Solved Gmer found rootkit activity

In the future do NOT checkmark any extra boxes. Run it as it is.

Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2
  • Close all the running programs
  • Double click on downloaded setup.exe file to install the program.
  • Click on Start Scan button.
  • Click on another Start Scan button.
  • Wait until the Status box shows Scan Finished
  • Click on Remove Selected.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of all logfiles is saved to C:\AdwCleaner.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.
 
RogueKiller V12.12.21.0 (x64) [Jun 11 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : kevca [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 06/20/2018 18:37:12 (Duration : 01:31:06)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 5 ¤¤¤
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities, Inc. -> Deleted
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities Inc -> Deleted
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities, Inc. -> Deleted
[VT.Unknown] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | RegRun WinBait : C:\WINDOWS\winbait.exe [7] -> Deleted
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SWDUMon (\SystemRoot\system32\DRIVERS\SWDUMon.sys) -> Deleted

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 4 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\SlimWare Utilities, Inc -> Deleted
[PUP.Gen1][File] C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads\0074D65ECDDEB264B2395FAFE29705DCB2000000001257A936.exe -> Deleted
[PUP.Gen1][Folder] C:\ProgramData\SlimWare Utilities, Inc\DriverApp\Downloads -> Deleted
[PUP.Gen1][Folder] C:\ProgramData\SlimWare Utilities, Inc\DriverApp -> Deleted
[PUP.Gen1][Folder] C:\Users\kevca\AppData\Local\Downloaded Installers -> Deleted
[PUP.Gen1][Folder] C:\Users\kevca\AppData\Local\Downloaded Installers\{BDFFBC5C-0414-4D59-8EF9-AC28884A8213} -> Deleted
[PUP.Gen1][Folder] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\ignores.dat -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Images\acer.png -> Deleted
[PUP.Gen1][Folder] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Images -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Logs\2018-06-19 06-30-40 0.log -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Logs\2018-06-19 07-03-14 0.log -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Logs\2018-06-19 08-38-16 0.log -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Logs\2018-06-19 09-19-10 0.log -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Logs\2018-06-19 11-21-42 0.log -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Logs\2018-06-19 11-56-24 0.log -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Logs\2018-06-19 13-52-41 0.log -> Deleted
[PUP.Gen1][Folder] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\Logs -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\rupdates.db -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\settings.db -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\supdates.db -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\SWDUMon.cat -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\SWDUMon.inf -> Deleted
[PUP.Gen1][File] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers\SWDUMon.sys -> Deleted
[PUP.Gen1][Folder] C:\Users\kevca\AppData\Local\SlimWare Utilities Inc\SlimDrivers -> Deleted
[PUP.Gen1][Folder] C:\ProgramData\SlimWare Utilities, Inc -> ERROR [3]

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 4756eb180319ec3e0f74e7ed532b3903
[BSP] 841e446e368d47e2870fff30ce4f4060 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 206848 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 468992 | Size: 936558 MB
3 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1918539776 | Size: 450 MB
4 - Basic data partition | Offset (sectors): 1919461376 | Size: 16632 MB
User = LL1 ... OK
User = LL2 ... OK
 
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/20/18
Scan Time: 8:23 PM
Log File: 5d589fd0-74e9-11e8-ac1b-a0d3c1273261.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5560
License: Trial

-System Information-
OS: Windows 10 (Build 16299.492)
CPU: x64
File System: NTFS
User: DESKTOP-3NEUN1F\kevca

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 270599
Threats Detected: 32
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 15 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)
 
# -------------------------------
# Malwarebytes AdwCleaner 7.1.1.0
# -------------------------------
# Build: 04-27-2018
# Database: 2018-04-24.1
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 06-20-2018
# Duration: 00:02:17
# OS: Windows 10 Pro
# Scanned: 40734
# Detected: 32


***** [ Services ] *****

PUP.Optional.SpyHunter SpyHunter 4 Service

***** [ Folders ] *****

PUP.Optional.Legacy C:\Users\All Users\Documents\Downloaded Installers
PUP.Optional.Legacy C:\Users\Public\Documents\Downloaded Installers
PUP.Optional.SlimCleanerPlus C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SlimDrivers
PUP.Optional.SlimCleanerPlus C:\Program Files (x86)\SlimDrivers
PUP.Optional.SpyHunter C:\Program Files\Enigma Software Group

***** [ Files ] *****

PUP.Optional.Legacy C:\Windows\System32\drivers\swdumon.sys
PUP.Optional.SlimCleanerPlus C:\Users\All Users\Desktop\SlimDrivers.lnk
PUP.Optional.SlimCleanerPlus C:\Users\Public\Desktop\SlimDrivers.lnk
PUP.Optional.SpyHunter C:\Windows\System32\drivers\EsgScanner.sys

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

PUP.Optional.SlimCleanerPlus C:\Windows\Tasks\SlimDrivers Startup.job
PUP.Optional.SlimCleanerPlus C:\Windows\System32\Tasks\SlimDrivers Startup
PUP.Optional.SpyHunter C:\Windows\System32\Tasks\SpyHunter4Startup

***** [ Registry ] *****

PUP.Optional.Legacy HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\952BA647474611149866C1269F6A0E36
PUP.Optional.Legacy HKLM\Software\Classes\Installer\Products\952BA647474611149866C1269F6A0E36
PUP.Optional.Legacy HKLM\Software\Classes\Installer\Features\952BA647474611149866C1269F6A0E36
PUP.Optional.Legacy HKLM\Software\Wow6432Node\Classes\TypeLib\{A5FF3EB5-BF62-4D59-84DF-DC518E46FCB3}
PUP.Optional.Legacy HKLM\Software\Classes\TypeLib\{A5FF3EB5-BF62-4D59-84DF-DC518E46FCB3}
PUP.Optional.Legacy HKLM\Software\Classes\CLSID\{6DC6EE87-F3BB-40EB-BCEE-12F7D6E3EEDF}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\Classes\AppID\{149622B2-F1C5-492D-BFDF-8E5ED85854A0}
PUP.Optional.Legacy HKLM\Software\Classes\AppID\{149622B2-F1C5-492D-BFDF-8E5ED85854A0}
PUP.Optional.Legacy HKLM\Software\Classes\CLSID\{959D527D-6C27-4879-A644-065526D6969C}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\Classes\AppID\{1BD47D21-01F4-4538-9290-39FD569A0F24}
PUP.Optional.Legacy HKLM\Software\Classes\AppID\{1BD47D21-01F4-4538-9290-39FD569A0F24}
PUP.Optional.SlimCleanerPlus HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{746AB259-6474-4111-8966-1C62F9A6E063}
PUP.Optional.SlimCleanerPlus HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1C556375-3076-4A2A-934D-81205DC52D2B}
PUP.Optional.SlimCleanerPlus HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SlimDrivers Startup
PUP.Optional.SpyHunter HKLM\Software\EnigmaSoftwareGroup
PUP.Optional.SpyHunter HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\SpyHunter4.exe
PUP.Optional.SpyHunter HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E403DCE7-8B8A-4FC9-B8FC-DDDCE1D18EE7}
PUP.Optional.SpyHunter HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SpyHunter4Startup

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

PUP.Optional.Legacy Ask

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S02].txt ##########
 
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/20/18
Scan Time: 8:23 PM
Log File: 5d589fd0-74e9-11e8-ac1b-a0d3c1273261.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5560
License: Trial

-System Information-
OS: Windows 10 (Build 16299.492)
CPU: x64
File System: NTFS
User: DESKTOP-3NEUN1F\kevca

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 270599
Threats Detected: 32
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 15 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 19
PUP.Optional.SlimCleanerPlus, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SLIMDRIVERS STARTUP, No Action By User, [1430], [334890],1.0.5560
PUP.Optional.SlimCleanerPlus, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1C556375-3076-4A2A-934D-81205DC52D2B}, No Action By User, [1430], [334890],1.0.5560
PUP.Optional.SlimCleanerPlus, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{1C556375-3076-4A2A-934D-81205DC52D2B}, No Action By User, [1430], [334890],1.0.5560
PUP.Optional.SlimCleanerPlus, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{746AB259-6474-4111-8966-1C62F9A6E063}, No Action By User, [1430], [396322],1.0.5560
PUP.Optional.SlimCleanerPlus, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{BDFFBC5C-0414-4D59-8EF9-AC28884A8213}, No Action By User, [1430], [335437],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\APPID\{149622B2-F1C5-492D-BFDF-8E5ED85854A0}, No Action By User, [2877], [335820],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{149622B2-F1C5-492D-BFDF-8E5ED85854A0}, No Action By User, [2877], [335820],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{149622B2-F1C5-492D-BFDF-8E5ED85854A0}, No Action By User, [2877], [335820],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{95F57E4A-1FFA-4814-9AEC-34D22DF3D8FA}, No Action By User, [2877], [335828],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{95F57E4A-1FFA-4814-9AEC-34D22DF3D8FA}, No Action By User, [2877], [335828],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\TYPELIB\{95F57E4A-1FFA-4814-9AEC-34D22DF3D8FA}, No Action By User, [2877], [335828],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\APPID\{1BD47D21-01F4-4538-9290-39FD569A0F24}, No Action By User, [2877], [335822],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{1BD47D21-01F4-4538-9290-39FD569A0F24}, No Action By User, [2877], [335822],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{1BD47D21-01F4-4538-9290-39FD569A0F24}, No Action By User, [2877], [335822],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\TYPELIB\{A5FF3EB5-BF62-4D59-84DF-DC518E46FCB3}, No Action By User, [2877], [335824],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{A5FF3EB5-BF62-4D59-84DF-DC518E46FCB3}, No Action By User, [2877], [335824],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{A5FF3EB5-BF62-4D59-84DF-DC518E46FCB3}, No Action By User, [2877], [335824],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\CLSID\{6DC6EE87-F3BB-40EB-BCEE-12F7D6E3EEDF}, No Action By User, [2877], [335836],1.0.5560
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\CLASSES\CLSID\{959D527D-6C27-4879-A644-065526D6969C}, No Action By User, [2877], [335833],1.0.5560

Registry Value: 2
PUP.Optional.SlimCleanerPlus, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{BDFFBC5C-0414-4D59-8EF9-AC28884A8213}|DISPLAYNAME, No Action By User, [1430], [335437],1.0.5560
PUP.Optional.SlimCleanerPlus, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1C556375-3076-4A2A-934D-81205DC52D2B}|PATH, No Action By User, [1430], [334915],1.0.5560

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.SlimCleanerPlus, C:\PROGRAM FILES (X86)\SLIMDRIVERS, No Action By User, [1430], [334846],1.0.5560
PUP.Optional.SlimCleanerPlus, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SLIMDRIVERS, No Action By User, [1430], [335035],1.0.5560

File: 9
PUP.Optional.DriverUpdate, C:\WINDOWS\System32\drivers\SWDUMon.sys, No Action By User, [2877], [448467],0.0.0
PUP.Optional.SlimCleanerPlus, C:\USERS\PUBLIC\DESKTOP\SLIMDRIVERS.LNK, No Action By User, [1430], [334854],1.0.5560
PUP.Optional.SlimCleanerPlus, C:\WINDOWS\SYSTEM32\TASKS\SLIMDRIVERS STARTUP, No Action By User, [1430], [334890],1.0.5560
PUP.Optional.SlimCleanerPlus, C:\WINDOWS\TASKS\SLIMDRIVERS STARTUP.JOB, No Action By User, [1430], [334888],1.0.5560
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER4.EXE, No Action By User, [5244], [433122],1.0.5560
PUP.Optional.SlimCleanerPlus, C:\Program Files (x86)\SlimDrivers\Open-Source Licenses.txt, No Action By User, [1430], [334846],1.0.5560
PUP.Optional.SlimCleanerPlus, C:\Program Files (x86)\SlimDrivers\UnifiedLogger.dll, No Action By User, [1430], [334846],1.0.5560
PUP.Optional.SlimCleanerPlus, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SlimDrivers\SlimDrivers Help.lnk, No Action By User, [1430], [335035],1.0.5560
PUP.Optional.SlimCleanerPlus, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SlimDrivers\SlimDrivers.lnk, No Action By User, [1430], [335035],1.0.5560

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 
Good :)

Create new restore point before proceeding with the next step....
How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"
NOTE. If you see the "This version requires you to completely exit the Anti Malware application" message, right-click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.
 
Malwarebytes Anti-Rootkit BETA 1.10.3.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 10.0.9200 Windows 10 x64

Account is Administrative

Internet Explorer version: 11.492.16299.0

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.996000 GHz
Memory total: 3957440512, free: 571797504

Downloaded database version: v2018.06.21.06
Downloaded database version: v2018.06.21.06
Downloaded database version: v2018.01.20.01
=======================================
Initializing...
Driver version: 4.3.0.15
------------ Kernel report ------------
06/21/2018 17:30:02
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\WppRecorder.sys
\SystemRoot\system32\drivers\SleepStudyHelper.sys
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\system32\drivers\mssecflt.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\amd_sata.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\amd_xata.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\System32\drivers\amdkmpfd.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\bam.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_9c1fb8f4db31c348\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\rt640x64.sys
\SystemRoot\System32\drivers\rtwlane.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\usbehci.sys
\SystemRoot\System32\drivers\USBPORT.SYS
\SystemRoot\System32\drivers\usbfilter.sys
\SystemRoot\System32\drivers\amdppm.sys
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\usbhub.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\LifeCamTrueColor.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\pikbd.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\pimou.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\system32\Drivers\RtsUer.sys
\SystemRoot\system32\DRIVERS\udfs.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_amd_sata.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\cldflt.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\System32\drivers\tunnel.sys
\??\C:\Users\kjh71leo\Downloads\cce_public_x64\cce_2.5.242177.201_x64\cce_x64\ccekrnl.dat
\SystemRoot\system32\drivers\wd\WdFilter.sys
\SystemRoot\system32\drivers\wd\WdNisDrv.sys
\SystemRoot\System32\DriverStore\FileRepository\c0328911.inf_amd64_a81756cbffedb936\B328940\atikmpag.sys
\SystemRoot\System32\DriverStore\FileRepository\c0328911.inf_amd64_a81756cbffedb936\B328940\atikmdag.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\AtihdWT6.sys
\SystemRoot\system32\drivers\wimmount.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\7312422C.sys
----------- End -----------
Done!

Scan started
Database versions:
main: v2018.06.21.06
rootkit: v2018.06.21.06
 
Re-run the Farbar Recovery Scan Tool (FRST/FRST64) you ran at the very beginning of this topic.

  • Double click to run it.
  • Make sure you checkmark the Addition.txt box.
  • Press the Scan button.
  • The scan will create two logs, FRST.txt and Addition.txt, in the same directory the tool is run from. Please copy and paste them into your reply.
 
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
main: v2018.06.21.06
rootkit: v2018.06.21.06

Windows 10 x64 NTFS
Internet Explorer 11.492.16299.0
kjh71leo :: DESKTOP-FD8AF8U [administrator]

6/21/2018 5:30:28 PM
mbar-log-2018-06-21 (17-30-28).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 176302
Time elapsed: 26 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by kjh71leo (21-06-2018 18:21:19)
Running from C:\Users\kjh71leo\Downloads
Windows 10 Pro Version 1709 16299.492 (X64) (2018-06-21 07:14:13)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3854661557-338783425-4161308871-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3854661557-338783425-4161308871-503 - Limited - Disabled)
Guest (S-1-5-21-3854661557-338783425-4161308871-501 - Limited - Disabled)
kjh71leo (S-1-5-21-3854661557-338783425-4161308871-1001 - Administrator - Enabled) => C:\Users\kjh71leo
WDAGUtilityAccount (S-1-5-21-3854661557-338783425-4161308871-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AMD Software (HKLM\...\AMD Catalyst Install Manager) (Version: 18.5.1 - Advanced Micro Devices, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 67.0.3396.87 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Microsoft OneDrive (HKU\S-1-5-21-3854661557-338783425-4161308871-1001\...\OneDriveSetup.exe) (Version: 18.065.0329.0002 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24123 (HKLM-x32\...\{2cbcedbb-f38c-48a3-a3e1-6c6fd821a7f4}) (Version: 14.0.24123.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24123 (HKLM-x32\...\{206898cc-4b41-4d98-ac28-9f9ae57f91fe}) (Version: 14.0.24123.0 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.8372 - Realtek Semiconductor Corp.)
VoodooShield version 4.28 (HKLM\...\{A8644328-A66F-490E-B8FA-901FF649189D}_is1) (Version: 4.28 - VoodooSoft, LLC)
Vulkan Run Time Libraries 1.1.70.0 (HKLM\...\VulkanRT1.1.70.0) (Version: 1.1.70.0 - LunarG, Inc.) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files\AMD\CNext\CNext\atiacm64.dll [2018-05-16] (Advanced Micro Devices, Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {22B9C179-BF7B-4931-B142-0AB66F74141B} - System32\Tasks\StartDVR => C:\Program Files\AMD\CNext\CNext\dvrcmd.exe [2018-05-16] (Advanced Micro Devices, Inc.)
Task: {3B65746D-496A-43ED-A02C-765A2D260F4C} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MpCmdRun.exe [2018-06-21] (Microsoft Corporation)
Task: {5795DEEC-9AA8-4B07-8000-799883EE8094} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-06-21] (Google Inc.)
Task: {61C271E7-56F7-44D1-8631-33834D485525} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MpCmdRun.exe [2018-06-21] (Microsoft Corporation)
Task: {8CF29635-BDC5-4491-BAA6-E88E7ACEA8D4} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [2018-05-30] (Realtek Semiconductor)
Task: {BF0B8C7B-F497-46B4-8E50-7FE1BF4503A2} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MpCmdRun.exe [2018-06-21] (Microsoft Corporation)
Task: {D325DDC4-8AAD-413C-BD25-1482ADBDF487} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-06-21] (Google Inc.)
Task: {E5CDF05B-F697-49F0-9BF8-FB4B6AD4CBDD} - System32\Tasks\StartCN => C:\Program Files\AMD\CNext\CNext\cncmd.exe [2018-05-16] (Advanced Micro Devices, Inc.)
Task: {EA27BDD1-11A6-4099-A187-E946FA9C7D7D} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MpCmdRun.exe [2018-06-21] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-09-29 09:41 - 2017-09-29 09:41 - 000184432 ____N () C:\Windows\SYSTEM32\inputhost.dll
2015-12-22 01:34 - 2018-05-22 10:54 - 000119672 _____ () C:\Windows\SYSTEM32\atidxx64.dll
2016-12-11 20:16 - 2018-06-21 10:31 - 000271280 _____ () C:\Users\kjh71leo\Downloads\cce_public_x64\cce_2.5.242177.201_x64\cce_x64\themes\CCE.THEME
2016-03-16 06:25 - 2018-06-21 10:31 - 000073912 _____ () C:\Users\kjh71leo\Downloads\cce_public_x64\cce_2.5.242177.201_x64\cce_x64\scanners\smart.cav
2018-06-13 09:52 - 2018-06-08 02:00 - 011044864 ____N () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-06-13 09:51 - 2018-06-08 01:56 - 001804288 ____N () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-06-21 03:28 - 2018-06-12 01:36 - 004608856 _____ () C:\Program Files (x86)\Google\Chrome\Application\67.0.3396.87\libglesv2.dll
2018-06-21 03:28 - 2018-06-12 01:36 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\67.0.3396.87\libegl.dll
2018-05-16 14:29 - 2018-05-16 14:29 - 000007680 _____ () C:\Program Files (x86)\AMD\Performance Profile Client\AUEPLauncher.exe
2018-05-16 14:29 - 2018-05-16 14:29 - 000082432 _____ () C:\Program Files (x86)\AMD\Performance Profile Client\AUEPMaster.exe
2018-05-16 14:29 - 2018-05-16 14:29 - 000011264 _____ () C:\Program Files (x86)\AMD\Performance Profile Client\AUEPUF.exe
2018-05-16 14:29 - 2018-05-16 14:29 - 000062976 _____ () C:\Program Files (x86)\AMD\Performance Profile Client\AUEPDU.exe
2018-04-24 22:12 - 2018-04-24 22:12 - 000015360 _____ () C:\Program Files\AMD\CNext\CNext\libEGL.DLL
2018-04-24 22:12 - 2018-04-24 22:12 - 002519040 _____ () C:\Program Files\AMD\CNext\CNext\libGLESv2.dll
2018-06-21 04:01 - 2018-06-21 04:04 - 001280176 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.9330.20915.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Word.dll
2018-06-21 18:04 - 2018-04-11 07:59 - 000053584 _____ () C:\Program Files\VoodooShield\VoodooShield.API.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2018-06-21 06:29 - 2018-06-21 06:24 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3854661557-338783425-4161308871-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{4F88EC8E-5D0A-498D-A685-ACAD27FF9868}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

21-06-2018 10:32:16 Windows Update
21-06-2018 17:26:47 june 21/2018

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (06/21/2018 11:15:16 AM) (Source: Perflib) (EventID: 1023) (User: )
Description: Windows cannot load the extensible counter DLL rdyboost. The first four bytes (DWORD) of the Data section contains the Windows error code.

Error: (06/21/2018 10:38:09 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (06/21/2018 03:22:43 AM) (Source: ESENT) (EventID: 522) (User: )
Description: ShellExperienceHost (7448,P,0) TILEREPOSITORYS-1-5-21-3854661557-338783425-4161308871-1001: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).

Error: (06/21/2018 03:22:43 AM) (Source: ESENT) (EventID: 522) (User: )
Description: ShellExperienceHost (7448,P,0) TILEREPOSITORYS-1-5-21-3854661557-338783425-4161308871-1001: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).

Error: (06/21/2018 03:22:43 AM) (Source: ESENT) (EventID: 522) (User: )
Description: ShellExperienceHost (7448,P,0) TILEREPOSITORYS-1-5-21-3854661557-338783425-4161308871-1001: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).

Error: (06/21/2018 03:22:43 AM) (Source: ESENT) (EventID: 522) (User: )
Description: ShellExperienceHost (7448,P,0) TILEREPOSITORYS-1-5-21-3854661557-338783425-4161308871-1001: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).

Error: (06/21/2018 03:22:43 AM) (Source: ESENT) (EventID: 522) (User: )
Description: ShellExperienceHost (7448,P,0) TILEREPOSITORYS-1-5-21-3854661557-338783425-4161308871-1001: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).

Error: (06/21/2018 03:22:43 AM) (Source: ESENT) (EventID: 522) (User: )
Description: ShellExperienceHost (7448,P,0) TILEREPOSITORYS-1-5-21-3854661557-338783425-4161308871-1001: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).


System errors:
=============
Error: (06/21/2018 04:57:01 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-FD8AF8U)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
and APPID
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
to the user DESKTOP-FD8AF8U\kjh71leo SID (S-1-5-21-3854661557-338783425-4161308871-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ContentDeliveryManager_10.0.16299.15_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-350187224-1905355452-1037786396-3028148496-2624191407-3283318427-1255436723). This security permission can be modified using the Component Services administrative tool.

Error: (06/21/2018 03:13:28 PM) (Source: WinRM) (EventID: 10142) (User: )
Description: The WinRM service cannot migrate the listener with Address * and Transport HTTP. A listener that has the same Address and Transport configuration already exists.

Error: (06/21/2018 11:14:49 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The AMD User Experience Program Launcher service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (06/21/2018 11:13:10 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-FD8AF8U)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user DESKTOP-FD8AF8U\kjh71leo SID (S-1-5-21-3854661557-338783425-4161308871-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/21/2018 10:55:21 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-FD8AF8U)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
and APPID
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
to the user DESKTOP-FD8AF8U\kjh71leo SID (S-1-5-21-3854661557-338783425-4161308871-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ContentDeliveryManager_10.0.16299.15_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-350187224-1905355452-1037786396-3028148496-2624191407-3283318427-1255436723). This security permission can be modified using the Component Services administrative tool.

Error: (06/21/2018 10:27:16 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/21/2018 10:26:13 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-FD8AF8U)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user DESKTOP-FD8AF8U\kjh71leo SID (S-1-5-21-3854661557-338783425-4161308871-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/21/2018 10:25:12 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Windows Defender:
===================================
Date: 2018-06-21 12:00:52.265
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {C63D0622-AD3B-4379-8A76-8F9FDA55C7A4}
Scan Type: Antimalware
Scan Parameters: Full Scan

Date: 2018-06-21 11:33:19.785
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {EB991F59-074D-4E2E-A1B8-471A26A07F61}
Scan Type: Antimalware
Scan Parameters: Full Scan

==================== Memory info ===========================

Processor: AMD A8-6410 APU with AMD Radeon R5 Graphics
Percentage of memory in use: 89%
Total physical RAM: 3774.11 MB
Available physical RAM: 407.55 MB
Total Virtual: 7644.95 MB
Available Virtual: 1106.6 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:914.61 GB) (Free:862.12 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (HP_RECOVERY) (Fixed) (Total:16.24 GB) (Free:16.19 GB) NTFS
Drive e: (GSP1RMCPRFREO_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF

\\?\Volume{d449f8e8-43a8-49d2-bf73-88cf82d4038b}\ (SYSTEM) (Fixed) (Total:0.09 GB) (Free:0.04 GB) FAT32
\\?\Volume{fd99637c-da41-451f-8c7b-c3bf61abaed9}\ () (Fixed) (Total:0.44 GB) (Free:0.05 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: F9B5B31A)

Partition: GPT.

==================== End of Addition.txt ============================