Solved: I've tried everything, I need help

Hello, and thanks in advance. I have been dealing with this attack for a while now, and it's not the first time. From prior knowledge I knew the only way to actually find out anything was to boot up using a partition application. My C: drive was switched to system reserve. X: was the boot, and another drive (it could have been a network) had no letter, just a person's avatar and name. Of course formatting was no help, and even with no network connection the files on my partition CD ended up corrupted. File dates changed to the same as the rest of the corrupt files, 07/12/15. I've always been able to fix my devices myself; I'm just really tired, for real. I scanned my PC with Farbar's scanner and was in the process of reading the tutorial on the proper way to write the fixit file, and I just decided to reach out to you guys for help, especially given that more than 10 of my devices have been infected. I just need to get 1 PC cleaned up and I should be able to take it from there. So I'm sending my files along with this request in the hopes that you guys can assist me.

Attachments

  • FRST.txt (11.6 KB)
  • Addition.txt (16.5 KB)

Broni

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=========================================

Please observe forum rules. All logs have to be pasted not attached.
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-12-2020
Ran by What (administrator) on DESKTOP-60I1NFR (HP HP 15 Notebook PC) (03-01-2021 20:34:12)
Running from C:\Users\What\Desktop
Loaded Profiles: What
Platform: Windows 10 Home Version 1909 18363.592 (X64) Language: English (United States)
Default browser: Edge
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe\WinStore.App.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\CredentialEnrollmentManager.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <3>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\MicrosoftEdgeCP.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\MicrosoftEdgeSH.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\SystemSettingsAdminFlows.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.590_none_5efc551459114cb9\TiWorker.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\Software\Microsoft\Active Setup\Installed Components: [{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}] -> C:\Program Files\BraveSoftware\Brave-Browser\Application\87.1.18.77\Installer\chrmstp.exe [2021-01-03] (Brave Software, Inc. -> Brave Software, Inc.)

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {8545A77D-3853-4015-B4BD-51A604ED7408} - System32\Tasks\BraveSoftwareUpdateTaskMachineUA => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [163528 2021-01-03] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {D44203F3-AE43-4381-B167-6938AC267161} - System32\Tasks\BraveSoftwareUpdateTaskMachineCore => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [163528 2021-01-03] (Brave Software, Inc. -> BraveSoftware Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{11acfaa8-31f7-4f3a-a94c-9fe30cc0fdb2}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Edge:
======
DownloadDir: C:\Users\What\Downloads

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 brave; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [163528 2021-01-03] (Brave Software, Inc. -> BraveSoftware Inc.)
S3 bravem; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [163528 2021-01-03] (Brave Software, Inc. -> BraveSoftware Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [4098056 2019-03-18] (Microsoft Corporation -> Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [113992 2019-03-18] (Microsoft Corporation -> Microsoft Corporation)
S3 WarpJITSvc; %SystemRoot%\System32\Windows.WARP.JITService.dll [X]

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [46472 2019-03-18] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [333784 2019-03-18] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [62432 2019-03-18] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-01-03 20:33 - 2021-01-03 20:35 - 000005202 _____ C:\Users\What\Desktop\FRST.txt
2021-01-03 20:32 - 2021-01-03 20:34 - 000000000 ____D C:\FRST
2021-01-03 20:28 - 2021-01-03 20:29 - 000001872 _____ C:\Users\What\Desktop\Rkill.txt
2021-01-03 20:28 - 2021-01-03 20:28 - 001802704 _____ (Bleeping Computer, LLC) C:\Users\What\Desktop\iExplore.exe
2021-01-03 20:27 - 2021-01-03 20:27 - 005054744 _____ (AO Kaspersky Lab) C:\Users\What\Desktop\tdsskiller.exe
2021-01-03 20:27 - 2021-01-03 20:27 - 002286592 _____ (Farbar) C:\Users\What\Desktop\FRST64.exe
2021-01-03 20:15 - 2021-01-03 20:15 - 000000000 _____ C:\Windows\start
2021-01-03 20:11 - 2021-01-03 20:12 - 000000000 _____ C:\Windows\system32\start
2021-01-03 19:56 - 2021-01-03 19:56 - 000002400 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brave.lnk
2021-01-03 19:56 - 2021-01-03 19:56 - 000002359 _____ C:\Users\Public\Desktop\Brave.lnk
2021-01-03 19:56 - 2021-01-03 19:56 - 000002359 _____ C:\ProgramData\Desktop\Brave.lnk
2021-01-03 19:56 - 2021-01-03 19:56 - 000000000 ____D C:\Program Files\BraveSoftware
2021-01-03 19:54 - 2021-01-03 19:54 - 000000000 ____D C:\Users\What\AppData\LocalLow\Temp
2021-01-03 19:53 - 2021-01-03 19:54 - 000230224 _____ C:\Users\What\Desktop\ml.pdf
2021-01-03 19:51 - 2021-01-03 19:56 - 000000000 ____D C:\Users\What\AppData\Local\BraveSoftware
2021-01-03 19:51 - 2021-01-03 19:51 - 000003438 _____ C:\Windows\system32\Tasks\BraveSoftwareUpdateTaskMachineUA
2021-01-03 19:51 - 2021-01-03 19:51 - 000003314 _____ C:\Windows\system32\Tasks\BraveSoftwareUpdateTaskMachineCore
2021-01-03 19:51 - 2021-01-03 19:51 - 000000000 ____D C:\Program Files (x86)\BraveSoftware
2021-01-03 19:49 - 2021-01-03 19:49 - 000000000 ___HD C:\Users\What\MicrosoftEdgeBackups
2021-01-03 16:13 - 2021-01-03 19:46 - 000000296 _____ C:\Users\What\Desktop\results.txt
2021-01-03 15:58 - 2021-01-03 15:58 - 000035379 _____ C:\Users\What\Desktop\2.txt
2021-01-03 15:58 - 2021-01-03 15:58 - 000035071 _____ C:\Users\What\Desktop\1.txt
2021-01-03 15:56 - 2021-01-03 15:57 - 000035071 _____ C:\Windows\system32\0
2021-01-03 15:56 - 2021-01-03 15:56 - 000031093 _____ C:\Users\What\Desktop\0.txt
2021-01-03 15:52 - 2021-01-03 19:54 - 000000000 ____D C:\Users\What\AppData\Local\PlaceholderTileLogoFolder
2021-01-03 14:12 - 2021-01-03 14:13 - 000000000 ____D C:\Users\What\AppData\Local\Comms
2021-01-03 14:12 - 2021-01-03 14:12 - 000000000 ____D C:\Windows\pss
2021-01-03 14:11 - 2021-01-03 14:22 - 000000000 ____D C:\Users\What\AppData\Local\D3DSCache
2021-01-03 14:10 - 2021-01-03 19:54 - 000000000 ____D C:\ProgramData\Packages
2021-01-03 13:51 - 2021-01-03 14:14 - 000225106 _____ C:\Windows\ntbtlog.txt
2021-01-03 13:51 - 2021-01-03 14:14 - 000000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2021-01-03 13:36 - 2021-01-03 19:48 - 000000000 ____D C:\Users\What\AppData\Local\MicrosoftEdge
2021-01-03 13:36 - 2021-01-03 13:36 - 000000000 ____D C:\ProgramData\Microsoft OneDrive
2021-01-03 13:35 - 2021-01-03 13:35 - 000001450 _____ C:\Users\What\Desktop\Microsoft Edge.lnk
2021-01-03 13:34 - 2021-01-03 19:54 - 000000000 ____D C:\Users\What\AppData\Local\Packages
2021-01-03 13:34 - 2021-01-03 14:28 - 000000000 __RHD C:\Users\Public\AccountPictures
2021-01-03 13:34 - 2021-01-03 14:28 - 000000000 ___RD C:\Users\What\3D Objects
2021-01-03 13:34 - 2021-01-03 13:34 - 000000000 ____D C:\Users\What\AppData\Roaming\Adobe
2021-01-03 13:34 - 2021-01-03 13:34 - 000000000 ____D C:\Users\What\AppData\Local\VirtualStore
2021-01-03 13:34 - 2021-01-03 13:34 - 000000000 ____D C:\Users\What\AppData\Local\Publishers
2021-01-03 13:34 - 2021-01-03 13:34 - 000000000 ____D C:\Users\What\AppData\Local\ConnectedDevicesPlatform
2021-01-03 13:33 - 2021-01-03 13:33 - 000000020 ___SH C:\Users\What\ntuser.ini
2021-01-03 13:32 - 2021-01-03 19:49 - 000000000 ____D C:\Users\What
2021-01-03 13:32 - 2019-03-18 20:46 - 000001105 _____ C:\Users\What\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2021-01-03 13:29 - 2021-01-03 14:20 - 000795992 _____ C:\Windows\system32\PerfStringBackup.INI
2021-01-03 13:27 - 2021-01-03 13:27 - 000000000 ____D C:\Windows\minidump
2021-01-03 13:25 - 2021-01-03 13:25 - 000000000 _SHDL C:\Documents and Settings
2021-01-03 13:17 - 2021-01-03 19:46 - 000000000 ____D C:\Windows\system32\SleepStudy
2021-01-03 13:17 - 2021-01-03 14:16 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2021-01-03 13:17 - 2021-01-03 13:17 - 000257824 _____ C:\Windows\system32\FNTCACHE.DAT
2021-01-03 13:17 - 2021-01-03 13:17 - 000000000 ____D C:\Windows\system32\Drivers\wd
2021-01-03 13:17 - 2021-01-03 13:17 - 000000000 ____D C:\Windows\ServiceProfiles
2021-01-03 13:16 - 2021-01-03 13:24 - 000000000 ____D C:\Windows\Panther

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-01-03 20:26 - 2019-03-18 20:52 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2021-01-03 20:05 - 2019-03-18 20:52 - 000000000 ____D C:\Windows\AppReadiness
2021-01-03 19:53 - 2019-03-18 20:52 - 000000000 ___HD C:\Program Files\WindowsApps
2021-01-03 19:50 - 2019-03-18 20:50 - 000000000 ____D C:\Windows\INF
2021-01-03 19:48 - 2019-03-18 20:52 - 000000000 ____D C:\ProgramData\USOPrivate
2021-01-03 15:18 - 2019-03-18 20:37 - 000000000 ____D C:\Windows\CbsTemp
2021-01-03 14:28 - 2019-03-18 20:52 - 000000000 __RSD C:\Windows\Media
2021-01-03 14:28 - 2019-03-18 20:52 - 000000000 __RHD C:\Users\Public\Libraries
2021-01-03 14:15 - 2019-03-18 20:37 - 000262144 _____ C:\Windows\system32\config\BBI
2021-01-03 13:29 - 2019-03-18 20:52 - 000000000 ____D C:\Windows\system32\WinBioDatabase
2021-01-03 13:28 - 2019-03-18 20:52 - 000000000 ____D C:\Windows\system32\spool
2021-01-03 13:28 - 2019-03-18 20:52 - 000000000 ____D C:\Windows\system32\FxsTmp
2021-01-03 13:28 - 2019-03-18 20:52 - 000000000 ____D C:\Windows\ServiceState
2021-01-03 13:19 - 2019-03-18 20:52 - 000000000 ___RD C:\Windows\PrintDialog
2021-01-03 13:19 - 2019-03-18 20:52 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2021-01-03 13:18 - 2019-03-18 20:37 - 000032768 _____ C:\Windows\system32\config\ELAM
2021-01-03 13:16 - 2019-03-18 20:49 - 000028672 _____ C:\Windows\system32\config\BCD-Template

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-12-2020
Ran by What (03-01-2021 20:36:38)
Running from C:\Users\What\Desktop
Windows 10 Home Version 1909 18363.592 (X64) (2021-01-03 21:27:50)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2552480816-4193987694-3828653751-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2552480816-4193987694-3828653751-503 - Limited - Disabled)
Guest (S-1-5-21-2552480816-4193987694-3828653751-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-2552480816-4193987694-3828653751-504 - Limited - Disabled)
What (S-1-5-21-2552480816-4193987694-3828653751-1001 - Administrator - Enabled) => C:\Users\What

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Brave (HKLM-x32\...\BraveSoftware Brave-Browser) (Version: 87.1.18.77 - Brave Software Inc)
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.101.0 - Google LLC) Hidden

Packages:
=========
Mail and Calendar -> C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11029.20108.0_x64__8wekyb3d8bbwe [2021-01-03] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe [2021-01-03] (Microsoft Corporation) [MS Ad]
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.2.11280.0_x86__8wekyb3d8bbwe [2021-01-03] (Microsoft Studios) [MS Ad]
MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe [2021-01-03] (Microsoft Corporation) [MS Ad]
Skype -> C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.35.152.0_x64__kzf8qxf38zg5c [2021-01-03] (Skype)
Spotify Music -> C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.148.625.0_x86__zpdnekdrzrea0 [2021-01-03] (Spotify AB) [Startup Task]
Your Phone -> C:\Program Files\WindowsApps\Microsoft.YourPhone_0.0.13313.0_x64__8wekyb3d8bbwe [2021-01-03] (Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

SearchScopes: HKU\S-1-5-21-2552480816-4193987694-3828653751-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-03-18 20:49 - 2019-03-18 20:49 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2552480816-4193987694-3828653751-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKLM\...\StartupApproved\Run: => "SecurityHealth"
HKU\S-1-5-21-2552480816-4193987694-3828653751-1001\...\StartupApproved\Run: => "OneDriveSetup"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{18D59B15-C6CF-4019-A8C8-4F26F5E0BB04}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.148.625.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{FEE1C9E4-F3B5-422A-BF43-9E80817D431B}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.148.625.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{A9B83B6E-1ADD-488B-BD04-58DFF6D82909}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.148.625.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{532D1A07-8891-49A9-9ADF-F10773DBF938}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.148.625.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{AF91F092-ED24-41D7-9527-4A2AFE30BD81}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.148.625.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{F5CA5393-1A40-4AFA-8138-F6EA9D422D60}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.148.625.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{5FC8ADEF-AB9E-4942-9E8B-4C4C09DA412E}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.148.625.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{01396921-B6D9-4BE9-A329-0440EB960F92}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.148.625.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{4208BA4D-929C-44F6-A873-0F22E6055A2D}] => (Allow) C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe (Brave Software, Inc. -> Brave Software, Inc.)

==================== Restore Points =========================

03-01-2021 15:57:13 Windows Update

==================== Faulty Device Manager Devices ============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Encryption/Decryption Controller
Description: PCI Encryption/Decryption Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Data Acquisition and Signal Processing Controller
Description: PCI Data Acquisition and Signal Processing Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: ========================

Application errors:
==================
Error: (01/03/2021 08:33:42 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST64.exe version 14.12.2020.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 18cc

Start Time: 01d6e2529d637c21

Termination Time: 4294967295

Application Path: C:\Users\What\Desktop\FRST64.exe

Report Id: 75a8f5d6-5f26-4e5c-865c-6fc8a58649b4

Faulting package full name:

Faulting package-relative application ID:

Hang type: Top level window is idle

Error: (01/03/2021 07:52:10 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program MicrosoftEdgeCP.exe version 11.0.18362.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 211c

Start Time: 01d6e24c9212c8b5

Termination Time: 119

Application Path: C:\Windows\System32\MicrosoftEdgeCP.exe

Report Id: 05161429-90d3-44df-870b-2b322f33d9ef

Faulting package full name: Microsoft.MicrosoftEdge_44.18362.449.0_neutral__8wekyb3d8bbwe

Faulting package-relative application ID: MicrosoftEdge

Hang type: Unknown

Error: (01/03/2021 03:51:15 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1003) (User: NT AUTHORITY)
Description: Certificate Services Client failed to invoke the Providers in response to event 256. Error code 2147942405.

Error: (01/03/2021 03:51:15 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1001) (User: NT AUTHORITY)
Description: Certificate Services Client failed to load Provider pautoenr.dll. Error code 5.

Error: (01/03/2021 02:17:06 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=0567073a-7d74-403b-b2d5-6b35da372d8d;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (01/03/2021 02:17:05 PM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=0567073a-7d74-403b-b2d5-6b35da372d8d

Error: (01/03/2021 02:17:05 PM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

Error: (01/03/2021 02:08:47 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=0567073a-7d74-403b-b2d5-6b35da372d8d;NotificationInterval=1440;Trigger=UserLogon;SessionId=1


System errors:
=============
Error: (01/03/2021 08:28:06 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.329.1647.0).

Error: (01/03/2021 08:26:55 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070005: Intel(R) Corporation - MEDIA - 5/10/2016 12:00:00 AM - 6.16.0.3197.

Error: (01/03/2021 08:00:55 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070005: Intel - DPTF - 5/13/2016 12:00:00 AM - 8.1.10608.329.

Error: (01/03/2021 07:57:58 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The WarpJITSvc service terminated with the following error:
The specified module could not be found.

Error: (01/03/2021 07:51:25 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070005: Intel - Other hardware - Intel(R) Celeron(R)/Pentium(R) SM Bus Controller - 2292.

Error: (01/03/2021 07:51:03 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070005: Intel - DPTF - 5/13/2016 12:00:00 AM - 8.1.10608.329.

Error: (01/03/2021 07:50:54 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070005: HP Inc. - HIDClass - 2.1.14.1.

Error: (01/03/2021 07:50:30 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070005: Intel - DPTF - 5/13/2016 12:00:00 AM - 8.1.10608.329.


Windows Defender:
===================================
Date: 2021-01-03 14:14:15.852
Description:
Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode
Reason: Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

Date: 2021-01-03 13:51:16.928
Description:
Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode
Reason: Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

==================== Memory info ===========================

BIOS: Insyde F.36 06/09/2017
Motherboard: HP 8175
Processor: Intel(R) Celeron(R) CPU N3060 @ 1.60GHz
Percentage of memory in use: 58%
Total physical RAM: 4001.62 MB
Available physical RAM: 1676.78 MB
Total Virtual: 5409.62 MB
Available Virtual: 3133.41 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.13 GB) (Free:442.06 GB) NTFS
Drive e: () (RAMDisk) (Total:465.13 GB) (Free:439.86 GB) NTFS

\\?\Volume{8d7c1787-cef4-49af-90ce-415b587cb27f}\ (Recovery) (Fixed) (Total:0.52 GB) (Free:0.08 GB) NTFS
\\?\Volume{3c146a7c-c095-4aa4-97da-1d423914e87b}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 5B397E14)

Partition: GPT.

==================== End of Addition.txt =======================

Broni

I don't see much so far...

Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2
  • Close all the running programs
  • Double click on downloaded setup.exe file to install the program.
  • Click on Start Scan button.
  • Click on another Start Scan button.
  • Wait until the Status box shows Scan Finished
  • Click on Remove Selected.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of all logfiles is saved to C:\AdwCleaner.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.
 
RogueKiller Anti-Malware V14.8.2.0 (x64) [Dec 28 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.18363) 64 bits
Started in : Normal mode
User : What [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20210103_083432, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2021/01/03 22:14:12 (Duration : 00:11:52)
Switches : -minimize

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/3/21
Scan Time: 10:36 PM
Log File: 38afbff2-4e57-11eb-9486-ace2d3621d04.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1130
Update Package Version: 1.0.35267
License: Trial

-System Information-
OS: Windows 10 (Build 18362.592)
CPU: x64
File System: NTFS
User: DESKTOP-60I1NFR\What

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 253039
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 4 min, 11 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

After running AdwCleaner, the PC went to a blue screen after restarting.
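The two reports above are plain text, so the values a helper actually looks at (threat count, whether the scan completed, whether the rootkit option was on, which RogueKiller sections carry a count) can be pulled out mechanically instead of read by eye. The following is an added example written for this thread; it is not code from the thread, from Malwarebytes or from Adlice. It assumes the `-Section-` and `Key: value` layout of the Malwarebytes report and the `¤¤¤ Name ¤¤¤` header layout of the RogueKiller report exactly as they appear in the logs posted above; the sample inputs are constructed in that style and are not the poster's verbatim logs.

```python
"""Parse Malwarebytes and RogueKiller text reports into fields for triage."""
import re

# Constructed sample in the layout of the Malwarebytes report above (not the thread's log).
MBAM_SAMPLE = """\
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/3/21
Scan Time: 10:36 PM

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 253039
Threats Detected: 0
Threats Quarantined: 0

-Scan Options-
Rootkits: Disabled

-Scan Details-
Process: 0
(No malicious items detected)

File: 0
(No malicious items detected)

(end)
"""

# Constructed sample in the layout of the RogueKiller section headers above.
RK_SAMPLE = """\
¤¤¤¤ Processes ¤¤¤¤

¤¤¤¤ Registry ¤¤¤¤

¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤
"""


def parse_mbam(text):
    """Return {section: {key: value}} for a Malwarebytes text report.

    Section headers look like '-Scan Summary-'; entries look like 'Key: value'.
    Only the first ':' splits a line, so 'Scan Time: 10:36 PM' keeps its value intact.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"-(.+)-", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current and ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def mbam_triage(text):
    """Summarise the fields a helper checks first: completion, counts, rootkit option."""
    sections = parse_mbam(text)
    summary = sections.get("Scan Summary", {})
    options = sections.get("Scan Options", {})
    return {
        "completed": summary.get("Result") == "Completed",
        "threats": int(summary.get("Threats Detected", "0")),
        "quarantined": int(summary.get("Threats Quarantined", "0")),
        # A clean result with this False means rootkit locations were never examined.
        "rootkit_scan": options.get("Rootkits", "").lower() == "enabled",
    }


def parse_roguekiller_sections(text):
    """Return {section_name: count or None} from RogueKiller '¤¤¤ Name ¤¤¤' headers.

    Only some headers carry a count (e.g. 'Antirootkit : 0'); the rest map to None.
    """
    result = {}
    for raw in text.splitlines():
        m = re.match(r"^¤+\s*(.*?)\s*¤+$", raw.strip())
        if not m:
            continue
        header = m.group(1)
        counted = re.match(r"^(.*?)\s*:\s*(\d+)", header)
        if counted:
            result[counted.group(1)] = int(counted.group(2))
        else:
            result[header] = None
    return result


if __name__ == "__main__":
    print(mbam_triage(MBAM_SAMPLE))
    print(parse_roguekiller_sections(RK_SAMPLE))
```

Run against the report posted above, `mbam_triage` returns zero threats with `rootkit_scan` False, which is the one caveat worth noting when reading a clean Malwarebytes result on a machine whose owner reports boot-level changes: the scan options show the rootkit check was disabled, so that result says nothing about what such a check would have found.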
 

Broni

Posts: 55,718   +501
I don't see anything malicious there.
I suggest new topic in Windows forum.
Good luck :)