tells me, rootkit, or some back door. Every device that hooks to our wifi gets hacked. You realize that all the info I'm giving you they can get so it's a catch 22. The reason I have to reinstall Windows so much is because after a cpl days it becomes unusable. All my files are being shared with good knows who, all the permissions are out of whack. Hell I can't even access or save to half my folders. So I copy the data in the event viewer, system and security and I save it on USB drives. Format, reinstall. I even diskpart and name the system partition and format that. Then as soon as I go online to get out of S mode it slowly happens again. I took the windows 10 PC in the living room. An isolated machine. I used it to download the new install files from MS. And they got in that one. They change the router logins and I can't update the firmware cause there isn't an update. I unplugged the router from the cable, hooked to it with an Ethernet cable so I'd have proprietary access. And as I'm re entering new passwords they begin to change on me!!! I've been told this was impossible. Generally they hear. Our conversations via my roommates phone and know what steps were gonna take. This time I did it on a whim. And as I'm changing passwords I get locked out. I reset it to factory, and none of the default passwords would work. I reset again. Nothing. Finally I input the last one I used and gained access and it was as if nothing had been reset. That computer sits unplugged in the living room. My laptop I use several antivirus. But mostly rootkit finders. I have installed McAfee, Kaspersky, eset, all to just uninstall because they find nothing. Once I found some malware in notepad++ a Trojans cleaned it and was informed by the company it was a false positive? I work very hard to make a living these days. I haven't shelled out any money to purchase an antivirus because I haven't found any that can find the rootkits or viri that must be there. My point is, how could they hack a 30+char password in seconds Everytime I change it without a keylogger, or a backdoor in? I've reported it to the cops, I've stacked evidence, but they won't stop. I'm positive there is some malware at work here. The phone, ****, it's gone. Nothing clean it. They obviously have done something to files I can't access to let them keep following me. Ppl think I have lost mind or I am making this up. I spend hours studying the ways malware works and I've been writing batch files to make quick work of all the tests I have to run all the time. I'm trying to learn python,but if I can't get this fixed. It's pointless. As I said. I had unknown code on my MBR. I managed to fix that. So that was a small win. But all I have to do is login and I'll be infected again.



As stated I will follow protocol as soon as I'm able to get online and download the requested antivirus and submit the reports. You must know that at this point, after months of these attacks. And after hours of work to get my MBR clean, I'm very hesitant about even hooking to wifi. Because true to form, as soon as I do they will walk in the back door and it's likely take the machine down and with all this info out there, they know what I'm going to download, and have the ability to render any software unusable. I'll be back in touch when I can get this done.
 
Last edited by a moderator:
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Sorry about all the header info that got posted. I copy and pasted and I am working and atm do not have time to clean it all up.
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
downloaded both tools... FRST I got a warning after downloading saying it was uncommonly used and could harm my computer?.. curious is that normal?
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Here's the report from malwarebytes for windows. Found nothing but to no surprise. I believe that the group targeting me is writing their own malware. But maybe it will show you something. The reports I get from GMER are a bit more in depth. But I believe it's been disabled because like many others it crashes halfway through the scan.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/10/19
Scan Time: 10:39 PM
Log File: 40a0a15a-8c0b-11e9-800d-000000000000.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.10988
License: Free

-System Information-
OS: Windows 10 (Build 17134.112)
CPU: x64
File System: NTFS
User: DESKTOP-74AI7HU\AdminR&D

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 256976
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 1 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Here's a GMER report appended with extra info on how it reacts strangely

GMER 2.2.19882 - GMER - Rootkit Detector and Remover
3rd party scan 2019-06-10 02:27:29
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003e VID:90 rev.0.1 58.24GB
Running: mytool.exe; Driver: C:\Users\AdminR&D\AppData\Local\Temp\pfrdipod.sys


---- Modules - GMER 2.2 ----

Module \SystemRoot\System32\drivers\RtsPer.sys (RTS PCIE READER Driver/Realsil Semiconductor Corporation SIGNED)(2018-06-22 23:03:24) fffff80501cc0000-fffff80501d9c000 (901120 bytes)
Module \SystemRoot\System32\Drivers\dump_dumpsd.sys fffff80503070000-fffff805030a3000 (208896 bytes)
Module \SystemRoot\System32\Drivers\dump_dumpfve.sys fffff805030d0000-fffff805030ed000 (118784 bytes)
---- Processes - GMER 2.2 ----

Process C:\windows\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe [3860] (.NET Framework/Microsoft Corporation)(2019-06-07 08:29:03) 00007ffe0ba70000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System\f6e685fe963bccd90580ac7c199fa1f1\System.ni.dll (.NET Framework/Microsoft Corporation)(2019-06-07 08:29:03) 00007ffe0ba70000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\c23304336821a0954144b446945aa7dd\System.ServiceProcess.ni.dll (.NET Framework/Microsoft Corporation)(2018-06-25 15:36:18) 00007ffe0b9e0000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System.Core\bc492a09fdac1f8f19ff8705de972bec\System.Core.ni.dll (.NET Framework/Microsoft Corporation)(2019-06-07 08:29:24) 00007ffe06dd0000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System.Xml\94ccebb52471583c75bb4035c7eaefd3\System.Xml.ni.dll (.NET Framework/Microsoft Corporation)(2018-06-25 15:36:38) 00007ffe03050000
Library C:\windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\c0f904109c6cca7fed5aa1bfd91298bf\System.Configuration.ni.dll (System.Configuration.dll/Microsoft Corporation)(2018-06-25 15:36:37) 00007ffe02e70000
Process C:\Users\AdminR&D\Desktop\mytool.exe [8128](2019-06-09 11:21:47) 0000000000400000

---- Services - GMER 2.2 ----

Service .NET CLR Data
Service .NET CLR Networking
Service .NET CLR Networking 4.0.0.0
Service .NET Data Provider for Oracle
Service .NET Data Provider for SqlServer
Service .NET Memory Cache 4.0
Service .NETFramework
Service ADOVMPPackage
Service BthA2DP
Service CoreUI
Service HomeGroupListener
Service HomeGroupProvider
Service MSDTC Bridge 4.0.0.0
Service napagent
Service NetbiosSmb
Service netvscvfpp
Service RDMANDK
Service RDPUDD
Service C:\windows\System32\drivers\RtsPer.sys (RTS PCIE READER Driver/Realsil Semiconductor Corporation SIGNED)(2018-06-22 23:03:24) [MANUAL] RTSPER
Service SMSvcHost 4.0.0.0
Service tiledatamodelsvc
Service Windows Workflow Foundation 4.0.0.0
Service workerdd
Service WSearchIdxPi
Service C:\Users\AdminR&D\AppData\Local\Temp\pfrdipod.sys (GMER Driver http://www.gmer.net/GMER)(2019-06-08 08:46:13) [MANUAL] pfrdipod

---- EOF - GMER 2.2 ----
everytime i run a scan this software starts up saying

"C\Windows\system32\config\system: The process cannot access the file because it is being used by another process."

If I try to run a scan with all boxes checked the driver that runs it always crashes. i can only get it to finish by selecting "3rd party" or by unchecking half the boxes. and then when it finishes I get that same error message above twice in a row, then it says scan fished succesfully.

This is the only software save a beta version of malwarebytes rootkit finder and mbrcheck that has ever yielded any results. And yes i know you do not install more than one antivirus at a time on your machine.
Ive always tried them out one at a time. Avast, mcafee, Defender, which never ever finds a thing, and Eset. I have only used the trial versions. I really dont know whom to put my money into. At this point in my life
im lucky if I have $40 left on payday so I dont have a lot to work with.

Also when Gmer starts this is always displayed:

GMER 2.2.19882 - GMER - Rootkit Detector and Remover
Rootkit scan 2019-06-10 02:37:38
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003e VID:90 rev.0.1 58.24GB
Running: mytool.exe; Driver: C:\Users\AdminR&D\AppData\Local\Temp\pfrdipod.sys


---- Threads - GMER 2.2 ----

Thread C:\windows\system32\csrss.exe [700:756] fffffcc4b3a96840

---- EOF - GMER 2.2 ----

Sometimes itll disappear once the scan starts sometimes it stays. I have let windows update install all the updates in the past, firmware antivirus defs win 10 security patches. etc. But tbh. I cannot be perfectly sure these files are legit. the Hackers Ive been dealing with are extremely crafty and have on more than one occasion intercepted calls, webpages, etc. Ive grown wise to their tricks. The last one was in the windows OS saying there was a fix to my windows update problems and went through with it. then when the computer rebooted the update screen, progresss bar, all of it loooked really funky. Then i begam having problems with unknown mbr code. found a few trojans in the temp directory. I am in the process of developing a virus scanner that does not use definitions. Its all on paper now and the coding hasnt begun
for obvious reasons. but i believe i have figured out an algorythmn that will actually find rogue code in files with no need for prior notice of a virus. I dont want this stolen so I am not coding any of it until
i can find the malware, keyloggers, rootkits, and all the godamn backdoors they use to get into my PC and devices.
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
I can't ever get a full scan to work and this is common with most antivirus. The driver for the antivirus always crashes halfway through. So this is the best scan I can get. Hope this helps and let me know ow if I need to run FRST as well. Might as well but the warning kind of bothers me.
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Ok, I figured as much. That's just the warning IExplorer gave me. Which is not my choice of browser. But right now I don't like staying online long enough to download Firefox. I stay away from Google products like the plaque. If you read the terms and agreements, they clearly state their products, most of them, chrome, drive, duo, etc maintain a solid data connection at all times. This creates a means for a man in the middle attack, not like that of a wifi cafe, rathe as a gateway for malicious users to access your device/data/PC. By agreeing to the terms, if you get malware or attacked via their software they cannot be held liable. So, no chrome, only Gmail, and that's only because the last phone I could afford was an Android and you are hog tied into using Google in one way or another to use an Android. Unless you crack the bootloader, and flash a rom that doesn't rely on Google. I've tried that but the only OS I could find was quirky at best. My problem is a focused attack. This is why idk if you guys can help. I did happen upon infected software, but it was basically a front with a gateway designed to let the Intruders in. They seem to have a hard on for me now and will not relent. These aren't 14 yr old kids playing pranks, from the Intel I've gathered since February, they run a cyber security business, and at least one works for Google. I believe the base of operations is on the west coast. I appreciate any help you guys can give it will add to the evidence I've accumulated thus far. My ultimate goal is to take it all to the FBI via my lawyer. I do indeed believe they custom write any malware they use. It will not be on any virus definitions list, at least I don't think. This is why I have been thrust into the desire to engineer an antivirus that doesn't rely on a list of known malware. I believe my algorithm is sound and once I rid myself of this infestation I can begin the coding. Things have been quite since contacting you guys. No random changes of wallpaper, no mysterious folders popping up, no unknown MBR code. But there are bots, software with backdoors, and other types of malware on this phone and my PC. As stated before. How else could anyone, or any computer for that matter consistently crack 30+ char passwords and access my PC in seconds? I'll run FRST and get back. Thank you for the help.
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Here is FRST. Text


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-06-2019 01
Ran by AdminR&D (administrator) on DESKTOP-74AI7HU (Microsoft Corporation Surface Go) (11-06-2019 13:30:23)
Running from C:\Users\AdminR&D\Desktop
Loaded Profiles: AdminR&D (Available Profiles: AdminR&D)
Platform: Windows 10 Home Version 1803 17134.765 (X64) Language: English (United States)
Default browser: Edge
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() [File not signed] C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_1.15.1001.0_x64__8wekyb3d8bbwe\GameBar.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\Intel\DPTF\dptf_helper.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\Intel\DPTF\esif_uf.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_base.inf_amd64_062d16984e6c0a6b\IntelCpHDCPSvc.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_base.inf_amd64_062d16984e6c0a6b\IntelCpHeciSvc.exe
(Malwarebytes Corporation -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Windows -> Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\OpenWith.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17134.1_none_eedfeda03074e04e\TiWorker.exe
(Microsoft Windows Hardware Compatibility Publisher -> ) C:\Windows\wpcsc64Service.exe
(Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider) C:\Windows\System32\drivers\AdminService.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1905.4-0\MsMpEng.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1905.4-0\NisSrv.exe
(Qualcomm Atheros -> Qualcomm Technologies Inc.) C:\Windows\System32\drivers\QcomWlanSrvx64.exe
(Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\RtkAudUService64.exe
(Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\RtkAudUService64.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [638872 2018-04-11] (Microsoft Windows -> Microsoft Corporation)
HKLM\...\Run: [RtkAudUService] => C:\Windows\System32\RtkAudUService64.exe [672192 2018-05-17] (Realtek Semiconductor Corp. -> Realtek Semiconductor)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {5A85CE32-7C04-472B-8AAF-0843D775E99F} - System32\Tasks\Microsoft\Windows\RetailDemo\CleanupOfflineContent => {61f77d5e-afe9-400b-a5e6-e9e80fc8e601} C:\Windows\System32\RDXTaskFactory.dll [393728 2018-04-11] (Microsoft Windows -> Microsoft Corporation)
Task: {624803BC-D704-400C-83AC-9F07B1E658FC} - System32\Tasks\OneDrive Standalone Update Task v2 => C:\Users\AdminR&D\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-3661324527-2278852709-3805750152-1001] => 187.188.46.172:53455
Tcpip\Parameters: [DhcpNameServer] 75.76.84.102 75.76.84.103
Tcpip\..\Interfaces\{11f85019-d4be-42f2-bf40-ffd0818d6443}: [DhcpNameServer] 75.76.84.102 75.76.84.103

Internet Explorer:
==================

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\windows\system32\DRIVERS\AdminService.exe [414696 2018-02-01] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider)
R2 esifsvc; C:\windows\System32\Intel\DPTF\esif_uf.exe [1696312 2018-03-23] (Intel Corporation -> Intel Corporation)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\Intel(R) Management Engine Components\iCLS\SocketHeciServer.exe [761088 2018-06-08] (Intel(R) Trust Services -> Intel(R) Corporation)
S2 Intel(R) TPM Provisioning Service; C:\Program Files\Intel\Intel(R) Management Engine Components\iCLS\TPMProvisioningService.exe [737552 2018-06-08] (Intel(R) Trust Services -> Intel(R) Corporation)
S2 IntelAudioService; C:\windows\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe [212536 2018-05-10] (Intel(R) Smart Sound Technology -> Intel)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6562472 2019-02-01] (Malwarebytes Corporation -> Malwarebytes)
R2 PanelCalibration Service; C:\windows\wpcsc64Service.exe [94896 2018-10-07] (Microsoft Windows Hardware Compatibility Publisher -> )
R2 QcomWlanSrv; C:\windows\System32\drivers\QcomWlanSrvx64.exe [190304 2018-06-04] (Qualcomm Atheros -> Qualcomm Technologies Inc.)
R2 RtkAudioUniversalService; C:\windows\System32\RtkAudUService64.exe [672192 2018-05-17] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1905.4-0\NisSrv.exe [2433136 2019-06-11] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1905.4-0\MsMpEng.exe [109896 2019-06-11] (Microsoft Windows Publisher -> Microsoft Corporation)
U2 WirelessPowerBackoffService; C:\windows\WirelessPowerBackoffService.exe [152240 2018-10-07] (Microsoft Windows Hardware Compatibility Publisher -> )

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BtFilter; C:\windows\system32\DRIVERS\btfilter.sys [65960 2018-02-01] (WDKTestCert aswbldsv,131431045756648395 -> Qualcomm)
R3 dptf_acpi; C:\windows\System32\drivers\dptf_acpi.sys [74696 2017-11-27] (Intel Corporation -> Intel Corporation)
R3 dptf_cpu; C:\windows\System32\drivers\dptf_cpu.sys [70088 2017-11-27] (Intel Corporation -> Intel Corporation)
R3 esif_lf; C:\windows\System32\drivers\esif_lf.sys [383432 2017-11-27] (Intel Corporation -> Intel Corporation)
R3 HidEventFilter; C:\windows\System32\drivers\HidEventFilter.sys [85032 2017-12-13] (Intel(R) Software -> Intel Corporation)
R3 HID_PCI; C:\windows\System32\drivers\HID_PCI.sys [33952 2017-11-10] (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel)
R3 iactrllogic; C:\windows\System32\drivers\iactrllogic64.sys [175480 2018-03-04] (Intel Corporation -> Intel(R) Corporation)
R3 iaLPSS2_GPIO2; C:\windows\System32\drivers\iaLPSS2_GPIO2.sys [98968 2017-10-15] (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation)
R3 ISH; C:\windows\System32\drivers\ISH.sys [155288 2017-11-10] (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel)
R3 ISH_BusDriver; C:\windows\System32\drivers\ISH_BusDriver.sys [89752 2017-11-10] (Intel(R) Embedded Subsystems and IP Blocks Group -> Intel)
S0 MbamElam; C:\windows\System32\DRIVERS\MbamElam.sys [20936 2019-02-01] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\windows\System32\Drivers\mbamswissarmy.sys [275232 2019-06-10] (Malwarebytes Corporation -> Malwarebytes)
S1 MpKslc78f66b9; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpKslc78f66b9.sys [58120 2019-06-08] () [File not signed]
R3 ov5693; C:\windows\System32\drivers\ov5693.sys [167840 2018-05-16] (Microsoft Windows Hardware Compatibility Publisher -> Intel(R) Corporation)
R3 ov7251; C:\windows\System32\drivers\ov7251.sys [169376 2018-05-16] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
R3 ov8865; C:\windows\System32\drivers\ov8865.sys [166824 2018-05-16] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
R3 Qcamain10x64; C:\windows\System32\drivers\Qcamain10x64.sys [2358112 2018-06-04] (Qualcomm Atheros -> Qualcomm Atheros, Inc.)
R3 QIOMem; C:\windows\System32\drivers\QIOMem.sys [33160 2018-10-07] (WDKTestCert TX7,131534493142891343 -> Surface)
R3 RTSPER; C:\windows\System32\drivers\RtsPer.sys [887240 2018-06-03] (Realtek Semiconductor Corp. -> Realsil Semiconductor Corporation)
R3 Surface1824DigitizerIntegration; C:\windows\System32\drivers\Surface1824DigitizerIntegration.sys [36312 2018-05-31] (Microsoft Corporation -> Microsoft Corporation)
U5 tiledatamodelsvc; C:\windows\system32\svchost.exe [85472 2019-01-08] (Microsoft Windows Publisher -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S0 WdBoot; C:\windows\System32\drivers\wd\WdBoot.sys [47496 2019-06-11] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\windows\System32\drivers\wd\WdFilter.sys [337632 2019-06-11] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\windows\System32\drivers\wd\WdNisDrv.sys [53984 2019-06-11] (Microsoft Windows -> Microsoft Corporation)
S3 wmbclass; C:\windows\System32\drivers\wmbclass.sys [335872 2018-04-11] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2019-06-11 13:30 - 2019-06-11 13:31 - 000010561 _____ C:\Users\AdminR&D\Desktop\FRST.txt
2019-06-11 13:28 - 2019-06-11 13:28 - 000000000 ____D C:\Users\AdminR&D\AppData\Local\D3DSCache
2019-06-11 13:20 - 2019-06-11 13:30 - 000000000 ____D C:\FRST
2019-06-10 22:52 - 2019-06-10 22:52 - 000000000 ____D C:\windows\LastGood
2019-06-10 22:50 - 2019-06-10 22:50 - 000275232 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamswissarmy.sys
2019-06-10 22:38 - 2019-06-10 22:38 - 000000000 ___HD C:\Users\AdminR&D\MicrosoftEdgeBackups
2019-06-10 22:34 - 2019-06-10 22:34 - 000001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2019-06-10 22:34 - 2019-06-10 22:34 - 000000000 ____D C:\Users\AdminR&D\AppData\Local\mbamtray
2019-06-10 22:34 - 2019-06-10 22:34 - 000000000 ____D C:\Users\AdminR&D\AppData\Local\mbam
2019-06-10 22:34 - 2019-06-10 22:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2019-06-10 22:34 - 2019-02-01 12:20 - 000020936 _____ (Malwarebytes) C:\windows\system32\Drivers\MbamElam.sys
2019-06-10 22:34 - 2019-01-08 16:32 - 000153328 _____ (Malwarebytes) C:\windows\system32\Drivers\mbae64.sys
2019-06-10 22:33 - 2019-06-10 22:33 - 000000000 ____D C:\Program Files\Malwarebytes
2019-06-10 22:33 - 2019-05-02 22:59 - 001307648 _____ (Microsoft Corporation) C:\windows\system32\MSVPXENC.dll
2019-06-10 22:33 - 2019-05-02 22:57 - 001295872 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSVPXENC.dll
2019-06-10 22:33 - 2019-05-02 22:54 - 000535552 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2019-06-10 22:33 - 2019-04-18 21:43 - 000150016 _____ (Microsoft Corporation) C:\windows\system32\fcon.dll
2019-06-10 22:33 - 2019-04-01 21:41 - 001235968 _____ (Microsoft Corporation) C:\windows\SysWOW64\rdpbase.dll
2019-06-10 22:33 - 2018-12-08 01:06 - 001017168 _____ (Microsoft Corporation) C:\windows\system32\msmpeg2adec.dll
2019-06-10 22:33 - 2018-12-08 00:47 - 000861744 _____ (Microsoft Corporation) C:\windows\SysWOW64\msmpeg2adec.dll
2019-06-10 22:33 - 2018-12-08 00:46 - 001397104 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSVP9DEC.dll
2019-06-10 22:33 - 2018-12-08 00:46 - 000457056 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSAudDecMFT.dll
2019-06-10 22:33 - 2018-11-01 04:27 - 001121792 _____ (Microsoft Corporation) C:\windows\system32\TSWorkspace.dll
2019-06-10 22:33 - 2018-11-01 02:53 - 000908288 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSWorkspace.dll
2019-06-10 22:32 - 2019-05-03 04:51 - 003613696 _____ (Microsoft Corporation) C:\windows\system32\win32kfull.sys
2019-06-10 22:32 - 2019-05-03 04:50 - 004054528 _____ (Microsoft Corporation) C:\windows\system32\msi.dll
2019-06-10 22:32 - 2019-05-03 04:28 - 002882048 _____ (Microsoft Corporation) C:\windows\SysWOW64\win32kfull.sys
2019-06-10 22:32 - 2019-05-02 23:36 - 001035256 _____ (Microsoft Corporation) C:\windows\system32\ApplyTrustOffline.exe
2019-06-10 22:32 - 2019-05-02 23:33 - 001219896 _____ (Microsoft Corporation) C:\windows\system32\hvix64.exe
2019-06-10 22:32 - 2019-05-02 23:33 - 001027384 _____ (Microsoft Corporation) C:\windows\system32\hvax64.exe
2019-06-10 22:32 - 2019-05-02 23:33 - 000709720 _____ (Microsoft Corporation) C:\windows\system32\Drivers\cng.sys
2019-06-10 22:32 - 2019-05-02 23:32 - 000793640 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgmms2.sys
2019-06-10 22:32 - 2019-05-02 23:32 - 000170296 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2019-06-10 22:32 - 2019-05-02 23:31 - 009084432 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2019-06-10 22:32 - 2019-05-02 23:31 - 007519888 _____ (Microsoft Corporation) C:\windows\system32\Windows.Media.Protection.PlayReady.dll
2019-06-10 22:32 - 2019-05-02 23:31 - 007436536 _____ (Microsoft Corporation) C:\windows\system32\windows.storage.dll
2019-06-10 22:32 - 2019-05-02 23:31 - 002811192 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2019-06-10 22:32 - 2019-05-02 23:31 - 002771256 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2019-06-10 22:32 - 2019-05-02 23:31 - 001098064 _____ (Microsoft Corporation) C:\windows\system32\msvproc.dll
2019-06-10 22:32 - 2019-05-02 23:31 - 000412984 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgmms1.sys
2019-06-10 22:32 - 2019-05-02 23:19 - 006043712 _____ (Microsoft Corporation) C:\windows\SysWOW64\windows.storage.dll
2019-06-10 22:32 - 2019-05-02 23:18 - 006569344 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.Media.Protection.PlayReady.dll
2019-06-10 22:32 - 2019-05-02 23:18 - 002258640 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2019-06-10 22:32 - 2019-05-02 23:18 - 001130568 _____ (Microsoft Corporation) C:\windows\SysWOW64\msvproc.dll
2019-06-10 22:32 - 2019-05-02 23:12 - 025855488 _____ (Microsoft Corporation) C:\windows\system32\edgehtml.dll
2019-06-10 22:32 - 2019-05-02 23:10 - 022017024 _____ (Microsoft Corporation) C:\windows\SysWOW64\edgehtml.dll
2019-06-10 22:32 - 2019-05-02 23:05 - 022716416 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2019-06-10 22:32 - 2019-05-02 23:02 - 019401216 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2019-06-10 22:32 - 2019-05-02 23:02 - 004866048 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2019-06-10 22:32 - 2019-05-02 23:01 - 008189440 _____ (Microsoft Corporation) C:\windows\system32\Windows.Data.Pdf.dll
2019-06-10 22:32 - 2019-05-02 23:00 - 006661632 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.Data.Pdf.dll
2019-06-10 22:32 - 2019-05-02 23:00 - 003400192 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentServer.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 007593472 _____ (Microsoft Corporation) C:\windows\system32\Chakra.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 005788672 _____ (Microsoft Corporation) C:\windows\SysWOW64\Chakra.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 003710976 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 000209408 _____ (Microsoft Corporation) C:\windows\system32\AppXApplicabilityBlob.dll
2019-06-10 22:32 - 2019-05-02 22:59 - 000154112 _____ (Microsoft Corporation) C:\windows\system32\Chakradiag.dll
2019-06-10 22:32 - 2019-05-02 22:58 - 002175488 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentExtensions.onecore.dll
2019-06-10 22:32 - 2019-05-02 22:58 - 001708544 _____ (Microsoft Corporation) C:\windows\system32\MSPhotography.dll
2019-06-10 22:32 - 2019-05-02 22:58 - 000894464 _____ (Microsoft Corporation) C:\windows\system32\webplatstorageserver.dll
2019-06-10 22:32 - 2019-05-02 22:58 - 000726528 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2019-06-10 22:32 - 2019-05-02 22:57 - 001560576 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentExtensions.desktop.dll
2019-06-10 22:32 - 2019-05-02 22:57 - 001549824 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2019-06-10 22:32 - 2019-05-02 22:57 - 000808448 _____ (Microsoft Corporation) C:\windows\system32\EdgeManager.dll
2019-06-10 22:32 - 2019-05-02 22:57 - 000561152 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2019-06-10 22:32 - 2019-05-02 22:56 - 005350912 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2019-06-10 22:32 - 2019-05-02 22:56 - 001803776 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2019-06-10 22:32 - 2019-05-02 22:55 - 002166784 _____ (Microsoft Corporation) C:\windows\system32\win32kbase.sys
2019-06-10 22:32 - 2019-05-02 22:54 - 004929024 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 001628672 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 000776192 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 000669184 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 000543744 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2019-06-10 22:32 - 2019-05-02 22:54 - 000507392 _____ (Microsoft Corporation) C:\windows\system32\edgeIso.dll
2019-06-10 22:32 - 2019-04-23 00:13 - 001008640 _____ (Microsoft Corporation) C:\windows\system32\Windows.Media.MixedRealityCapture.dll
2019-06-10 22:32 - 2019-04-22 23:14 - 000868864 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.Media.MixedRealityCapture.dll
2019-06-10 22:32 - 2019-04-19 03:39 - 012754944 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2019-06-10 22:32 - 2019-04-19 03:36 - 000346112 _____ (Microsoft Corporation) C:\windows\system32\AcGenral.dll
2019-06-10 22:32 - 2019-04-19 02:28 - 011940864 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2019-06-10 22:32 - 2019-04-18 22:06 - 002571632 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2019-06-10 22:32 - 2019-04-18 22:06 - 000713264 _____ (Microsoft Corporation) C:\windows\system32\MSVideoDSP.dll
2019-06-10 22:32 - 2019-04-18 22:01 - 001982008 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2019-06-10 22:32 - 2019-04-18 21:42 - 004384256 _____ (Microsoft Corporation) C:\windows\system32\EdgeContent.dll
2019-06-10 22:32 - 2019-04-18 21:39 - 005307392 _____ (Microsoft Corporation) C:\windows\SysWOW64\d2d1.dll
2019-06-10 22:32 - 2019-04-18 21:38 - 002368512 _____ (Microsoft Corporation) C:\windows\system32\WebRuntimeManager.dll
2019-06-10 22:32 - 2019-04-18 21:37 - 000953856 _____ (Microsoft Corporation) C:\windows\SysWOW64\SettingSyncCore.dll
2019-06-10 22:32 - 2019-04-18 21:36 - 002909696 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
2019-06-10 22:32 - 2019-04-02 05:38 - 000094008 _____ (Microsoft Corporation) C:\windows\system32\rdpudd.dll
2019-06-10 22:32 - 2019-04-02 05:13 - 001605632 _____ (Microsoft Corporation) C:\windows\system32\rdpcorets.dll
2019-06-10 22:32 - 2019-04-02 05:11 - 001857536 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2019-06-10 22:32 - 2019-04-02 02:07 - 001586688 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3.dll
2019-06-10 22:32 - 2019-04-02 01:21 - 002467536 _____ (Microsoft Corporation) C:\windows\system32\msxml6.dll
2019-06-10 22:32 - 2019-04-02 01:21 - 000735680 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentClient.dll
2019-06-10 22:32 - 2019-04-02 01:19 - 000786080 _____ (Microsoft Corporation) C:\windows\system32\oleaut32.dll
2019-06-10 22:32 - 2019-04-02 00:44 - 001421312 _____ (Microsoft Corporation) C:\windows\system32\rdpbase.dll
2019-06-10 22:32 - 2019-04-01 22:05 - 001989544 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml6.dll
2019-06-10 22:32 - 2019-04-01 22:04 - 000604008 _____ (Microsoft Corporation) C:\windows\SysWOW64\oleaut32.dll
2019-06-10 22:32 - 2019-04-01 22:04 - 000560600 _____ (Microsoft Corporation) C:\windows\SysWOW64\AppXDeploymentClient.dll
2019-06-10 22:32 - 2019-03-14 01:26 - 002421048 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ntfs.sys
2019-06-10 22:32 - 2019-03-14 01:18 - 000095744 _____ (Microsoft Corporation) C:\windows\SysWOW64\UserDataTimeUtil.dll
2019-06-10 22:32 - 2019-03-14 01:13 - 001468416 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2019-06-10 22:32 - 2019-03-14 00:56 - 000120320 _____ (Microsoft Corporation) C:\windows\system32\UserDataTimeUtil.dll
2019-06-10 22:32 - 2019-03-14 00:53 - 000787968 _____ (Microsoft Corporation) C:\windows\system32\Drivers\WdiWiFi.sys
2019-06-10 22:32 - 2019-03-14 00:50 - 001587712 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2019-06-10 22:32 - 2019-03-14 00:50 - 000847360 _____ (Microsoft Corporation) C:\windows\system32\bisrv.dll
2019-06-10 22:32 - 2019-03-06 02:16 - 001188000 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2019-06-10 22:32 - 2019-03-06 02:04 - 000945464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\refsv1.sys
2019-06-10 22:32 - 2019-03-06 02:03 - 001921848 _____ (Microsoft Corporation) C:\windows\system32\Drivers\refs.sys
2019-06-10 22:32 - 2019-03-06 02:03 - 000375608 _____ (Microsoft Corporation) C:\windows\system32\Drivers\msrpc.sys
2019-06-10 22:32 - 2019-03-06 01:33 - 000046080 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidparse.sys
2019-06-10 22:32 - 2019-03-05 23:14 - 000785568 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2019-06-10 22:32 - 2019-02-16 05:30 - 002019840 _____ (Microsoft Corporation) C:\windows\system32\ResetEngine.dll
2019-06-10 22:32 - 2019-02-16 03:24 - 023862272 _____ (Microsoft Corporation) C:\windows\system32\Hydrogen.dll
2019-06-10 22:32 - 2019-02-16 03:22 - 019525120 _____ (Microsoft Corporation) C:\windows\system32\HologramCompositor.dll
2019-06-10 22:32 - 2019-02-16 01:03 - 007901392 _____ (Microsoft Corporation) C:\windows\system32\d3d10warp.dll
2019-06-10 22:32 - 2019-02-16 01:02 - 005821440 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3d10warp.dll
2019-06-10 22:32 - 2019-02-16 01:02 - 001934800 _____ (Microsoft Corporation) C:\windows\system32\AudioEng.dll
2019-06-10 22:32 - 2019-02-16 01:02 - 001792712 _____ (Microsoft Corporation) C:\windows\system32\propsys.dll
2019-06-10 22:32 - 2019-02-16 01:02 - 000705848 _____ (Microsoft Corporation) C:\windows\system32\Drivers\vhdmp.sys
2019-06-10 22:32 - 2019-02-16 01:02 - 000413712 _____ (Microsoft Corporation) C:\windows\system32\AUDIOKSE.dll
2019-06-10 22:32 - 2019-02-16 01:01 - 001209696 _____ (Microsoft Corporation) C:\windows\system32\AudioSes.dll
2019-06-10 22:32 - 2019-02-16 01:01 - 001028920 _____ (Microsoft Corporation) C:\windows\system32\Drivers\http.sys
2019-06-10 22:32 - 2019-02-16 01:01 - 000594024 _____ (Microsoft Corporation) C:\windows\system32\audiodg.exe
2019-06-10 22:32 - 2019-02-16 00:51 - 001584536 _____ (Microsoft Corporation) C:\windows\SysWOW64\propsys.dll
2019-06-10 22:32 - 2019-02-16 00:50 - 001805648 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioEng.dll
2019-06-10 22:32 - 2019-02-16 00:50 - 001011872 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioSes.dll
2019-06-10 22:32 - 2019-02-16 00:29 - 001768448 __


Here is addition.txt.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 10-06-2019 01
Ran by AdminR&D (11-06-2019 13:35:07)
Running from C:\Users\AdminR&D\Desktop
Windows 10 Home Version 1803 17134.765 (X64) (2019-06-07 08:19:14)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3661324527-2278852709-3805750152-500 - Administrator - Disabled)
AdminR&D (S-1-5-21-3661324527-2278852709-3805750152-1001 - Administrator - Enabled) => C:\Users\AdminR&D
DefaultAccount (S-1-5-21-3661324527-2278852709-3805750152-503 - Limited - Disabled)
Guest (S-1-5-21-3661324527-2278852709-3805750152-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-3661324527-2278852709-3805750152-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Malwarebytes version 3.7.1.2839 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.7.1.2839 - Malwarebytes)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24212 (HKLM-x32\...\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}) (Version: 14.0.24212.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24212 (HKLM-x32\...\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}) (Version: 14.0.24212.0 - Microsoft Corporation)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{C3ACFCEA-240F-4DCC-A0C3-DD55FEE6C3C2}) (Version: 2.58.0.0 - Microsoft Corporation)
Update for Windows 10 for x64-based Systems (KB4480730) (HKLM\...\{2E8B8BDD-03DF-4C1C-8C99-E6A4BCBF43CE}) (Version: 2.51.0.0 - Microsoft Corporation)
Vbsedit (HKU\S-1-5-21-3661324527-2278852709-3805750152-1001\...\Vbsedit) (Version: 9.0 - Adersoft)
Vbsedit 32-bit (HKU\S-1-5-21-3661324527-2278852709-3805750152-1001\...\Vbsedit 32-bit) (Version: 9.0 - Adersoft)
Vulkan Run Time Libraries 1.0.65.1 (HKLM\...\VulkanRT1.0.65.1) (Version: 1.0.65.1 - LunarG, Inc.) Hidden

Packages:
=========
Microsoft Access -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Access_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation) [MS Ad]
Microsoft Excel -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Excel_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Office Desktop Apps -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Outlook -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Outlook_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft PowerPoint -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.PowerPoint_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Publisher -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Publisher_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.3.4032.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Studios) [MS Ad]
Microsoft Word -> C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Word_16051.11629.20214.0_x86__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation)
MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_4.28.10351.0_x64__8wekyb3d8bbwe [2019-06-10] (Microsoft Corporation) [MS Ad]
Surface -> C:\Program Files\WindowsApps\Microsoft.SurfaceHub_30.604.136.0_x64__8wekyb3d8bbwe [2018-06-22] (Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{04CCE2FF-A7D3-11D0-B436-00A0244A1DD2}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{0BFCC060-8C1D-11D0-ACCD-00AA0060275C}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{170EC3FC-4E80-40AB-A85A-55900C7C70DE}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{26933B26-DA32-49FC-B31F-02BACE3A497D}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{438A9411-04DE-4E4D-A877-5503FAFBD670}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{59C73A9D-C7B7-49DD-B82E-F878995B784D}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{5DF9F974-7893-40C5-9535-48786FC80017}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{7F3187F8-8CED-4FA4-B683-FAEEA44A9F59}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{83B8BCA6-687C-11D0-A405-00AA0060275C}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{A74CA7D9-273A-45C5-8974-80F377486346}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{B6373EBD-8A98-401D-AA34-EAF6A12B841B}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{B8C460E5-F20D-44C7-95FC-5C7EF2C73D43}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{C0C3E1E2-9196-43DD-8FA9-1423641098C8}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{C5621364-87CC-4731-8947-929CAE75323E}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64/msdbg2.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{D04D550D-1EA8-4E37-830E-700FEA447688}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64//pdm.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64/pdmproxy100.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{E190FD96-334A-456F-8ECE-F4E2FF8EF635}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{E9B104E5-17AF-45B0-9D01-C7D05DB3DB2D}\localserver32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\stickynotes2.exe (Adersoft -> Adersoft)
CustomCLSID: HKU\S-1-5-21-3661324527-2278852709-3805750152-1001_Classes\CLSID\{F555F60C-0037-488E-B5FF-5BC2BF467ABC}\InprocServer32 -> C:\Users\AdminR&D\AppData\Local\Adersoft\Vbsedit\x64\Vbsedit64.dll (Adersoft -> Adersoft)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2019-01-27] (Notepad++ -> )
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-02-01] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-02-01] (Malwarebytes Corporation -> Malwarebytes)

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2018-04-11 16:38 - 2018-04-11 16:36 - 000000824 _____ C:\windows\system32\drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3661324527-2278852709-3805750152-1001\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\theme1\img13.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

If an entry is included in the fixlist, it will be removed.


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{B1B58784-E3D3-49CD-BD0B-2B045F32D799}] => (Allow) C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Outlook_16051.11629.20214.0_x86__8wekyb3d8bbwe\Office16\OUTLOOK.exe (Microsoft Corporation -> Microsoft Corporation)

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (06/10/2019 10:52:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WirelessPowerBackoffService.exe, version: 0.0.0.0, time stamp: 0x5b7cad51
Faulting module name: WirelessPowerBackoffService.exe, version: 0.0.0.0, time stamp: 0x5b7cad51
Exception code: 0xc0000005
Fault offset: 0x00001ca7
Faulting process id: 0x2580
Faulting application start time: 0x01d52019d3302779
Faulting application path: C:\windows\WirelessPowerBackoffService.exe
Faulting module path: C:\windows\WirelessPowerBackoffService.exe
Report Id: f349d201-8256-48c8-ae76-bf84e18e3895
Faulting package full name:
Faulting package-relative application ID:

Error: (06/10/2019 10:52:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Faulting module name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Exception code: 0xc0000409
Fault offset: 0x0000000000007fbd
Faulting process id: 0x4ac
Faulting application start time: 0x01d52019d4350271
Faulting application path: C:\Windows\wpcsc64.exe
Faulting module path: C:\Windows\wpcsc64.exe
Report Id: 27146bc5-654e-4d37-9629-af3131abc575
Faulting package full name:
Faulting package-relative application ID:

Error: (06/10/2019 10:50:52 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-74AI7HU$ via https://INTC-KeyId-6ca9df62a1aae23e...cb7.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(109ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Error: (06/10/2019 10:50:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Faulting module name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Exception code: 0xc0000409
Fault offset: 0x0000000000007fbd
Faulting process id: 0xfa4
Faulting application start time: 0x01d520198dedf4cf
Faulting application path: C:\Windows\wpcsc64.exe
Faulting module path: C:\Windows\wpcsc64.exe
Report Id: 90512264-b3b8-40ee-9372-7751057d8b0e
Faulting package full name:
Faulting package-relative application ID:

Error: (06/10/2019 02:23:14 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-74AI7HU$ via https://INTC-KeyId-6ca9df62a1aae23e...cb7.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(47ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Error: (06/10/2019 02:23:13 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-74AI7HU$ via https://INTC-KeyId-6ca9df62a1aae23e...cb7.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(31ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Error: (06/10/2019 02:22:43 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Faulting module name: wpcsc64.exe, version: 0.0.0.0, time stamp: 0x5a65b0b7
Exception code: 0xc0000409
Fault offset: 0x0000000000007fbd
Faulting process id: 0x116c
Faulting application start time: 0x01d51f6e0e928b19
Faulting application path: C:\Windows\wpcsc64.exe
Faulting module path: C:\Windows\wpcsc64.exe
Report Id: 8e24b9ea-9903-467a-b827-a960189d34ec
Faulting package full name:
Faulting package-relative application ID:

Error: (06/09/2019 04:40:55 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-74AI7HU$ via https://INTC-KeyId-6ca9df62a1aae23e...cb7.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(31ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)


System errors:
=============
Error: (06/11/2019 01:17:43 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/11/2019 01:17:43 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-74AI7HU)
Description: The server {D63B10C5-BB46-4990-A94F-E40B9D520160} did not register with DCOM within the required timeout.

Error: (06/11/2019 01:17:18 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/11/2019 01:17:18 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/10/2019 10:52:52 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
Windows.SecurityCenter.WscDataProtection
and APPID
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/10/2019 10:52:52 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
Windows.SecurityCenter.WscBrokerManager
and APPID
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/10/2019 10:52:19 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The WirelessPowerBackoffService service terminated unexpectedly. It has done this 1 time(s).

Error: (06/10/2019 10:51:10 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Windows Defender:
===================================
Date: 2019-06-08 23:20:19.087
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {B0C17F1B-17B1-4C2C-8E45-5B7EE2767CFA}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2019-06-08 23:12:59.435
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {41778DEB-5E19-47CE-9186-5FBBE2CE3AF6}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2019-06-08 22:57:08.540
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {CF5269CB-9B84-46D5-A09B-E60876A2F540}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2019-06-11 13:32:01.556
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.295.507.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16000.6
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2019-06-10 22:30:30.586
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.295.372.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16000.6
Error code: 0x80240016
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2019-06-10 02:32:58.027
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.295.372.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16000.6
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2019-06-10 02:11:10.324
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.295.372.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16000.6
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2019-06-09 04:30:17.636
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 0.0.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 0.0.0.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

CodeIntegrity:
===================================

Date: 2019-06-08 01:46:14.120
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume10\3z15z1zx.exe that did not meet the Enterprise signing level requirements.

Date: 2019-06-08 01:32:19.728
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume7\mytool.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

Date: 2019-06-08 01:32:19.722
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume7\mytool.exe that did not meet the Enterprise signing level requirements.

Date: 2019-06-08 01:29:34.629
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\cmd.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

Date: 2019-06-08 01:29:34.622
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\cmd.exe that did not meet the Enterprise signing level requirements.

Date: 2019-06-08 01:29:04.511
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume5\SanDiskSecureAccessV3.1_win.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

Date: 2019-06-08 01:29:04.351
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume5\SanDiskSecureAccessV3.1_win.exe that did not meet the Enterprise signing level requirements.

Date: 2019-06-07 23:40:44.712
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\cAVS\Intel(R) Audio Service\IntelAudioService.exe) attempted to load \Device\HarddiskVolume3\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\c0f904109c6cca7fed5aa1bfd91298bf\System.Configuration.ni.dll that did not meet the Enterprise signing level requirements or violated code integrity policy.

==================== Memory info ===========================

BIOS: Microsoft Corporation 1.0.14 12/12/2018
Motherboard: Microsoft Corporation Surface Go
Processor: Intel(R) Pentium(R) CPU 4415Y @ 1.60GHz
Percentage of memory in use: 51%
Total physical RAM: 4003.46 MB
Available physical RAM: 1948.73 MB
Total Virtual: 5411.46 MB
Available Virtual: 3390.58 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:56.86 GB) (Free:39.86 GB) NTFS

\\?\Volume{d7792c01-115d-44db-89d9-f6b6f947479f}\ (WinRE) (Fixed) (Total:1 GB) (Free:0.62 GB) NTFS
\\?\Volume{5e2124ed-50fb-477e-a103-06d3ee4eb3eb}\ (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.23 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 58.2 GB) (Disk ID: 1B888B57)

Partition: GPT.

==================== End of Addition.txt ============================



Sorry I tried to just attach the text files but the phone kept locking up.
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
System restore is useless, as is reset, as is using a VPN. The service I need to use a VPN RasMan will not run. Since the first encounter, I have not been able to get RasMan to run, and they've crippled system restore. It'll try to run, restart... And then after about an hour of waiting it comes back and says it failed. So I don't even bother anymore.

I hope this helps you find out something. I am patient and I appreciate any help. thanks you so much.
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Curious. Did you interpret the GMER data as well? I have a ton of Wireshark data as well. I appreciate your time. But if it's malware that's unknown it wouldn't show up would it? No.. it would not. It's not gonna tell you that some of my system install files have been replaced with ones that have been injected with malicious code that was just made a month ago , especially for my system.

I just don't know how they keep accessing my devices. I know I'm not losing my mind. I was almost 100% certain nothing would show up. But I had to try and let someone that really understands the logs check. I believe there is some back door in some application. Else they could not crack it in under a minute.. I'm sure you think I'm crazy, paranoid, lost my mind like everyone else. But there is some way they keep getting in. I'm gonna relax a bit now since you have confirmed the logs are clean. Once again thank you. I'd say once it gets bad I'd submit scan results again, but ik it's a one shot deal. You found nothing. Another score for the hackers.
This just makes me more sure that the world needs an antivirus that seeks out malicious code in files rather than comparing the code to definitions of know malware. I'm getting a bit fed up with opening the laptop and seeing that it's been on for hours, or seeing mass emails being sent, settings being changed, setting buttons grayed out so I cannot select things. System restore being rendered useless. This is another reason I have formated and reinstalled so much. I don't want my #####ing computer used as a tool for illegal endeavors. So when I see this kind of stuff, I have to start over. I should have waited till it was really in bad shape, but once it gets to that point it will not let me run any anti virus. . like I said. "possibly no help" . I'd hoped you guys could find something but these hackers are like ghosts. Literally. I know a good deal about computers and software dev, but next to nothing about antvirus , malware or hacking. This has lit a fire under my ass to learn and absorb every single byte of data I can about how they and the malware works. Again thank you.
 
TwinHeadedEagle

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Yes, GMER shows almost always shows some warning doesn't matter if it is malicious or not, that's how that tool works.
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
True. Thanks for the help THE... it seems no antivirus finds anything. The only one that will is Microsofts windows malicious software removal tool and it takes like 5 hours to run. I believe the antivirus software I've used has been rendered useless by the hackers. Btw. I gathered all my evidence yesterday, USB drives with complete copies of the computer from several installs, event logs, security logs and gigabytes of other data and turned it all over to my lawyer yesterday. I'm running Microsoft s tool now which I cannot download on my computer. I have to use another computer because mine simply will not complete the download. It's 3 hours in and has found 2 infections. Now true to form I guarantee that before the test is over it will stall and then go to the "there is no malicious software on your computer" screen. That's what it used to do. And it's found as many as 6. But that was like 5 installs back. Now it's on 2 infected files, and the progress bar is 1/4 through. I sure wish there was a way to stop it now and find out what it knows. Since I started using frst and the malware bytes software you recommend. It behaves very strangely. When I first used it it took some time to complete. Now, it takes about 2 minutes. I'm pretty sure y'all think I'm crazy. I'm used to it after dealing with this 6 month infiltration. But as I said. Finally I got enough evidence I believe to track them down. I've kept logs since day one. And at first they left some stuff behind namely a file in my iPhone I copied before they went back in and deleted it. The devices (ones I'm not using now of course ) and the software data is alll in the hands of the states forensics now. Then to the FBI if anything shows up. What is your take on this Microsoft tool? I've also noticed they have crippled defender. I just recently took a daring chance and upgraded windows to the latest 1903 vs online which left it wide open. But since then, defender will not do an offline scan, will not scan from the commandline and FRST and malware bytes for windows are useless. They literally run a scan that takes seconds to minutes and they are done. So, the MS tool has found 2 thus far but has a long ways to go. But it may not finish. Is there another high test industrial antivirus I can use to clean this computer up? I honestly do not want to format and reinstall again. But if I have to, I have to. Oh, I found a Malwarebytes product called chameleon. It consists of 13 buttons that run in a command window trying to download mbam.... none of them succeeded. Not a one. They would start a download and then terminate? From what I understand that may mean I have a very nasty piece of malware that will not let the antivirus, any if them run correctly. Even GMER. I had to rename it to get it to run. Another thing I noticed. When I go into the recovery portion, all the options are no longer there. For instance the command prompt is gone. I have no way of getting one from recovery and I believe this was done on purpose. Unless it has something to do with my MBR. My MBR was infected with "unknown" code. I tried to diskpart and format the partion, several different ways and I could not get rid of that code. Finally I used a tool that had the MBR code on board for several different OS's but not win10. So I used windows 7 and it worked fine. No boot problems, just the recovery screen is very limited now. Should I just format and start over? And is there a way I can scan the usb recovery drive I use to install Windows and make sure it's not a part of this vicious cycle?
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Just as I predicted. The windows malicious file removal tool after a total of 5 hours found 3 infected files. Then about 3/4 the way through. It pauses. All scanning stops and it goes directly to the "no malware found on your computer." Screen. This is driving me absolutely apeshit. I know you are not supposed to use more than one antivirus at a time. That is have more than one installed on the system. I have portable ones, FRST, GMER, a couple different rootkit scanners. But they're useless as far as I can tell. So I guess my main one would be defender. And the hackers I've been dealing with have a specialist in every OS made. They can access windows and grey out any box they don't want me to click . Malwarebytes for windows has never found anything and as I said above the behavior after my last definition update became very odd. Where a full scan would take about an hour to 2 hours, it now only takes less than 2 minutes. Any fool can tell you that, that ain't right. Someone or something has altered if not replaced the program with a fake one or probably a Trojan. Well if they did it's all been copied and sent to forensics. I have ran a few portable scanners. One called roguekiller I believe, well it found about 20 things wrong with my VBS editor so I deleted that. I also have or had I should say a copy of visual studio 6 installed on the windows 10 machine because I like using visual c++ and visual basic. It may be almost as dead as Latin but you can still write powerful apps with it even if they are only for your own use. It's from a CD that must be 20 years old and so scratched you have to run it 10 times before it's all said and done. And then there is the matter of installing it on win 10. (which took some major tweaking on a 64bit machine. I was actually going to write an installer that does it for you for others that wanna use it, but I digress). This I converted to an .iso which remained on one of my many USB drives because I cannot trust the cloud.. any cloud these days. And has been reinstalled many times. Now I have one resident AV installed and the others are all portable. The portable ones Began to find that the vb6.exe file was infected. This is what made me subscribe to the notion that somehow these hackers were, or had put a bot on my machine that would attack the executables on my USB drives. Seeing as they were my last line of defense and as often as they forced me to reinstall Windows, this way I could never get away. So I deleted it once and for all. Gone, gone, I'm more interested in python these days anyway. This is why I need to find a portable scanner that will scan my USB drives for anything funky. I mean why is it that you can only defend yourself against a virus that is already known? And so many antivirus programs are nothing more than open doors for hackers to walk right in anyway. Well I've got a machine that the windows tool has found 3 infected files on, but it's the only scanner that will and it quits before it had a chance to tell me what virii I'm dealing with. And for all I know my recovery files are corrupt so what's the point in formating and reinstalling again? It's a real no win situation. I just don't know enough about it to make the correct decision. After what I did yesterday I hope these hackers have packed up and left my corner of the world for good. If they knew my lawyer and the tenacity of the computer forensics they would, but one never knows, and from now until my Dying day, I will never approach any device I own without believing it has someone on the other end, or some bot, recording my every move.
 
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
if anyone has time. I know there is malware on this little box. trouble is whenever a scanner finds it it shuts down before the scan is over. I tried using microsofts surface attack analyzer and the same thing.. it wont even generate a cab file before it shuts down. No hurry. But if anyone wants to have a look these scans were done with the latest FRST an hour or so ago.
 

Attachments

  • Addition6-29.txt
    32.1 KB · Views: 555
  • FRST6-29.txt
    114 KB · Views: 398
  • Shortcut6-29.txt
    39.5 KB · Views: 375
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
How is it that Microsoft Windows malicious software removal tool is the only tool that finds infections? It takes it 6 hours but manages to find 3 on the hard Disk. And one on my recovery drive. But here's the clencher. It never finishes. After hours and hours of scanning. Finally it'll just pause and then bam.. no malicious software has been found on your computer? Is anybody out there? Is this the malware making it do this or what? I don't know what to do. I don't have any idea when the payload of any of these viruses goes off.... Idk if I should format and reinstall . Oh yeh, my recovery files have at least one infected file as well. I just spent about 6 hours upgrading to the very latest windows 10. I have no idea what to do, I know you guys already read some of my scans but TBH, the software I used was fooled. There are infections here and there always have been. I just wish someone could tell me how the hell I could get rid of these damn viruses! This is the only proof I have. The photo from my scan of my recovery drive. This was right before it paused.... And went to the "no malicious software found" page. The scan of my recovery drive shows one infection. And when I do a cmdline scan... Is this right? It just says starting scan.... For about a half hour and then it says Scan finished. That doesn't seem right. That's the "MpCmdrun.exe /scan /3 D:\" Windows defender cmdline scan. I've tried, Malwarebytes for windows, FRST, GMER, Immunet, Zonealarm, Avast, avira, avg, panda... Goddamn , you name it, I've scanned it. And the only one that shows results is the latest version of the MS windows malicious software removal tool. GMER is trying to tell me something. But I can't figure out what the hell it is. Please, any help is greatly appreciated. I am out of work at the moment and cannot afford to take the computer to a professional. All I've been able to do is submit many gigabytes of data to my lawyer to have it tested. Thank God I already paid his $20k retainer. However, most of that data is from past installs and it's unlikely to help me clean the system now. I'm sure the hackers are still breaking into my computer. They aren't going to be deterred by data being sent to a lab. I dont know if I should just format the computer and turn it off or what, but I am studying 2 different languages while I look for work and would hate to stop learning especially since I'm finally beginning to really get python. Any help is greatly appreciated. Please. Any help at all.
 

Attachments

  • IMG_20190630_115457620.jpg
    IMG_20190630_115457620.jpg
    3.5 MB · Views: 825
  • IMG_20190630_094343264.jpg
    IMG_20190630_094343264.jpg
    2.7 MB · Views: 808
F

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Maybe take a look at the spawn and ForgottenSeer 58943 suggestions and follow them to the letter? Like post 9 and 13?
malwaretips.com

Troubleshoot - My devices all hacked or being accessed by a Developer. All events by hacker logged in Event Viewer

I have been hacked on all my devices including Android tablet, Windows PC, iPhone, and Samsung Smart TV. They have hacked into my email accounts and all my bank and credit card accounts. I do not know what their motive is as they have not yet stolen anything that I know of. I may know who did...
malwaretips.com malwaretips.com
And if you found a virus in your backup don't use it. Sorry thats all the help I can provide. Good luck
 
  • HaHa
  • Like
Reactions: blackice and oldschool
D

Dcroft39

New Member
Thread author
Jun 9, 2019
25
I may need to post this elsewhere.. but I noticed this morning all these duplicate services running. You can stop them but can't disable and they have names like cbdhsvc_582f17... Wtf? They're all over the place and most aren't anything I think you must have. consentUXUserSvc_582f17. They're everywhere. And I can't find any info on the net about this. I've been able to delete some using SC... But most of them have other services with the same name just no extension. This morning the extension was different.. any idea what's up?
 
Status
Not open for further replies.

Similar threads

Moonhorse
    • Wow
    • Like
  • Locked
Question Weird site in f-secure blocked sites logs
Replies
14
Views
793
Malware Analysis
struppigel
struppigel
P
    • Wow
How do I stop hackers from hacking my cellphone?
Replies
9
Views
395
New Members Introduction
oldschool
oldschool
SamStam
    • Wow
    • Like
Serious Discussion General question about hacks
Replies
7
Views
600
General Security Discussions
Victor M
Victor M

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top