Inactive Multiple infection CoinMiner.BLF + Ramnit.A + Wacatac.C!ml + Occamy.CAC + DOS attack

Status: Not open for further replies.

janda

Hi, can someone help me with this?

It seems that the computer automatically tries to download viruses/trojans when it is online.

I also found in the router, under UPnP, a libtorrent/0.16 entry, so this computer is probably connected somewhere using libtorrent, but we did not install any torrent app on this device.

There have also been DOS attacks/attempts to log into SQL using the open SQL port (I know, our fault); now it is closed.
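An added triage script for the three symptoms in the post above (unsolicited downloads, the libtorrent/0.16 entry in the router's UPnP table, and login attempts against the exposed SQL port). It is example code written for this page, not anything the poster, the helper or a vendor supplied. It assumes the instance name POHODA and the event source MSSQL$POHODA that appear in the FRST log further down the thread, SQL Server on TCP 1433, and an elevated PowerShell session on the affected Windows Server 2019 host; it only reads and changes nothing.

```powershell
# Added triage script for the symptoms described in the post above; not code
# from the poster, the forum helper or any vendor. Assumptions (not stated in
# the post): instance name POHODA and event source MSSQL$POHODA come from the
# FRST log later in the thread, SQL listens on TCP 1433, and the script runs
# in an elevated PowerShell session on the affected Windows Server 2019 host.
param(
    [string]$InstanceName = 'POHODA',
    [int]$Days = 7
)

# 1. Listening TCP ports with the owning process. SQL Server bound to
#    0.0.0.0:1433 behind a router NAT rule is how the login attempts got in.
Write-Host '== Listening TCP ports =='
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort, LocalAddress -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $proc.ProcessName }
    } | Format-Table -AutoSize

# SQL Browser (sqlbrowser.exe in the FRST process list) answers on UDP 1434
# and tells anyone who asks which instances exist and on which ports.
Write-Host '== UDP 1434 (SQL Browser) =='
Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 2. Host firewall: closing the port on the router does nothing for traffic
#    from the LAN, so list inbound allow rules that still cover 1433/1434.
Write-Host '== Enabled inbound allow rules covering 1433 or 1434 =='
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        ($ports -contains '1433') -or ($ports -contains '1434')
    } | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 3. Failed SQL logins. SQL Server writes event 18456 ("Login failed for user")
#    to the Application log; the message carries the login name and client IP,
#    so grouping by both shows whether this was Internet, LAN or local traffic.
Write-Host "== Failed SQL logins in the last $Days days (top 20 login/source pairs) =="
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MSSQL$' + $InstanceName
    Id           = 18456
    StartTime    = (Get-Date).AddDays(-$Days)
}
$failed = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
Write-Host "total: $($failed.Count)"
$failed | ForEach-Object {
        $user = if ($_.Message -match "Login failed for user '([^']+)'") { $Matches[1] } else { '?' }
        $ip   = if ($_.Message -match '\[CLIENT: ([^\]]+)\]') { $Matches[1] } else { '?' }
        "$user from $ip"
    } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

# 4. Torrent-like behaviour. The router's UPnP table showed libtorrent/0.16:
#    look for a process holding many peer connections, then for a loaded
#    module with "torrent" in its name. Both are heuristics; a statically
#    linked libtorrent has no module name of its own.
Write-Host '== Top 5 processes by established TCP connections =='
Get-NetTCPConnection -State Established |
    Group-Object OwningProcess | Sort-Object Count -Descending |
    Select-Object -First 5 |
    ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Connections = $_.Count; Pid = $_.Name; Process = $proc.ProcessName; Path = $proc.Path }
    } | Format-Table -AutoSize

Write-Host "== Processes with a loaded module matching 'torrent' =="
Get-Process | ForEach-Object {
    try { $mods = $_.Modules } catch { return }   # protected processes throw; skip them
    if ($mods.ModuleName -match 'torrent') { $_ | Select-Object Id, ProcessName, Path }
} | Format-Table -AutoSize

# 5. The FRST log flags a policy restriction under the Windows Defender key.
#    Record what is there before anything removes it: a value such as
#    DisableAntiSpyware set by Group Policy is a different finding from a
#    value dropped there by malware.
Write-Host '== Windows Defender policy values =='
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $polKey) {
    @(Get-Item $polKey) + @(Get-ChildItem $polKey -Recurse) | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $key.GetValue($name) }
        }
    } | Format-Table -AutoSize
} else {
    Write-Host 'no Defender policy key present'
}
```

Run this before installing any further cleaners: the FRST log below shows ESET, Kaspersky, CCleaner, HitmanPro, Zemana and AdwCleaner all added on the same afternoon, and each one adds its own services, tasks and drivers to the log the helper has to read. The 18456 grouping is the part worth keeping: the source addresses tell you whether the attempts came through the router NAT rule, from another host on the LAN, or from the server itself, and the login names show whether anyone was guessing a specific account (for example sa) or spraying.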
 
Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==================================

Please observe the forum rules.
All logs have to be pasted, not attached.
I just need both FRST logs to be pasted.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-09-2020
Ran by Turtel437 (administrator) on POLOM (Dell Inc. PowerEdge T140) (09-09-2020 20:11:00)
Running from C:\Users\Turtel437\Downloads
Loaded Profiles: Turtel437 & Kubek & Admin & Administrator & SQLTELEMETRY$POHODA
Platform: Windows Server 2019 Essentials Version 1809 17763.1457 (X64) Language: English (United States)
Default browser not detected!
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() [File not signed] C:\Users\Turtel437\Documents\NextCom\PohodaConnector\PohodaConnectorService.exe
(Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(Dell Inc -> ) C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe
(Dell Inc -> Dell Technologies Inc.) C:\Program Files\Dell\DellDataVault\DDVCollectorSvcApi.exe
(Dell Inc -> Dell Technologies Inc.) C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
(Dell Inc -> Dell Technologies Inc.) C:\Program Files\Dell\DellDataVault\DDVRulesProcessor.exe
(Dell Inc. -> Dell Inc.) C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc. -> Dell Inc.) C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr64.exe
(Dell Inc. -> Dell Inc.) C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr64.exe
(Dell Inc. -> Dell Inc.) C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_connsvc64.exe
(Dell Technologies Inc. -> Apache Software Foundation) C:\Program Files\Dell\SupportAssist\bin\SupportAssistDataBaseService.exe
(Dell Technologies Inc. -> Apache Software Foundation) C:\Program Files\Dell\SupportAssist\bin\SupportAssistService.exe
(ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\egui.exe
(ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\eguiProxy.exe
(ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\ekrn.exe
(Ghisler Software GmbH -> Ghisler Software GmbH) C:\Program Files\totalcmd\TOTALCMD64.EXE
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <34>
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\sqlceip.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation -> Sysinternals - www.sysinternals.com) C:\Users\Turtel437\Desktop\ProcessExplorer\procexp64.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\silsvc.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smbhash.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\snmptrap.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\vds.exe
(PC-Doctor, Inc. -> PC-Doctor, Inc.) C:\Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist\6.0.7193.518\DSAPI.exe
(Piriform Software Ltd -> Piriform Software Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Piriform Software Ltd -> Piriform Software) C:\Program Files (x86)\CCleaner Browser\Update\1.8.1067.0\CCleanerBrowserCrashHandler.exe
(Piriform Software Ltd -> Piriform Software) C:\Program Files (x86)\CCleaner Browser\Update\1.8.1067.0\CCleanerBrowserCrashHandler64.exe
(Symantec Corporation -> Symantec Corporation) E:\Install\Antispyware\FxRamnit.exe
(ZHUHAI PANTUM ELECTRONICS CO.,LTD -> Zhuhai Pantum Electronics Co.,Ltd.) C:\Program Files\Pantum\ptm7100\PushScan\ptm7100PushMonitor.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [bacstray] => C:\Program Files\Broadcom\BACS\BacsTray.exe
HKLM\...\Run: [ptm7100Monitor] => C:\Program Files\Pantum\ptm7100\PushScan\ptm7100PushMonitor.exe [270008 2018-05-12] (ZHUHAI PANTUM ELECTRONICS CO.,LTD -> Zhuhai Pantum Electronics Co.,Ltd.)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Security\ecmds.exe [180464 2020-03-26] (ESET, spol. s r.o. -> ESET)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-736157781-1329237808-919620891-1002\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [29271224 2020-08-05] (Piriform Software Ltd -> Piriform Software Ltd)
HKU\S-1-5-21-736157781-1329237808-919620891-1002\...\MountPoints2: {b5fc4a3a-aaf9-11ea-a4fc-806e6f6e6963} - "O:\SETUP.EXE"
HKU\S-1-5-21-736157781-1329237808-919620891-500\...\MountPoints2: {9c36a9d9-a4b7-11ea-a4ec-806e6f6e6963} - "D:\setup.exe"
HKLM\...\Windows x64\Print Processors\Pantum M7100 PCL Processor: C:\Windows\System32\spool\prtprocs\x64\ptm7100PCL6pro.dll [86144 2018-05-13] (Microsoft Windows Hardware Compatibility Publisher -> Zhuhai Pantum Electronics Co.,Ltd.)
HKLM\...\Print\Monitors\Pantum M7100 Language Monitor: C:\Windows\system32\ptm7100PCL6lm.dll [74880 2018-05-13] (Microsoft Windows Hardware Compatibility Publisher -> Zhuhai Pantum Electronics Co.,Ltd.)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{052EB454-9F19-CB42-7875-807F79F311C4}] -> C:\Program Files (x86)\CCleaner Browser\Application\85.0.5675.86\Installer\chrmstp.exe [2020-09-09] (Piriform Software Ltd -> Piriform Software)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\85.0.4183.102\Installer\chrmstp.exe [2020-09-08] (Google LLC -> Google LLC)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2018-09-15] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2018-09-15] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2018-09-15] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2018-09-15] (Microsoft Windows -> Microsoft Corporation)
Lsa: [Notification Packages] rassfm scecli
BootExecute: autocheck autochk /q /v * sdnclean64.exe
GroupPolicy: Restriction ? <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {04C7A262-4BC9-4AC8-8FB8-80368048991F} - System32\Tasks\CCleaner Browser Heartbeat Task (Hourly) => C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe [2117368 2020-08-31] (Piriform Software Ltd -> Piriform Software)
Task: {06D77CFF-15A5-47C8-BCB7-F908FC8DA9D6} - System32\Tasks\Pohoda Export Aktualizacia => C:\ScriptPohoda\zasoby.bat [249 2020-07-23] () [File not signed]
Task: {10A0223B-4B42-422F-987B-D2ABD6D48EF9} - System32\Tasks\Microsoft\Windows\Network Controller\SDN Diagnostics Task => C:\Windows\System32\SDNDiagnosticsTask.exe [284672 2020-06-03] (Microsoft Windows -> Microsoft)
Task: {1C4B46F3-3049-4808-B32C-3E59389CCC58} - System32\Tasks\StormWare Office\Delete old Backup => D:\PohodaE1\Scripty\DeleteBAKs.bat [343 2020-06-16] () [File not signed]
Task: {21CB909F-17BE-4DB6-A917-EF367072AB23} - System32\Tasks\StormWare Office\Taskkill => D:\PohodaE1\Scripty\Taskkill\taskkill.bat [69 2020-06-16] () [File not signed]
Task: {3A77414A-B7D0-4E59-9884-B5A27CDABCDE} - System32\Tasks\Teamviewer-QS-updater-7sgjsbw => C:\Users\Turtel437\AppData\Local\TeamViewer\CustomConfigs\7sgjsbw\TeamViewer.exe
Task: {4128A354-0496-4CA5-B8CB-3D359A41CB3E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-06-16] (Google LLC -> Google LLC)
Task: {42C04F3A-2C9F-445B-A7F2-11BD9F65AC68} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistInstaller.exe [1045976 2020-07-06] (Dell Inc. -> Dell Inc.)
Task: {4FDDCF3F-2B68-44F7-836F-6A4ECB901FFF} - System32\Tasks\StormWare Office\mServer STOP => D:\PohodaE1\Scripty\mServerStop.bat [57 2020-06-16] () [File not signed]
Task: {50587138-D546-4885-A150-BA148B461951} - System32\Tasks\CCleanerUpdateTaskMachineUA => C:\Program Files (x86)\CCleaner Browser\Update\CCleanerBrowserUpdate.exe [200928 2020-09-09] (Piriform Software Ltd -> Piriform Software)
Task: {5E6FFD28-414B-4692-8CF3-1D89594592A9} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [94208 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
Task: {6ECF6B42-0F60-4AA7-9D74-3E2A4C512524} - System32\Tasks\Microsoft\Windows\Software Inventory Logging\Configuration => %systemroot%\system32\cmd.exe /d /c %systemroot%\system32\silcollector.cmd configure
Task: {70204D00-E296-4066-8A9D-3986791E4778} - System32\Tasks\CCleanerUpdateTaskMachineCore => C:\Program Files (x86)\CCleaner Browser\Update\CCleanerBrowserUpdate.exe [200928 2020-09-09] (Piriform Software Ltd -> Piriform Software)
Task: {7A745936-8C63-48F1-BA03-23A85476C520} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-06-16] (Google LLC -> Google LLC)
Task: {818DCB15-8C47-4FD7-9EC8-FB00DE1E4EFE} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1336400 2020-07-08] (Adobe Inc. -> Adobe Inc.)
Task: {8DBFB0DE-8291-430F-B96B-E8DE1A515DB4} - System32\Tasks\StormWare Office\Taskkill end => D:\PohodaE1\Scripty\Taskkill\taskkillEnd.bat [39 2020-06-16] () [File not signed]
Task: {93532071-8463-451C-B7C6-8BE0F4803CBF} - System32\Tasks\StormWare Office\Ekonomický systém POHODA - Automatická úloha číslo 2 {0D7B87F3-122F-4B70-86F2-CD26DCDB3003} => D:\PohodaE1\POHODA.EXE [457536 2020-06-14] (STORMWARE s.r.o. -> STORMWARE s.r.o.)
Task: {9A0A31E9-EE46-411B-8161-6ED475766745} - System32\Tasks\Microsoft\Windows\PLA\Server Manager Performance Monitor => %systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"
Task: {9A6F37B3-78A1-49D2-B31D-39F87AC4EB88} - System32\Tasks\StormWare Office\Ekonomický systém POHODA - Automatická úloha číslo 1 {0D7B87F3-122F-4B70-86F2-CD26DCDB3003} => D:\PohodaE1\POHODA.EXE [457536 2020-06-14] (STORMWARE s.r.o. -> STORMWARE s.r.o.)
Task: {AD561709-127E-403A-AED8-1211AB884A0C} - System32\Tasks\StormWare Office\Taskkill pohoda => D:\PohodaE1\Scripty\Taskkill\taskkillPohoda.bat [179 2020-06-16] () [File not signed]
Task: {AECF2AED-97EC-471D-85CD-54387D303071} - System32\Tasks\StormWare Office\mServer START => D:\PohodaE1\Scripty\mServerStart.bat [58 2020-06-16] () [File not signed]
Task: {B016173F-7BAC-46DC-9AEC-31B7A070D452} - System32\Tasks\Kaspersky Security for Windows Server OS Upgrade Detect => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security 10.1 for Windows Server\patch.exe
Task: {BF10CA90-7420-4CF9-A4A0-945DF166CE9B} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [24770744 2020-08-05] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {C280F809-52EE-41DF-93D5-C90FFFF36FD2} - System32\Tasks\Dochadza prenos zo snimaca => C:\IDKarta\IDWareLite\Compute.bat [25 2012-12-19] () [File not signed]
Task: {D2363B76-559C-4C9D-99D0-28F1A91DC97E} - System32\Tasks\CCleaner Browser Heartbeat Task (Logon) => C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe [2117368 2020-08-31] (Piriform Software Ltd -> Piriform Software)
Task: {EB8C0B56-2AB8-4EA9-BA40-75162DEEFDBC} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [686384 2020-08-05] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {EDEE2386-AB64-445D-93E8-74C9E1803648} - System32\Tasks\StormWare Office\Externe ulohy => D:\PohodaE1\Scripty\ExterneUlohy.bat [98 2020-08-04] () [File not signed]
Task: {F18F5E68-77A7-46E1-A701-BF6716337296} - System32\Tasks\Microsoft\Windows\Software Inventory Logging\Collection => %systemroot%\system32\cmd.exe /d /c %systemroot%\system32\silcollector.cmd publish
Task: {F35D943C-CFA9-46A7-B646-59377334AA6A} - System32\Tasks\Microsoft\Windows\Server Manager\CleanupOldPerfLogs => %systemroot%\system32\cscript.exe /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1) $(Arg2)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Teamviewer-QS-updater-7sgjsbw.job => C:\Users\Turtel437\AppData\Local\TeamViewer\CustomConfigs\7sgjsbw\TeamViewer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{8de3ab3e-69fd-4ad0-afeb-776b8a28c38c}: [NameServer] 192.168.35.1

Internet Explorer:
==================
HKU\S-1-5-21-736157781-1329237808-919620891-1002\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
HKU\S-1-5-21-736157781-1329237808-919620891-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm

FireFox:
========
FF Plugin-x32: @update.ccleanerbrowser.com/CCleaner Browser;version=3 -> C:\Program Files (x86)\CCleaner Browser\Update\1.8.1067.0\npCCleanerBrowserUpdate3.dll [2020-09-09] (Piriform Software Ltd -> Piriform Software)
FF Plugin-x32: @update.ccleanerbrowser.com/CCleaner Browser;version=9 -> C:\Program Files (x86)\CCleaner Browser\Update\1.8.1067.0\npCCleanerBrowserUpdate3.dll [2020-09-09] (Piriform Software Ltd -> Piriform Software)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2020-08-17] (Adobe Inc. -> Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\kl_prefs_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.js [2020-09-09] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files\mozilla firefox\kl_config_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.cfg [2020-09-09] <==== ATTENTION

Chrome:
=======
CHR Profile: C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default [2020-09-09]
CHR Extension: (Prezentácie) - C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2020-07-28]
CHR Extension: (Dokumenty) - C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2020-07-28]
CHR Extension: (Disk Google) - C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2020-07-28]
CHR Extension: (YouTube) - C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2020-07-28]
CHR Extension: (Tabuľky) - C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2020-07-28]
CHR Extension: (Dokumenty Google v režime offline) - C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2020-07-28]
CHR Extension: (Platby Internetového obchodu Chrome) - C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2020-07-28]
CHR Extension: (Gmail) - C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2020-07-28]
CHR Extension: (Chrome Media Router) - C:\Users\Turtel437\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-09-09]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

"silsvc" => service was unlocked. <==== ATTENTION

R2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [169544 2020-07-08] (Adobe Inc. -> Adobe Inc.)
S2 AntiRansom4; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Ransomware Tool for Business 4\anti_ransom.exe [233064 2020-05-28] (Kaspersky Lab -> AO Kaspersky Lab)
R2 AzureAttestService; C:\Program Files\Microsoft\AzureAttestService\AzureAttestService.dll [151288 2019-07-24] (Microsoft Windows -> Microsoft Corporation)
S2 ccleaner; C:\Program Files (x86)\CCleaner Browser\Update\CCleanerBrowserUpdate.exe [200928 2020-09-09] (Piriform Software Ltd -> Piriform Software)
S3 CCleanerBrowserElevationService; C:\Program Files (x86)\CCleaner Browser\Application\85.0.5675.86\elevation_service.exe [1343624 2020-08-31] (Piriform Software Ltd -> Piriform Software)
S3 ccleanerm; C:\Program Files (x86)\CCleaner Browser\Update\CCleanerBrowserUpdate.exe [200928 2020-09-09] (Piriform Software Ltd -> Piriform Software)
R2 dcevt64; C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr64.exe [549880 2019-12-25] (Dell Inc. -> Dell Inc.)
R2 dcstor64; C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr64.exe [713720 2019-12-25] (Dell Inc. -> Dell Inc.)
R2 DDVCollectorSvcApi; C:\Program Files\Dell\DellDataVault\DDVCollectorSvcApi.exe [284720 2020-06-10] (Dell Inc -> Dell Technologies Inc.)
R2 DDVDataCollector; C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe [3455536 2020-06-10] (Dell Inc -> Dell Technologies Inc.)
R2 DDVRulesProcessor; C:\Program Files\Dell\DellDataVault\DDVRulesProcessor.exe [294448 2020-06-10] (Dell Inc -> Dell Technologies Inc.)
R2 Dell Hardware Support; C:\Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist\6.0.7193.518\DSAPI.exe [965104 2020-07-27] (PC-Doctor, Inc. -> PC-Doctor, Inc.)
R2 DellClientManagementService; C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe [36544 2020-04-17] (Dell Inc -> )
R2 Dfs; C:\Windows\system32\dfssvc.exe [452608 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
S3 EHttpSrv; C:\Program Files\ESET\ESET Security\ehttpsrv.exe [56928 2020-03-26] (ESET, spol. s r.o. -> ESET)
R2 ekrn; C:\Program Files\ESET\ESET Security\ekrn.exe [2422600 2020-03-26] (ESET, spol. s r.o. -> ESET)
R3 ekrnEpfw; C:\Program Files\ESET\ESET Security\ekrn.exe [2422600 2020-03-26] (ESET, spol. s r.o. -> ESET)
S3 KPSSVC; C:\Windows\system32\kpssvc.dll [199168 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
R2 MSSQL$POHODA; C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\sqlservr.exe [623712 2020-03-14] (Microsoft Corporation -> Microsoft Corporation)
S4 omsad; C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc64.exe [67576 2019-12-25] (Dell Inc. -> Dell Inc.)
R2 PohodaConnectorService; C:\Users\Turtel437\Documents\NextCom\PohodaConnector\PohodaConnectorService.exe [9728 2020-07-23] () [File not signed]
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [96256 2020-09-09] (Microsoft Windows -> Microsoft Corporation)
S3 RSoPProv; C:\Windows\SysWOW64\RSoPProv.exe [81408 2020-09-09] (Microsoft Windows -> Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [16896 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [6115864 2020-09-09] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 Server Administrator; C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_connsvc64.exe [72696 2019-12-25] (Dell Inc. -> Dell Inc.)
R2 SmbHash; C:\Windows\System32\smbhash.exe [79360 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
S4 SQLAgent$POHODA; C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\SQLAGENT.EXE [725896 2020-03-14] (Microsoft Corporation -> Microsoft Corporation)
R2 SQLTELEMETRY$POHODA; C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\sqlceip.exe [283744 2020-03-14] (Microsoft Corporation -> Microsoft Corporation)
R2 SupportAssistAgent; C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [33240 2020-07-06] (Dell Inc. -> Dell Inc.)
R2 SupportAssistDataBaseService; C:\Program Files\Dell\SupportAssist\bin\SupportAssistDataBaseService.exe [115768 2020-04-02] (Dell Technologies Inc. -> Apache Software Foundation)
R2 SupportAssistService; C:\Program Files\Dell\SupportAssist\bin\SupportAssistService.exe [115768 2020-04-02] (Dell Technologies Inc. -> Apache Software Foundation)
R2 UALSVC; C:\Windows\System32\ualsvc.dll [262144 2019-09-07] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\NisSrv.exe [2343112 2020-09-02] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MsMpEng.exe [128360 2020-09-02] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 bfadfcoei; C:\Windows\System32\drivers\bfadfcoei.sys [2279440 2018-09-15] (Microsoft Windows -> QLogic Corporation)
S0 bfadi; C:\Windows\System32\drivers\bfadi.sys [2279224 2018-09-15] (Microsoft Windows -> QLogic Corporation)
S0 bxfcoe; C:\Windows\System32\drivers\bxfcoe.sys [209920 2018-09-15] (Microsoft Windows -> QLogic Corporation)
S0 bxois; C:\Windows\System32\drivers\bxois.sys [550928 2018-09-15] (Microsoft Windows -> QLogic Corporation)
R3 dcdbas; C:\Windows\System32\drivers\dcdbas64.sys [50824 2019-12-25] (Dell Inc. -> Dell Inc.)
R3 DDDriver; C:\Windows\System32\drivers\dddriver64Dcsa.sys [35208 2020-05-26] (Microsoft Windows Hardware Compatibility Publisher -> Dell Inc.)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [59392 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [148648 2020-03-26] (ESET, spol. s r.o. -> ESET)
S0 eelam; C:\Windows\System32\DRIVERS\eelam.sys [15800 2020-03-18] (Microsoft Windows Early Launch Anti-malware Publisher -> ESET)
R1 ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [192888 2020-03-26] (ESET, spol. s r.o. -> ESET)
S0 elxfcoe; C:\Windows\System32\drivers\elxfcoe.sys [758584 2018-09-15] (Microsoft Windows -> Emulex)
S0 elxstor; C:\Windows\System32\drivers\elxstor.sys [838672 2018-09-15] (Microsoft Windows -> Broadcom)
R1 epfw; C:\Windows\system32\DRIVERS\epfw.sys [84776 2020-03-26] (ESET, spol. s r.o. -> ESET)
R1 epfwwfp; C:\Windows\system32\DRIVERS\epfwwfp.sys [115976 2020-03-26] (ESET, spol. s r.o. -> ESET)
S3 IPsecGW; C:\Windows\System32\drivers\ipsecgw.sys [18944 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [656448 2019-12-15] (Kaspersky Lab -> AO Kaspersky Lab)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [92736 2019-12-27] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [172608 2019-12-21] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klflt; C:\Windows\system32\DRIVERS\klflt.sys [490560 2019-12-31] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klgse; C:\Windows\System32\DRIVERS\klgse.sys [562448 2019-12-26] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klhk; C:\Windows\system32\DRIVERS\klhk.sys [1099328 2019-12-20] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [79424 2019-12-21] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klwtp; C:\Windows\system32\DRIVERS\klwtp.sys [232512 2019-12-26] (Kaspersky Lab -> AO Kaspersky Lab)
S3 MsLbfoProvider; C:\Windows\System32\drivers\MsLbfoProvider.sys [128000 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
R3 mv91cons; C:\Windows\System32\drivers\mv91cons.sys [34056 2020-03-17] (Marvell Taiwan Ltd. -> Marvell Semiconductor Inc.)
R3 MxG2wDO64; C:\Windows\system32\DRIVERS\MxG2wDO64.sys [588000 2019-05-06] (MATROX GRAPHICS INC. -> Matrox Graphics Inc.)
R3 PeerDistKM; C:\Windows\System32\drivers\peerdistkm.sys [147456 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
S0 qebdrv; C:\Windows\System32\drivers\qevbda.sys [2128184 2018-09-15] (Microsoft Windows -> Cavium, Inc.)
S0 qefcoe; C:\Windows\System32\drivers\qefcoe.sys [269824 2018-09-15] (Microsoft Windows -> Cavium, Inc.)
S0 qeois; C:\Windows\System32\drivers\qeois.sys [654848 2018-09-15] (Microsoft Windows -> QLogic Corporation)
S0 ql2300i; C:\Windows\System32\drivers\ql2300i.sys [1632800 2018-09-15] (Microsoft Windows -> QLogic Corporation)
S0 ql40xx2i; C:\Windows\System32\drivers\ql40xx2i.sys [475648 2018-09-15] (Microsoft Windows -> QLogic Corporation)
S0 qlfcoei; C:\Windows\System32\drivers\qlfcoei.sys [1300488 2018-09-15] (Microsoft Windows -> QLogic Corporation)
R3 RasGre; C:\Windows\System32\drivers\rasgre.sys [49664 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
S4 RsFx0600; C:\Windows\System32\DRIVERS\RsFx0600.sys [286976 2019-09-24] (Microsoft Corporation -> Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [99128 2018-09-15] (Microsoft Windows -> Microsoft Corporation)
S3 WdBoot; C:\Windows\system32\drivers\wd\WdBoot.sys [48520 2020-09-02] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\wd\WdFilter.sys [428256 2020-09-02] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [69856 2020-09-02] (Microsoft Windows -> Microsoft Corporation)
R5 silsvc; <==== ATTENTION: Locked Service
S3 vwifibus; \SystemRoot\System32\drivers\vwifibus.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One month (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-09-09 20:11 - 2020-09-09 20:11 - 000027402 _____ C:\Users\Turtel437\Downloads\FRST.txt
2020-09-09 20:10 - 2020-09-09 20:11 - 000000000 ____D C:\FRST
2020-09-09 20:10 - 2020-09-09 20:10 - 002297344 _____ (Farbar) C:\Users\Turtel437\Downloads\FRST64.exe
2020-09-09 20:07 - 2020-09-09 20:07 - 000388608 _____ (Trend Micro Inc.) C:\Users\Turtel437\Downloads\HijackThis.exe
2020-09-09 19:49 - 2020-09-09 19:49 - 008414384 _____ (Malwarebytes) C:\Users\Turtel437\Downloads\adwcleaner_8.0.7(1).exe
2020-09-09 19:47 - 2020-09-09 19:47 - 012795472 _____ (Zemana Ltd. ) C:\Users\Turtel437\Downloads\AntiMalware_Setup.exe
2020-09-09 19:43 - 2020-09-09 19:46 - 000000000 ____D C:\ProgramData\HitmanPro
2020-09-09 19:42 - 2020-09-09 19:42 - 011429976 _____ (SurfRight B.V.) C:\Users\Turtel437\Downloads\HitmanPro_x64.exe
2020-09-09 19:40 - 2020-09-09 19:55 - 000000000 ____D C:\Users\Turtel437\Desktop\Staré údaje Firefoxu
2020-09-09 18:53 - 2020-09-09 18:53 - 000003936 _____ C:\Windows\system32\Tasks\CCleaner Update
2020-09-09 18:53 - 2020-09-09 18:53 - 000003842 _____ C:\Windows\system32\Tasks\CCleaner Browser Heartbeat Task (Hourly)
2020-09-09 18:53 - 2020-09-09 18:53 - 000003512 _____ C:\Windows\system32\Tasks\CCleanerUpdateTaskMachineUA
2020-09-09 18:53 - 2020-09-09 18:53 - 000003388 _____ C:\Windows\system32\Tasks\CCleanerUpdateTaskMachineCore
2020-09-09 18:53 - 2020-09-09 18:53 - 000003258 _____ C:\Windows\system32\Tasks\CCleaner Browser Heartbeat Task (Logon)
2020-09-09 18:53 - 2020-09-09 18:53 - 000002876 _____ C:\Windows\system32\Tasks\CCleanerSkipUAC
2020-09-09 18:53 - 2020-09-09 18:53 - 000002425 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner Browser.lnk
2020-09-09 18:53 - 2020-09-09 18:53 - 000002390 _____ C:\Users\Public\Desktop\CCleaner Browser.lnk
2020-09-09 18:53 - 2020-09-09 18:53 - 000002390 _____ C:\ProgramData\Desktop\CCleaner Browser.lnk
2020-09-09 18:53 - 2020-09-09 18:53 - 000000869 _____ C:\Users\Public\Desktop\CCleaner.lnk
2020-09-09 18:53 - 2020-09-09 18:53 - 000000869 _____ C:\ProgramData\Desktop\CCleaner.lnk
2020-09-09 18:53 - 2020-09-09 18:53 - 000000000 ____D C:\Users\Turtel437\AppData\Local\CCleaner Browser
2020-09-09 18:53 - 2020-09-09 18:53 - 000000000 ____D C:\ProgramData\CCleaner Browser
2020-09-09 18:53 - 2020-09-09 18:53 - 000000000 ____D C:\Program Files\CCleaner
2020-09-09 18:53 - 2020-09-09 18:53 - 000000000 ____D C:\Program Files (x86)\CCleaner Browser
2020-09-09 18:52 - 2020-09-09 18:52 - 027072192 _____ (Piriform Software Ltd) C:\Users\Turtel437\Downloads\ccsetup570(1).exe
2020-09-09 18:47 - 2020-09-09 18:47 - 000000085 _____ C:\Windows\wininit.ini
2020-09-09 18:42 - 2020-09-09 15:41 - 000454708 ____R C:\Windows\system32\Drivers\etc\hosts.20200909-184203.backup
2020-09-09 18:28 - 2020-09-09 18:55 - 000000000 ____D C:\Users\Turtel437\Desktop\ProcessExplorer
2020-09-09 17:40 - 2020-09-09 17:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2020-09-09 17:40 - 2020-09-09 17:40 - 000000000 ____D C:\ProgramData\ESET
2020-09-09 17:40 - 2020-09-09 17:40 - 000000000 ____D C:\Program Files\ESET
2020-09-09 17:38 - 2020-09-09 17:38 - 015265152 _____ (Kaspersky Lab ZAO) C:\Users\Turtel437\Downloads\kavremvr.exe
2020-09-09 17:34 - 2020-09-09 17:34 - 008761108 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2020-09-09 17:34 - 2020-09-09 17:34 - 000003672 _____ C:\Windows\system32\Tasks\Kaspersky Security for Windows Server OS Upgrade Detect
2020-09-09 17:34 - 2020-09-09 17:34 - 000000410 __RSH C:\ProgramData\ntuser.pol
2020-09-09 17:30 - 2020-09-09 17:30 - 000000000 ____D C:\ks4ws
2020-09-09 17:28 - 2020-09-09 17:30 - 296010896 _____ (Kaspersky Lab AO) C:\Users\Turtel437\Downloads\ks4ws_10.1.0.622_en.exe
2020-09-09 17:26 - 2020-09-09 17:26 - 002705752 _____ (Kaspersky) C:\Users\Turtel437\Downloads\kav21.1.15.500en_25392.exe
2020-09-09 17:26 - 2020-09-09 17:26 - 000000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
2020-09-09 17:25 - 2020-09-09 17:26 - 187052032 _____ C:\Users\Turtel437\Downloads\ees_nt64.msi
2020-09-09 17:25 - 2020-09-09 17:26 - 183697408 _____ C:\Users\Turtel437\Downloads\eea_nt64.msi
2020-09-09 17:23 - 2020-09-09 17:24 - 155643904 _____ C:\Users\Turtel437\Downloads\efsw_nt64.msi
2020-09-09 17:20 - 2020-09-09 17:20 - 059263072 _____ (ESET) C:\Users\Turtel437\Downloads\eis_nt64.exe
2020-09-09 17:19 - 2020-09-09 17:20 - 059263072 _____ (ESET) C:\Users\Turtel437\Downloads\essp_nt64.exe
2020-09-09 17:18 - 2020-09-09 17:18 - 006333736 _____ (ESET) C:\Users\Turtel437\Downloads\eset_internet_security_live_installer.exe
2020-09-09 17:17 - 2020-09-09 17:17 - 005504960 _____ (ESET) C:\Users\Turtel437\Downloads\eset_smart_security_premium_live_installer.exe
2020-09-09 15:41 - 2018-09-15 09:16 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts.20200909-154122.backup
2020-09-09 15:40 - 2020-09-09 15:40 - 027072192 _____ (Piriform Software Ltd) C:\Users\Turtel437\Downloads\ccsetup570.exe
2020-09-09 14:47 - 2020-09-09 14:47 - 000000000 ____D C:\Safer-Networking Ltd
2020-09-09 13:51 - 2020-09-09 13:51 - 000000000 ____D C:\Users\Admin\AppData\Local\mbam
2020-09-09 12:53 - 2020-09-09 13:43 - 000000221 _____ C:\Users\Admin\Desktop\virus-trojan.txt
2020-09-09 12:53 - 2020-09-09 13:43 - 000000000 ____D C:\Users\Admin\AppData\Roaming\PSpad
2020-09-09 11:46 - 2020-09-09 11:46 - 000000000 ____D C:\Users\Admin\AppData\Local\CrashDumps
2020-09-09 11:14 - 2020-09-09 11:14 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Kaspersky Anti-Ransomware Tool for Business
2020-09-09 01:15 - 2020-09-09 01:15 - 032925296 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecsRaw.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 031602032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsRaw.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 023470080 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 019035648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 013038080 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 012326400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 007873024 _____ (Microsoft Corporation) C:\Windows\system32\Chakra.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 006053888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakra.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 005617936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 005436712 _____ (Microsoft Corporation) C:\Windows\system32\mfcore.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 004876288 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 004694528 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 004628480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 004488192 _____ (Microsoft Corporation) C:\Windows\system32\xpsrchvw.exe
2020-09-09 01:15 - 2020-09-09 01:15 - 003918336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 003706880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 003638272 _____ (Microsoft Corporation) C:\Windows\system32\tellib.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 003550400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfcore.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 003442176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xpsrchvw.exe
2020-09-09 01:15 - 2020-09-09 01:15 - 002748776 _____ (Microsoft Corporation) C:\Windows\system32\mfmp4srcsnk.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 002500096 _____ (Microsoft Corporation) C:\Windows\system32\themecpl.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 002469440 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 002457600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\themecpl.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 002429552 _____ (Microsoft Corporation) C:\Windows\system32\WMVCORE.DLL
2020-09-09 01:15 - 2020-09-09 01:15 - 002323696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 002279824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 002273096 _____ (Microsoft Corporation) C:\Windows\system32\mfasfsrcsnk.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 002159944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVCORE.DLL
2020-09-09 01:15 - 2020-09-09 01:15 - 002086400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xpsservices.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 002004992 _____ (Microsoft Corporation) C:\Windows\system32\gpmgmt.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 001709576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfmp4srcsnk.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 001697792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpmgmt.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 001503232 _____ (Microsoft Corporation) C:\Windows\system32\wsecedit.dll
2020-09-09 01:15 - 2020-09-09 01:15 - 001473024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32full.dll



**** deleted

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-09-09 20:07 - 2020-06-12 08:03 - 000000000 ____D C:\Users\Turtel437\AppData\Local\VirtualStore
2020-09-09 20:05 - 2020-07-23 15:08 - 000000000 ____D C:\Users\Turtel437\AppData\Roaming\PohodaConnector
2020-09-09 20:05 - 2020-07-23 15:06 - 000000000 ____D C:\Users\Turtel437\Documents\NextCom
2020-09-09 20:02 - 2020-06-17 11:35 - 000000000 ____D C:\Users\Turtel437\AppData\Local\Google
2020-09-09 19:56 - 2020-08-05 16:47 - 000000000 ____D C:\Users\Turtel437\AppData\Roaming\Mozilla
2020-09-09 19:56 - 2020-08-05 16:47 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2020-09-09 19:55 - 2020-08-05 16:47 - 000000000 ____D C:\Users\Turtel437\AppData\LocalLow\Mozilla
2020-09-09 19:13 - 2020-06-12 10:40 - 000004152 _____ C:\Windows\system32\Tasks\User_Feed_Synchronization-{A86EB8C8-1BC5-4F53-B9F3-05EFBA1224B5}
2020-09-09 18:59 - 2018-09-15 09:19 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2020-09-09 18:55 - 2020-06-02 11:07 - 008710508 _____ C:\Windows\system32\PerfStringBackup.INI
2020-09-09 18:55 - 2019-09-28 20:26 - 000851944 _____ C:\Windows\system32\perfh010.dat
2020-09-09 18:55 - 2019-09-28 20:26 - 000186388 _____ C:\Windows\system32\perfc010.dat
2020-09-09 18:55 - 2019-09-28 20:14 - 000856160 _____ C:\Windows\system32\perfh015.dat
2020-09-09 18:55 - 2019-09-28 20:14 - 000192588 _____ C:\Windows\system32\perfc015.dat
2020-09-09 18:55 - 2019-09-27 19:29 - 000834080 _____ C:\Windows\system32\prfh0416.dat
2020-09-09 18:55 - 2019-09-27 19:29 - 000189246 _____ C:\Windows\system32\prfc0416.dat
2020-09-09 18:55 - 2019-09-27 19:17 - 000570082 _____ C:\Windows\system32\perfh011.dat
2020-09-09 18:55 - 2019-09-27 19:17 - 000173496 _____ C:\Windows\system32\perfc011.dat
2020-09-09 18:55 - 2019-09-27 19:05 - 000859194 _____ C:\Windows\system32\perfh00A.dat
2020-09-09 18:55 - 2019-09-27 19:05 - 000195802 _____ C:\Windows\system32\perfc00A.dat
2020-09-09 18:55 - 2019-09-27 18:53 - 000581156 _____ C:\Windows\system32\perfh012.dat
2020-09-09 18:55 - 2019-09-27 18:53 - 000173520 _____ C:\Windows\system32\perfc012.dat
2020-09-09 18:55 - 2019-09-27 18:40 - 000813174 _____ C:\Windows\system32\perfh007.dat
2020-09-09 18:55 - 2019-09-27 18:40 - 000190698 _____ C:\Windows\system32\perfc007.dat
2020-09-09 18:55 - 2019-09-27 18:28 - 000863100 _____ C:\Windows\system32\perfh00C.dat
2020-09-09 18:55 - 2019-09-27 18:28 - 000190200 _____ C:\Windows\system32\perfc00C.dat
2020-09-09 18:55 - 2018-09-15 09:17 - 000000000 ____D C:\Windows\INF
2020-09-09 18:53 - 2020-07-23 14:32 - 000000000 ____D C:\Temp
2020-09-09 18:53 - 2018-09-15 09:19 - 000000000 ____D C:\Windows\AppReadiness
2020-09-09 18:52 - 2018-09-15 09:19 - 000000000 ____D C:\Windows\Registration
2020-09-09 18:49 - 2020-06-02 10:58 - 000309512 _____ C:\Windows\system32\FNTCACHE.DAT
2020-09-09 18:49 - 2020-06-02 10:58 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2020-09-09 18:48 - 2018-09-15 08:09 - 000131072 _____ C:\Windows\system32\config\BBI
2020-09-09 18:48 - 2018-09-15 08:09 - 000032768 _____ C:\Windows\system32\config\ELAM
2020-09-09 17:40 - 2018-09-15 09:19 - 000000000 ___HD C:\Windows\ELAMBKUP
2020-09-09 17:34 - 2018-09-15 09:19 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2020-09-09 15:36 - 2020-08-05 18:17 - 000000000 ____D C:\Users\Admin\AppData\LocalLow\Mozilla
2020-09-09 14:48 - 2020-06-03 11:47 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2020-09-09 11:16 - 2020-08-05 16:25 - 000000000 ____D C:\Users\Admin\AppData\Local\D3DSCache
2020-09-09 11:14 - 2020-08-05 16:22 - 000000000 ___RD C:\Users\Admin\3D Objects
2020-09-09 11:14 - 2020-06-02 11:04 - 000000000 __RHD C:\Users\Public\AccountPictures
2020-09-09 07:57 - 2020-06-12 08:03 - 000000000 ___RD C:\Users\Turtel437\3D Objects
2020-09-09 01:52 - 2020-06-12 08:03 - 000000000 ____D C:\Users\Turtel437
2020-09-09 01:52 - 2018-09-15 09:19 - 000000000 ___SD C:\Windows\system32\DiagSvcs
2020-09-09 01:52 - 2018-09-15 09:19 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2020-09-09 01:52 - 2018-09-15 09:19 - 000000000 ____D C:\Windows\system32\oobe
2020-09-09 01:52 - 2018-09-15 09:19 - 000000000 ____D C:\Windows\ShellExperiences
2020-09-09 01:52 - 2018-09-15 09:19 - 000000000 ____D C:\Windows\PolicyDefinitions
2020-09-09 01:52 - 2018-09-15 09:19 - 000000000 ____D C:\Program Files\Windows Defender Advanced Threat Protection
2020-09-09 01:19 - 2018-09-15 09:06 - 000000000 ____D C:\Windows\CbsTemp
2020-09-09 01:18 - 2020-06-03 12:08 - 000000000 ____D C:\Windows\system32\MRT
2020-09-09 01:16 - 2020-06-03 12:08 - 129170736 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2020-09-09 01:14 - 2020-06-02 11:04 - 002867200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2020-09-09 01:12 - 2019-09-07 02:19 - 000725696 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2020-09-08 23:22 - 2020-06-16 22:16 - 000002267 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2020-09-08 23:22 - 2020-06-16 22:16 - 000002226 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2020-09-08 23:22 - 2020-06-16 22:16 - 000002226 _____ C:\ProgramData\Desktop\Google Chrome.lnk
2020-09-08 17:45 - 2020-07-13 10:59 - 000000000 ____D C:\Users\Kubek
2020-09-08 17:45 - 2020-06-02 11:04 - 000000000 ____D C:\Users\Administrator
2020-09-08 17:43 - 2018-09-15 09:19 - 000000000 ____D C:\Windows\SysWOW64\setup
2020-09-08 17:43 - 2018-09-15 09:19 - 000000000 ____D C:\Windows\system32\setup
2020-09-08 13:37 - 2020-06-16 22:15 - 000004152 _____ C:\Windows\system32\Tasks\User_Feed_Synchronization-{B71F05ED-0FE2-4E4E-9A7B-F46BCDD37A22}
2020-09-03 11:34 - 2020-08-05 16:22 - 000000000 ____D C:\Users\Admin\AppData\Local\Google
2020-09-03 10:08 - 2020-08-05 16:25 - 000004144 _____ C:\Windows\system32\Tasks\User_Feed_Synchronization-{22F4F209-B103-4F1A-9967-5871D7177EA3}
2020-09-02 16:35 - 2020-06-02 10:58 - 000000000 ____D C:\Windows\system32\Drivers\wd
2020-08-31 16:52 - 2020-08-05 16:22 - 000000000 ____D C:\Users\Admin\AppData\Local\VirtualStore
2020-08-23 11:00 - 2020-07-28 13:46 - 000002102 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2020-08-14 11:17 - 2020-07-28 13:46 - 000004562 _____ C:\Windows\system32\Tasks\Adobe Acrobat Update Task
2020-08-13 00:11 - 2020-06-11 17:17 - 000000000 ____D C:\Users\Stormware\AppData\Roaming\Adobe
2020-08-13 00:11 - 2020-06-11 17:17 - 000000000 ____D C:\Users\Stormware\AppData\Local\Packages
2020-08-13 00:03 - 2020-06-16 23:25 - 000000000 ____D C:\Windows\system32\Tasks\StormWare Office

==================== Files in the root of some directories ========

2020-07-27 17:49 - 2020-07-27 17:53 - 001713658 _____ () C:\Users\Turtel437\AppData\Roaming\SupportAssistEnterpriseInstaller.log
2020-07-08 16:33 - 2020-07-08 16:33 - 000000128 _____ () C:\Users\Turtel437\AppData\Roaming\winscp.rnd
2020-07-28 13:51 - 2020-07-28 13:51 - 000421180 _____ () C:\Users\Turtel437\AppData\Local\dd_vcredistMSI1B70.txt
2020-07-28 13:51 - 2020-07-28 13:51 - 000432666 _____ () C:\Users\Turtel437\AppData\Local\dd_vcredistMSI1B76.txt
2020-07-28 13:51 - 2020-07-28 13:51 - 000063474 _____ () C:\Users\Turtel437\AppData\Local\dd_vcredistUI1B70.txt
2020-07-28 13:51 - 2020-07-28 13:51 - 000063442 _____ () C:\Users\Turtel437\AppData\Local\dd_vcredistUI1B76.txt
2020-09-09 00:51 - 2020-09-09 00:51 - 000000036 _____ () C:\Users\Turtel437\AppData\Local\housecall.guid.cache

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2020-09-02 06:27
==================== End of FRST.txt ========================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 09-09-2020
Ran by Turtel437 (09-09-2020 20:11:40)
Running from C:\Users\Turtel437\Downloads
Windows Server 2019 Essentials Version 1809 17763.1457 (X64) (2020-06-02 09:03:54)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Admin (S-1-5-21-736157781-1329237808-919620891-1006 - Limited - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-736157781-1329237808-919620891-500 - Administrator - Disabled) => C:\Users\Administrator
DefaultAccount (S-1-5-21-736157781-1329237808-919620891-503 - Limited - Disabled)
Guest (S-1-5-21-736157781-1329237808-919620891-501 - Limited - Disabled)
Kubek (S-1-5-21-736157781-1329237808-919620891-1005 - Limited - Enabled) => C:\Users\Kubek
Stormware (S-1-5-21-736157781-1329237808-919620891-1001 - Administrator - Enabled) => C:\Users\Stormware
Turtel437 (S-1-5-21-736157781-1329237808-919620891-1002 - Administrator - Enabled) => C:\Users\Turtel437
WDAGUtilityAccount (S-1-5-21-736157781-1329237808-919620891-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC - Slovak (HKLM-x32\...\{AC76BA86-7AD7-1051-7B44-AC0F074E4100}) (Version: 20.012.20043 - Adobe Systems Incorporated)
Broadcom Drivers and Management Applications (HKLM\...\{4B3B7115-3942-4DCC-A8E4-42995C76D044}) (Version: 216.0.4.2 - Broadcom Corporation)
Browser for SQL Server 2019 (HKLM-x32\...\{5E366957-8D78-4BB5-A790-96F97A9766BD}) (Version: 15.0.2000.5 - Microsoft Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 5.70 - Piriform)
CCleaner Browser (HKLM-x32\...\CCleaner Browser) (Version: 85.0.5675.86 - Piriform Software)
CCleaner Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.8.1067.0 - Piriform Software) Hidden
Dell EMC OpenManage Systems Management Software (64-Bit) (HKLM\...\{EAD64C1A-88C0-43C9-874F-E49D2F7A2514}) (Version: 9.4.0 - Dell Inc.)
Dell EMC SupportAssist Enterprise (HKLM\...\{C91A5119-D1B4-437D-9502-E72EA9D8EA63}) (Version: 2.0.50.32 - Dell EMC)
DELL EMC System Update (HKLM\...\{A56F372D-1C13-4F2B-8D85-28B6EC0E2BB4}) (Version: 1.8.0 - Dell, Inc.)
Dell SupportAssist (HKLM\...\{57CBE96A-3AA5-4421-A87C-6C6C3B6C5ECA}) (Version: 3.6.0.97 - Dell Inc.)
Elcomm (HKLM-x32\...\Elcomm) (Version: - )
ESET File Security (HKLM\...\{1B437ACE-5403-45B0-AD06-1F259B9EC9B2}) (Version: 7.1.12010.0 - ESET, spol. s r.o.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 85.0.4183.102 - Google LLC)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.35.451 - Google LLC) Hidden
Hotfix 4033 for SQL Server 2019 (KB4548597) (64-bit) (HKLM\...\KB4548597) (Version: 15.0.4033.1 - Microsoft Corporation)
Integration Services (HKLM-x32\...\{51883D17-F2BD-4CBC-825E-867A13E1E3BB}) (Version: 15.0.2000.92 - Microsoft Corporation) Hidden
Intel(R) Chipset Device Software (HKLM-x32\...\{f3b1c211-1159-4262-bb97-84150cda9096}) (Version: 10.1.18243.8188 - Intel(R) Corporation)
Kaspersky Anti-Ransomware Tool for Business (HKLM-x32\...\{166AE239-F67B-45BA-A647-3B55A7EE5D1D}) (Version: 3.0.1.2058 - Kaspersky Lab)
Matrox Graphics Software (remove only) (HKLM-x32\...\Matrox Vista Driver Uninstaller) (Version: 4.4.1.3 - Matrox Graphics Inc.)
Microsoft Access database engine 2010 (English) (HKLM-x32\...\{90140000-00D1-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Help Viewer 2.3 (HKLM-x32\...\Microsoft Help Viewer 2.3) (Version: 2.3.28107 - Microsoft Corporation)
Microsoft ODBC Driver 17 for SQL Server (HKLM\...\{E36FFC78-D25E-4962-872B-9CE0E50E62CD}) (Version: 17.5.1.1 - Microsoft Corporation)
Microsoft OLE DB Driver for SQL Server (HKLM\...\{74A97B61-DE37-40DF-9E00-B302E5D3C4CE}) (Version: 18.3.0.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client (HKLM\...\{9D93D367-A2CC-4378-BD63-79EF3FE76C78}) (Version: 11.4.7462.6 - Microsoft Corporation)
Microsoft SQL Server 2019 (64-bit) (HKLM\...\Microsoft SQL Server SQL2019) (Version: - Microsoft Corporation)
Microsoft SQL Server 2019 Setup (English) (HKLM\...\{4DABAEE3-3EDB-4908-B7FB-6C0080708E4A}) (Version: 15.0.4033.1 - Microsoft Corporation)
Microsoft SQL Server 2019 T-SQL Language Service (HKLM\...\{31D27B41-A051-49D8-907A-62E0F4A2188C}) (Version: 15.0.2000.5 - Microsoft Corporation)
Microsoft SQL Server Management Studio - 18.5.1 (HKLM-x32\...\{819022b1-484d-41b2-8972-dbb375fd4f07}) (Version: 15.0.18333.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.16.27029 (HKLM-x32\...\{64ff2cb0-807c-4ee9-87ef-ec1b2ede0daf}) (Version: 14.16.27029.1 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.16.27029 (HKLM-x32\...\{f50edb7e-c25e-47b4-bc4f-7ec4a4d256b1}) (Version: 14.16.27029.1 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2017 (HKLM-x32\...\{f895a2f1-ae3f-4212-8af1-7fa1f8c212ea}) (Version: 15.0.27520 - Microsoft Corporation)
Microsoft VSS Writer for SQL Server 2019 (HKLM\...\{2C33F4D4-E9A5-4DE1-ACFE-3A13464E6703}) (Version: 15.0.2000.5 - Microsoft Corporation)
OpenOffice 4.1.7 (HKLM-x32\...\{0DF1E791-63F3-491F-BE56-3013DEDC03B9}) (Version: 4.17.9800 - Apache Software Foundation)
Pantum M7100DW Series (HKLM\...\Pantum M7100DW Series) (Version: 5.1.1.23 - Zhuhai Pantum Electronics Co.,Ltd.)
PSPad editor (HKLM-x32\...\PSPad editor_is1) (Version: 5.0.3.377 - Jan Fiala)
Python 3.7.7 (64-bit) (HKU\S-1-5-21-736157781-1329237808-919620891-1002\...\{6b043b92-4219-49e9-98cb-80558c6db697}) (Version: 3.7.7150.0 - Python Software Foundation)
Python 3.7.7 Core Interpreter (64-bit) (HKLM\...\{9BE0AC23-0551-4755-94A3-F4D377E3CF16}) (Version: 3.7.7150.0 - Python Software Foundation) Hidden
Python 3.7.7 Development Libraries (64-bit) (HKLM\...\{937814BD-E132-48AA-95BF-1DA243130C61}) (Version: 3.7.7150.0 - Python Software Foundation) Hidden
Python 3.7.7 Documentation (64-bit) (HKLM\...\{9EED2F05-DE91-4CE8-B562-AB64115D2CD5}) (Version: 3.7.7150.0 - Python Software Foundation) Hidden
Python 3.7.7 Executables (64-bit) (HKLM\...\{60776648-6B18-47AC-AAA3-0C0DCFC28F26}) (Version: 3.7.7150.0 - Python Software Foundation) Hidden
Python 3.7.7 pip Bootstrap (64-bit) (HKLM\...\{DE9BCC96-48C4-4275-A383-C49B3957A617}) (Version: 3.7.7150.0 - Python Software Foundation) Hidden
Python 3.7.7 Standard Library (64-bit) (HKLM\...\{5F12F065-8081-4D3A-B4B1-9A90953CE8CF}) (Version: 3.7.7150.0 - Python Software Foundation) Hidden
Python 3.7.7 Tcl/Tk Support (64-bit) (HKLM\...\{F21D9D7C-3E98-4CF3-B450-30F794588EA7}) (Version: 3.7.7150.0 - Python Software Foundation) Hidden
Python 3.7.7 Test Suite (64-bit) (HKLM\...\{40D70865-BA27-44B6-AA5C-2215098AEA50}) (Version: 3.7.7150.0 - Python Software Foundation) Hidden
Python 3.7.7 Utility Scripts (64-bit) (HKLM\...\{3B826D9B-4141-455E-967A-B0984088BC2E}) (Version: 3.7.7150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{06667732-CFB4-44B1-86AF-D7FDF9962B84}) (Version: 3.7.7008.0 - Python Software Foundation)
SQL Server 2019 Batch Parser (HKLM\...\{D459615B-83B0-408F-8F39-6CC07C277BA6}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Common Files (HKLM\...\{0FB552DD-543E-48E7-A6F4-2F8D82723C6A}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Common Files (HKLM\...\{5E4344C9-8B97-4ED9-8760-57E221C240F4}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Connection Info (HKLM\...\{99B940D5-1A49-4B6C-B26C-6A88B2C061CA}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Connection Info (HKLM\...\{FD730873-33D1-4D1F-9AE0-E259586F8827}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Database Engine Services (HKLM\...\{A60B3D8E-5311-4BF1-AF7A-D1AC15F9152E}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Database Engine Services (HKLM\...\{E3E84B2C-FCF6-469F-9FE7-5E8934DB69AD}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Database Engine Shared (HKLM\...\{619F0B6C-C802-422A-B4E5-294E61F68473}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Database Engine Shared (HKLM\...\{DE5B7937-D5B5-4157-BC30-BB87F021CFF0}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 DMF (HKLM\...\{814D5077-C93F-42E2-B875-717007C186B9}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 DMF (HKLM\...\{FC8DC283-4A85-467F-8D0E-2FE4606DCCA1}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Shared Management Objects (HKLM\...\{6213D6CB-D258-47A3-B1A0-EE1E5C080DCF}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Shared Management Objects (HKLM\...\{A8581199-F913-443B-B058-8E8BF317E71C}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Shared Management Objects Extensions (HKLM\...\{8DDAEBCA-4267-4E16-9FE0-D87F21D36891}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 Shared Management Objects Extensions (HKLM\...\{C7E6D4B7-CB10-4239-BA04-D9339B39D0BD}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 SQL Diagnostics (HKLM\...\{28ED6838-D8E5-454C-A813-12C5EB447CAB}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 XEvent (HKLM\...\{2129312E-5204-4F3A-9039-B6D34DBB00FB}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server 2019 XEvent (HKLM\...\{228C3DC2-695E-4FC7-87E4-6A9CE905DA9B}) (Version: 15.0.2000.5 - Microsoft Corporation) Hidden
SQL Server Management Studio (HKLM\...\{83660798-3DA3-4197-B48A-D2F6FC52CCF5}) (Version: 15.0.18333.0 - Microsoft Corporation) Hidden
SQL Server Management Studio (HKLM\...\{88B2AD79-69CF-486A-A778-BB4D1A1245BC}) (Version: 15.0.18333.0 - Microsoft Corporation) Hidden
SQL Server Management Studio for Analysis Services (HKLM\...\{716FFA4B-418E-461E-B49D-F18A7673B522}) (Version: 15.0.18333.0 - Microsoft Corporation) Hidden
SQL Server Management Studio for Reporting Services (HKLM\...\{5B1F6B58-4DC3-44CD-B9C7-AF7CD68A14C7}) (Version: 15.0.18333.0 - Microsoft Corporation) Hidden
SSMS Post Install Tasks (HKLM\...\{519E7EBD-C514-4104-B205-574E7E6039DE}) (Version: 15.0.18333.0 - Microsoft Corporation) Hidden
STORMWARE POHODA E1 SK Jazz (HKLM-x32\...\{0D7B87F3-122F-4B70-86F2-CD26DCDB3003}) (Version: 12500.192 - STORMWARE)
Total Commander 64-bit (Remove or Repair) (HKLM\...\Totalcmd64) (Version: 9.51 - Ghisler Software GmbH)
WinSCP 5.17.6 (HKLM-x32\...\winscp3_is1) (Version: 5.17.6 - Martin Prikryl)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers1: [ESET Security Shell] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2020-03-26] (ESET, spol. s r.o. -> ESET)
ContextMenuHandlers1: [WorkFolders] -> {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} => -> No File
ContextMenuHandlers2: [ESET Security Shell] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2020-03-26] (ESET, spol. s r.o. -> ESET)
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers4: [WorkFolders] -> {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers6: [ESET Security Shell] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2020-03-26] (ESET, spol. s r.o. -> ESET)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Turtel437\Desktop\zasoby.lnk -> C:\ScriptPohoda\zasoby.bat ()
ShortcutWithArgument: C:\Users\Public\Desktop\SupportAssist Enterprise.lnk -> C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation) -> /c "start hxxp://localhost:9099/SupportAssist/resx/login.jsp"

==================== Loaded Modules (Whitelisted) =============

2019-12-25 08:47 - 2019-12-25 08:47 - 000837144 _____ (Avago Technologies U.S. Inc -> Avago Technologies) [File not signed] C:\Program Files\Dell\SysMgt\sm\storelibir-3.dll
2019-12-25 08:47 - 2019-12-25 08:47 - 000790880 _____ (Avago Technologies U.S. Inc. -> Avago Technologies) [File not signed] C:\Program Files\Dell\SysMgt\sm\storelibit.dll
2019-12-25 08:47 - 2019-12-25 08:47 - 000314880 _____ (Avago Technologies) [File not signed] C:\Program Files\Dell\SysMgt\sm\storelib.dll
2014-11-10 02:25 - 2014-11-10 02:25 - 000816128 _____ (Broadcom Corporation) [File not signed] C:\Program Files\Dell\SysMgt\shared\bin\bmapia.dll
2020-09-09 18:49 - 2020-09-09 18:49 - 000198144 ____N (Java(TM) Native Access (JNA)) [File not signed] C:\Windows\Temp\jna--1929334599\jna168803032843688313.dll
2019-12-25 08:47 - 2019-12-25 08:47 - 000390304 _____ (LSI Corporation -> LSI Corporation) [File not signed] C:\Program Files\Dell\SysMgt\sm\storelibir.dll
2019-12-25 08:47 - 2019-12-25 08:47 - 000576160 _____ (LSI Corporation -> LSI Corporation) [File not signed] C:\Program Files\Dell\SysMgt\sm\storelibir-2.dll
2017-08-03 20:11 - 2017-08-03 20:11 - 000556544 _____ (QLogic Corporation) [File not signed] C:\Program Files\Dell\SysMgt\shared\bin\qlmapia.dll
2020-07-02 10:06 - 2020-07-02 10:06 - 001899008 _____ (SQLite Development Team) [File not signed] C:\Program Files\Dell\SupportAssistAgent\bin\x64\sqlite3.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer trusted/restricted ==========

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2018-09-15 09:16 - 2020-09-09 18:42 - 000000938 ____R C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-736157781-1329237808-919620891-1002\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
HKU\S-1-5-21-736157781-1329237808-919620891-1005\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
HKU\S-1-5-21-736157781-1329237808-919620891-1006\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
HKU\S-1-5-21-736157781-1329237808-919620891-500\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\theme1\img1.jpg
HKU\S-1-5-80-957441422-1458543631-4002447012-1271817580-1826578072\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
DNS Servers: 192.168.35.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SLBM-MUX-IN-TCP] => (Allow) %SystemRoot%\system32\MuxSvcHost.exe => No File
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) C:\Windows\system32\dllhost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [WindowsServerBackup-wbengine-In-TCP-NoScope] => (Allow) C:\Windows\system32\wbengine.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{E21871C2-BFC8-43F1-9B54-A187A576C181}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe => No File
FirewallRules: [{7F7D6A06-27FC-4784-BBB0-E3DA7E8A7D7B}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe => No File
FirewallRules: [{E8E0209E-DF19-4F44-83B5-3A7F89E60469}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe => No File
FirewallRules: [{7F38F334-E157-434F-884B-5E56328F1164}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe => No File
FirewallRules: [{E73F3F48-852C-4F26-B7C0-4CF2FB7A36F3}] => (Allow) D:\PohodaE1\Pohoda.exe (STORMWARE s.r.o. -> STORMWARE s.r.o.)
FirewallRules: [{A4443A75-B3B9-4A17-9B6C-D3F14D38D370}] => (Allow) D:\PohodaE1\Pohoda.exe (STORMWARE s.r.o. -> STORMWARE s.r.o.)
FirewallRules: [{C442893D-F717-425F-9301-51E73E537E09}] => (Allow) LPort=1433
FirewallRules: [{3CB8C16D-857E-42FA-922E-E0915F9D84AD}] => (Allow) LPort=1111
FirewallRules: [{75D06345-812A-4538-9211-9F3722319130}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)
FirewallRules: [{968D3C13-41FA-476C-BBD4-1360FAE84056}] => (Allow) LPort=1346
FirewallRules: [{D9CFAC0B-AD19-432D-8606-9D6FDAA87025}] => (Allow) LPort=1344
FirewallRules: [{11CC6867-D844-40AB-A7B5-8A8413046B01}] => (Allow) LPort=1345
FirewallRules: [{341C5469-69E3-47EE-B75D-13E383E7B776}] => (Allow) LPort=1347
FirewallRules: [{21BB7E91-1A1C-490D-89C2-045694B3ECBB}] => (Allow) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security 10.1 for Windows Server\kavfsgt.exe => No File
FirewallRules: [{9D950335-F3AE-4D27-8C09-7804DB37DF00}] => (Allow) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security 10.1 for Windows Server\kavfsgt.exe => No File
FirewallRules: [{2DDE56AC-8952-4F5E-AA3C-D74ACF0BDB53}] => (Allow) LPort=15000
FirewallRules: [{A9C3192D-28A8-4E49-AFF4-ABE9B8A1B305}] => (Allow) C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe (Piriform Software Ltd -> Piriform Software)

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:114.4 GB) (Free:69.32 GB) (61%)
Check "VSS" service


==================== Faulty Device Manager Devices ============

Name: Intel(R) USB 3.1 eXtensible Host Controller - 1.10 (Microsoft)
Description: USB xHCI Compliant Host Controller
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: Generic USB xHCI Host Controller
Service: USBXHCI
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.

Name: HL-DT-ST DVD+-RW GU90N
Description: CD-ROM Drive
Class Guid: {4d36e965-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard CD-ROM drives)
Service: cdrom
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.


==================== Event log errors: ========================

Application errors:
==================
Error: (09/09/2020 06:47:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDUpdate.exe, version: 2.8.68.100, time stamp: 0x5ea5e0d1
Faulting module name: hhctrl.ocx_unloaded, version: 10.0.17763.475, time stamp: 0x20226a0f
Exception code: 0xc0000005
Fault offset: 0x000262f4
Faulting process id: 0x1250
Faulting application start time: 0x01d686c8dae7c413
Faulting application path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Faulting module path: hhctrl.ocx
Report Id: 85ba0365-1929-459c-9da0-092ac8f75bdd
Faulting package full name:
Faulting package-relative application ID:

Error: (09/09/2020 06:47:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDUpdate.exe, version: 2.8.68.100, time stamp: 0x5ea5e0d1
Faulting module name: SDUpdate.exe, version: 2.8.68.100, time stamp: 0x5ea5e0d1
Exception code: 0xc0000005
Fault offset: 0x00005c92
Faulting process id: 0x1250
Faulting application start time: 0x01d686c8dae7c413
Faulting application path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Faulting module path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Report Id: 37dfb450-94df-44ff-93a7-af1869daa118
Faulting package full name:
Faulting package-relative application ID:

Error: (09/09/2020 06:47:08 PM) (Source: Spybot Auto Update) (EventID: 0) (User: )
Description: Event-ID 0

Error: (09/09/2020 06:40:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDUpdate.exe, version: 2.8.68.100, time stamp: 0x5ea5e0d1
Faulting module name: hhctrl.ocx_unloaded, version: 10.0.17763.475, time stamp: 0x20226a0f
Exception code: 0xc0000005
Fault offset: 0x000262f4
Faulting process id: 0x2360
Faulting application start time: 0x01d686c7e6c846d8
Faulting application path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Faulting module path: hhctrl.ocx
Report Id: 2f06bc65-3377-4424-92af-a551ea797f19
Faulting package full name:
Faulting package-relative application ID:

Error: (09/09/2020 06:40:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDUpdate.exe, version: 2.8.68.100, time stamp: 0x5ea5e0d1
Faulting module name: SDUpdate.exe, version: 2.8.68.100, time stamp: 0x5ea5e0d1
Exception code: 0xc0000005
Fault offset: 0x00005c92
Faulting process id: 0x2360
Faulting application start time: 0x01d686c7e6c846d8
Faulting application path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Faulting module path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Report Id: 10295d0b-bb92-477e-833c-2e61bd5a346c
Faulting package full name:
Faulting package-relative application ID:

Error: (09/09/2020 06:40:18 PM) (Source: Spybot Auto Update) (EventID: 0) (User: )
Description: Event-ID 0

Error: (09/09/2020 06:37:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDUpdate.exe, version: 2.8.68.100, time stamp: 0x5ea5e0d1
Faulting module name: hhctrl.ocx_unloaded, version: 10.0.17763.475, time stamp: 0x20226a0f
Exception code: 0xc0000005
Fault offset: 0x000262f4
Faulting process id: 0x2f34
Faulting application start time: 0x01d686c77546e7c8
Faulting application path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Faulting module path: hhctrl.ocx
Report Id: 7171c2f1-9f25-4f5f-8dee-ea5feebefca8
Faulting package full name:
Faulting package-relative application ID:

Error: (09/09/2020 06:37:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDUpdate.exe, version: 2.8.68.100, time stamp: 0x5ea5e0d1
Faulting module name: SDUpdate.exe, version: 2.8.68.100, time stamp: 0x5ea5e0d1
Exception code: 0xc0000005
Fault offset: 0x00005c92
Faulting process id: 0x2f34
Faulting application start time: 0x01d686c77546e7c8
Faulting application path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Faulting module path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Report Id: 02c49864-363c-48f3-a139-1e4a258bd899
Faulting package full name:
Faulting package-relative application ID:


System errors:
=============
Error: (09/09/2020 07:57:41 PM) (Source: DCOM) (EventID: 10016) (User: POLOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user POLOM\Turtel437 SID (S-1-5-21-736157781-1329237808-919620891-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2020 07:41:11 PM) (Source: DCOM) (EventID: 10016) (User: POLOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user POLOM\Turtel437 SID (S-1-5-21-736157781-1329237808-919620891-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2020 07:27:36 PM) (Source: DCOM) (EventID: 10016) (User: POLOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user POLOM\Turtel437 SID (S-1-5-21-736157781-1329237808-919620891-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2020 06:57:52 PM) (Source: DCOM) (EventID: 10016) (User: POLOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user POLOM\Turtel437 SID (S-1-5-21-736157781-1329237808-919620891-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2020 06:57:14 PM) (Source: DCOM) (EventID: 10016) (User: POLOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user POLOM\Turtel437 SID (S-1-5-21-736157781-1329237808-919620891-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2020 06:53:45 PM) (Source: DCOM) (EventID: 10016) (User: POLOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user POLOM\Turtel437 SID (S-1-5-21-736157781-1329237808-919620891-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2020 06:52:42 PM) (Source: HTTP) (EventID: 15005) (User: )
Description: Unable to bind to the underlying transport for [::]:5700. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.

Error: (09/09/2020 06:49:27 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The AntiRansom4 service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Windows Defender:
===================================
Date: 2020-09-09 17:33:37.551
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:MSIL/CoinMiner!MTB
ID: 2147763432
Severity: Severe
Category: Trojan
Path: file:_C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\DATA\SqlManagement\SqlManagement.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\sqlservr.exe
Signature Version: AV: 1.323.819.0, AS: 1.323.819.0, NIS: 1.323.819.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

Date: 2020-09-09 17:32:59.459
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:MSIL/CoinMiner!MTB
ID: 2147763432
Severity: Severe
Category: Trojan
Path: file:_C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\DATA\SqlManagement\SqlManagement.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\sqlservr.exe
Signature Version: AV: 1.323.819.0, AS: 1.323.819.0, NIS: 1.323.819.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

Date: 2020-09-09 17:32:37.218
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:MSIL/CoinMiner!MTB
ID: 2147763432
Severity: Severe
Category: Trojan
Path: file:_C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\DATA\SqlManagement\SqlManagement.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\sqlservr.exe
Signature Version: AV: 1.323.819.0, AS: 1.323.819.0, NIS: 1.323.819.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

Date: 2020-09-09 17:31:36.899
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:MSIL/CoinMiner!MTB
ID: 2147763432
Severity: Severe
Category: Trojan
Path: file:_C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\DATA\SqlManagement\SqlManagement.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\sqlservr.exe
Signature Version: AV: 1.323.819.0, AS: 1.323.819.0, NIS: 1.323.819.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

Date: 2020-09-09 17:30:59.165
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:MSIL/CoinMiner!MTB
ID: 2147763432
Severity: Severe
Category: Trojan
Path: file:_C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\DATA\SqlManagement\SqlManagement.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Program Files\Microsoft SQL Server\MSSQL15.POHODA\MSSQL\Binn\sqlservr.exe
Signature Version: AV: 1.323.819.0, AS: 1.323.819.0, NIS: 1.323.819.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

Date: 2020-09-09 12:15:37.355
Description:
Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
Name: Virus:VBS/Ramnit.gen!C
ID: 2147651565
Severity: Severe
Category: Virus
Path: containerfile:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA; file:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA->(GZip)->(UTF-8)
Detection Origin: Local machine
Detection Type: Generic
Detection Source: System
Process Name: Unknown
Action: Clean
Action Status: No additional actions required
Error Code: 0x8007065b
Error description: Function failed during execution.
Signature Version: AV: 1.323.780.0, AS: 1.323.780.0, NIS: 1.323.780.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

Date: 2020-09-09 12:07:31.312
Description:
Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
Name: Virus:VBS/Ramnit.gen!C
ID: 2147651565
Severity: Severe
Category: Virus
Path: containerfile:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA; file:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA->(GZip)->(UTF-8)
Detection Origin: Local machine
Detection Type: Generic
Detection Source: System
Process Name: Unknown
Action: Clean
Action Status: No additional actions required
Error Code: 0x8007065b
Error description: Function failed during execution.
Signature Version: AV: 1.323.780.0, AS: 1.323.780.0, NIS: 1.323.780.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

Date: 2020-09-09 11:57:04.425
Description:
Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
Name: Virus:VBS/Ramnit.gen!C
ID: 2147651565
Severity: Severe
Category: Virus
Path: containerfile:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA; file:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA->(GZip)->(UTF-8)
Detection Origin: Local machine
Detection Type: Generic
Detection Source: System
Process Name: Unknown
Action: Clean
Action Status: No additional actions required
Error Code: 0x8007065b
Error description: Function failed during execution.
Signature Version: AV: 1.323.780.0, AS: 1.323.780.0, NIS: 1.323.780.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

Date: 2020-09-09 11:56:39.428
Description:
Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
Name: Virus:VBS/Ramnit.gen!C
ID: 2147651565
Severity: Severe
Category: Virus
Path: containerfile:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA; file:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA->(GZip)->(UTF-8)
Detection Origin: Local machine
Detection Type: Generic
Detection Source: System
Process Name: Unknown
Action: Clean
Action Status: No additional actions required
Error Code: 0x8007065b
Error description: Function failed during execution.
Signature Version: AV: 1.323.780.0, AS: 1.323.780.0, NIS: 1.323.780.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

Date: 2020-09-09 11:56:00.603
Description:
Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
Name: Virus:VBS/Ramnit.gen!C
ID: 2147651565
Severity: Severe
Category: Virus
Path: containerfile:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA; file:_C:\Users\Turtel437\AppData\Local\Mozilla\Firefox\Profiles\i93fcehp.default-release\cache2\entries\12D1B97554026F7F055EB19389399BA680BC4DBA->(GZip)->(UTF-8)
Detection Origin: Local machine
Detection Type: Generic
Detection Source: User
Process Name: Unknown
Action: Clean
Action Status: No additional actions required
Error Code: 0x8007065b
Error description: Function failed during execution.
Signature Version: AV: 1.323.780.0, AS: 1.323.780.0, NIS: 1.323.780.0
Engine Version: AM: 1.1.17400.5, NIS: 1.1.17400.5

CodeIntegrity:
===================================

Date: 2020-09-09 19:52:27.462
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\ESET\ESET Security\ekrn.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\sqlncli11.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2020-09-09 19:22:27.452
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\ESET\ESET Security\ekrn.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\sqlncli11.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2020-09-09 18:52:27.439
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\ESET\ESET Security\ekrn.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\sqlncli11.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2020-09-09 18:49:28.032
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\ESET\ESET Security\ekrn.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\sqlncli11.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2020-09-09 18:43:27.729
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\ESET\ESET Security\ekrn.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\sqlncli11.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2020-09-09 18:13:27.720
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\ESET\ESET Security\ekrn.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\sqlncli11.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2020-09-09 17:47:57.835
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\klbackupdisk.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2020-09-09 17:47:57.834
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\kl1.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

BIOS: Dell Inc. 2.3.5 09/27/2018
Motherboard: Dell Inc. 00RG5V
Processor: Intel(R) Xeon(R) E-2134 CPU @ 3.50GHz
Percentage of memory in use: 66%
Total physical RAM: 16098.62 MB
Available physical RAM: 5381.8 MB
Total Virtual: 18530.62 MB
Available Virtual: 7911.63 MB

==================== Drives ================================

Drive c: (System) (Fixed) (Total:114.4 GB) (Free:69.32 GB) NTFS
Drive d: (DATA1) (Fixed) (Total:108.51 GB) (Free:75.71 GB) NTFS
Drive e: (DATA2) (Fixed) (Total:542.53 GB) (Free:509.11 GB) NTFS
Drive f: (DATA3) (Fixed) (Total:994.95 GB) (Free:994.69 GB) NTFS
Drive g: (DATA4) (Fixed) (Total:325.52 GB) (Free:325.32 GB) NTFS

\\?\Volume{43cf4b5f-976c-4b84-80f0-e847357b2d0d}\ (Recovery) (Fixed) (Total:0.49 GB) (Free:0.47 GB) NTFS
\\?\Volume{153c8ccc-4e61-4339-89c0-32a55d011914}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Protective MBR) (Size: 223.5 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 1 (Protective MBR) (Size: 1863 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt =======================

It seems in the Process Explorer app that the coinminer tries to run some command or connect somewhere using sqlservr.exe => sqlcmd.exe PID 1256 => conhost.exe 7564, and then ESET NOD / Microsoft antimalware blocks/deletes it.

But I can't find from where it is started/executed.

When Windows Task Manager - Processes is open, everything is fine because the trojan kills itself.
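The chain described above (sqlservr.exe spawning sqlcmd.exe, with the detected file sitting under the instance's own MSSQL\DATA directory) is what persistence inside SQL Server looks like: a launcher stored in the database engine itself rather than in a Run key or scheduled task, typically an Agent job, a startup procedure, a CLR assembly or xp_cmdshell driven from a brute-forced login, which fits the open port 1433 and the login attempts mentioned at the top of the thread. The read-only T-SQL triage below is an added example, not part of the original post or of any tool in this thread; it assumes only sysadmin access to the instance named in the FRST log (MSSQL15.POHODA) and uses standard catalog views, so it changes nothing on the server.

```sql
-- Added read-only triage script (not from the thread, FRST or Defender).
-- Run in SSMS or sqlcmd as sysadmin against the instance from the log
-- (MSSQL15.POHODA); nothing below modifies the server.
-- Goal: find the SQL-side launcher behind a child process of sqlservr.exe.

-- 1. Surface-area options that let T-SQL start OS processes.
--    value_in_use = 1 means the feature is switched on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures',
               N'clr enabled', N'Ad Hoc Distributed Queries',
               N'external scripts enabled');

-- 2. SQL Agent job steps. CmdExec / PowerShell subsystems, or T-SQL steps
--    that call xp_cmdshell / sp_OACreate or reference an .exe, are the
--    usual place a miner is re-launched from on a schedule.
SELECT j.name AS job_name, j.enabled, j.date_created, j.date_modified,
       s.step_id, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN (N'CmdExec', N'PowerShell')
   OR s.command LIKE N'%xp_cmdshell%'
   OR s.command LIKE N'%sp_OACreate%'
   OR s.command LIKE N'%.exe%'
ORDER BY j.date_modified DESC;

-- 3. Procedures flagged to auto-execute when the instance starts
--    (only procedures in master can carry this flag).
SELECT name, create_date, modify_date
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 4. Server-level triggers: fire on LOGON or DDL events and survive a
--    cleanup that only removes Agent jobs.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_triggers;

-- 5. User-defined CLR assemblies; UNSAFE_ACCESS can call arbitrary Win32.
SELECT name, permission_set_desc, create_date, modify_date
FROM master.sys.assemblies
WHERE is_user_defined = 1;

-- 6. Logins ordered by last change. After a brute-forced sa, attackers
--    commonly add a second login so the foothold outlives a password reset.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')      -- SQL login, Windows login, Windows group
  AND name NOT LIKE N'##%'         -- skip internal certificate-mapped logins
ORDER BY modify_date DESC;

-- 7. Evidence of the brute force in the current SQL error log
--    (log 0 = current, type 1 = engine log, filtered on 'Login failed').
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';
```

Read each result set with the timeline in mind: any job, trigger, startup procedure or login whose create/modify date lines up with the first Defender detection is the launcher to hand over to whoever is driving the cleanup. The script deliberately does not disable xp_cmdshell or drop anything, in keeping with the thread's rule of not applying changes outside the agreed steps; it only tells you where the re-launch is coming from, which is the question the post asks.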
Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2
  • Close all the running programs
  • Double-click on the downloaded setup.exe file to install the program.
  • Click on Start Scan button.
  • Click on another Start Scan button.
  • Wait until the Status box shows Scan Finished
  • Click on Remove Selected.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • Copies of all logfiles are saved to C:\AdwCleaner.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.
 