Inactive-A Please analyze my FRST64 logs


carlosartur
Hello all,

Can somebody please help analyze my frst.log and addition.log? I've followed the first 2 steps of Malware cleaner (scanned with ESET and Malwarebytes).

Any help would be greatly appreciated!
 

Attachments: FRST.txt (43.3 KB), Addition.txt (38.7 KB)
1. Please follow forum rules. All logs have to be pasted in, not attached.
2. I need to know what the problems are.
 
Hello,
Here is the frst.txt
The problem I am having is there is a program repeatedly altering my startup settings (ESET notification), and I can't quite pin down the source or the changes being made. Any help would be greatly appreciated.
 
How do I get around the 10,000 character posting limit? I can't even post ~9,000 characters, which is half of my frst.log.
 
Here's the ESET notification. It's related to the HIPS module which I had set to Automatic.

Application                      | Operation               | Target
C:\Windows\System32\services.exe | Modify startup settings | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Start
 
Here are some logs
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-05-2023
Ran by there (administrator) on INITRID (HP Victus by HP 15L Gaming Desktop TG02-0xxx) (19-05-2023 23:38:46)
Running from C:\Users\there\Downloads\FRST64.exe
Loaded Profiles: there
Platform: Microsoft Windows 11 Home Version 22H2 22621.1702 (X64) Language: English (United States)
Default browser: FF
Boot Mode: Normal
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(0A0B0503-04C2-4CCF-9BC2-4F164DC80FEE -> Advanced Micro Devices, Inc.) C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20037.0_x64__0a9344xs7nr4m\radeonsoftware\AMDRSServ.exe
(0A0B0503-04C2-4CCF-9BC2-4F164DC80FEE -> Advanced Micro Devices, Inc.) C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20037.0_x64__0a9344xs7nr4m\radeonsoftware\RadeonSoftware.exe
(C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe ->) (Brave Software, Inc. -> BraveSoftware Inc.) C:\Program Files (x86)\BraveSoftware\Update\1.3.361.133\BraveCrashHandler.exe
(C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe ->) (Brave Software, Inc. -> BraveSoftware Inc.) C:\Program Files (x86)\BraveSoftware\Update\1.3.361.133\BraveCrashHandler64.exe
(C:\Program Files (x86)\Citrix\ICA Client\concentr.exe ->) (Citrix Systems, Inc. -> Cloud Software Group, Inc.) C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
(C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe ->) (Citrix Systems, Inc. -> Cloud Software Group, Inc.) C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfServicePlugin.exe
(C:\Program Files\ESET\ESET Security\ekrn.exe ->) (ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\egui.exe
(C:\Program Files\ESET\ESET Security\ekrn.exe ->) (ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\eguiProxy.exe
(C:\Program Files\ESET\ESET Security\ekrn.exe ->) (ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\eOppFrame.exe
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc. -> ) C:\Program Files\Malwarebytes\Anti-Malware\MBAMCrashHandler.exe
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(C:\Program Files\Mozilla Firefox\firefox.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MbamBgNativeMsg.exe
(C:\Program Files\Rockstar Games\Launcher\Launcher.exe ->) (Rockstar Games, Inc. -> Rockstar Games) C:\Program Files\Rockstar Games\Launcher\ThirdParty\Crashpad\RockstarErrorHandler.exe
(C:\Program Files\Rockstar Games\Launcher\Launcher.exe ->) (Rockstar Games, Inc. -> Take-Two Interactive Software, Inc.) C:\Program Files\Rockstar Games\Social Club\SocialClubHelper.exe <4>
(C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20037.0_x64__0a9344xs7nr4m\radeonsoftware\AMDRSServ.exe ->) (0A0B0503-04C2-4CCF-9BC2-4F164DC80FEE -> Advanced Micro Devices, Inc.) C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20037.0_x64__0a9344xs7nr4m\radeonsoftware\AMDRSSrcExt.exe
(C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20037.0_x64__0a9344xs7nr4m\radeonsoftware\RadeonSoftware.exe ->) (0A0B0503-04C2-4CCF-9BC2-4F164DC80FEE -> Advanced Micro Devices, Inc.) C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20037.0_x64__0a9344xs7nr4m\radeonsoftware\cncmd.exe
(C:\Users\there\Downloads\FRST64.exe ->) (Microsoft Corporation -> ) C:\Program Files\WindowsApps\microsoft.windowsnotepad_11.2209.6.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe <2>
(Citrix Systems, Inc. -> Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc. -> Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\Receiver\AnalyticsSrv.exe
(Citrix Systems, Inc. -> Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
(DriverStore\FileRepository\u0387305.inf_amd64_939f60121c4fd1e0\B387040\atiesrxx.exe ->) (Advanced Micro Devices Inc. -> AMD) C:\Windows\System32\DriverStore\FileRepository\u0387305.inf_amd64_939f60121c4fd1e0\B387040\atieclxx.exe
(explorer.exe ->) (OpenVPN Inc. -> ) C:\Program Files\OpenVPN\bin\openvpn-gui.exe
(Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
(Mozilla Corporation -> Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe <17>
(Rockstar Games, Inc. -> Rockstar Games) C:\Program Files\Rockstar Games\Launcher\Launcher.exe
(SECOMN64.exe ->) (Sound Research Corporation -> Sound Research, Corp.) C:\Windows\System32\SECOCL64.exe
(services.exe ->) (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.) C:\Windows\System32\amdfendrsr.exe
(services.exe ->) (Advanced Micro Devices Inc. -> AMD) C:\Windows\System32\DriverStore\FileRepository\u0387305.inf_amd64_939f60121c4fd1e0\B387040\atiesrxx.exe
(services.exe ->) (Citrix Systems, Inc. -> Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\appprotection.exe
(services.exe ->) (Citrix Systems, Inc. -> Cloud Software Group, Inc.) C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe
(services.exe ->) (ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Secure Data\dlpsrv.exe
(services.exe ->) (ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\efwd.exe
(services.exe ->) (ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\ekrn.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Program Files\HPCommRecovery\HPCommRecovery.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpanalyticscomp.inf_amd64_5bf497d20ce7fee9\x64\TouchpointAnalyticsClientService.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_3fe14bedeb9ca7a2\x64\AppHelperCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_3fe14bedeb9ca7a2\x64\DiagsCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_3fe14bedeb9ca7a2\x64\NetworkCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_3fe14bedeb9ca7a2\x64\SysInfoCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpomencustomcapcomp.inf_amd64_e711c85c03558fc4\x64\OmenCap\OmenCap.exe
(services.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MsMpEng.exe
(services.exe ->) (OpenVPN Inc. -> The OpenVPN Project) C:\Program Files\OpenVPN\bin\openvpnserv.exe
(services.exe ->) (Realtek Semiconductor Corp. -> Realtek Semiconductor Corp.) C:\Windows\RtkBtManServ.exe
(services.exe ->) (Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_18daf79b2c8abbf6\RtkAudUService64.exe <2>
(services.exe ->) (Rockstar Games, Inc. -> Rockstar Games) C:\Program Files\Rockstar Games\Launcher\RockstarService.exe
(services.exe ->) (Sound Research Corporation -> Sound Research, Corp.) C:\Windows\System32\SECOMN64.exe
(svchost.exe ->) (Brave Software, Inc. -> BraveSoftware Inc.) C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
(svchost.exe ->) (Citrix Systems, Inc. -> Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe
==================== Registry (Whitelisted) ===================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Security\ecmds.exe [194704 2023-05-19] (ESET, spol. s r.o. -> ESET)
HKLM-x32\...\Run: [AnalyticsSrv] => C:\Program Files (x86)\Citrix\ICA Client\Receiver\AnalyticsSrv.exe [2664040 2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [2990472 2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [563080 2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
HKLM\...\Policies\Explorer: [HideSCAMeetNow] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\Software\Policies\...\system: [EnableActivityFeed] 0
HKLM\Software\Policies\...\system: [PublishUserActivities] 0
HKLM\Software\Policies\...\system: [UploadUserActivities] 0
HKLM\Software\Policies\...\system: [AllowClipboardHistory] 0
 
HKU\S-1-5-19\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe [536152 2022-10-23] (HP Inc. -> HP Inc.)
HKU\S-1-5-19\...\RunOnce: [OMENCC_InstallationBooster] => C:\system.sav\util\OMENCC_InstallationBooster.exe [16424 2020-03-07] (HP Inc. -> )
HKU\S-1-5-20\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe [536152 2022-10-23] (HP Inc. -> HP Inc.)
HKU\S-1-5-20\...\RunOnce: [OMENCC_InstallationBooster] => C:\system.sav\util\OMENCC_InstallationBooster.exe [16424 2020-03-07] (HP Inc. -> )
HKU\S-1-5-21-1635575026-680499027-3165678348-1001\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe [536152 2022-10-23] (HP Inc. -> HP Inc.)
HKU\S-1-5-21-1635575026-680499027-3165678348-1001\...\Run: [OPENVPN-GUI] => C:\Program Files\OpenVPN\bin\openvpn-gui.exe [869152 2022-12-02] (OpenVPN Inc. -> )
HKU\S-1-5-21-1635575026-680499027-3165678348-1001\...\Policies\Explorer: [HideSCAMeetNow] 1
HKU\S-1-5-21-1635575026-680499027-3165678348-1001\...\MountPoints2: {baacea61-8495-11ed-adc5-9021ed69feac} - "F:\setup.exe"
HKU\S-1-5-21-1635575026-680499027-3165678348-1002\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe [536152 2022-10-23] (HP Inc. -> HP Inc.)
HKU\S-1-5-21-1635575026-680499027-3165678348-1002\...\Run: [OPENVPN-GUI] => C:\Program Files\OpenVPN\bin\openvpn-gui.exe [869152 2022-12-02] (OpenVPN Inc. -> )
HKU\S-1-5-21-1635575026-680499027-3165678348-500\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe [536152 2022-10-23] (HP Inc. -> HP Inc.)
HKU\S-1-5-21-1635575026-680499027-3165678348-500\...\Run: [OPENVPN-GUI] => C:\Program Files\OpenVPN\bin\openvpn-gui.exe [869152 2022-12-02] (OpenVPN Inc. -> )
HKLM\...\Windows x64\Print Processors\Canon MG2500 series Print Processor: C:\Windows\System32\spool\prtprocs\x64\CNMPDBX.DLL [30208 2013-03-24] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)
HKLM\Software\...\AppCompatFlags\Custom\AuthManSvr.exe: [{dcdaa2fd-eaac-4ab0-9ece-f3df127a6c45}.sdb] -> Citrix Workspace
HKLM\Software\...\AppCompatFlags\Custom\Browser.exe: [{dcdaa2fd-eaac-4ab0-9ece-f3df127a6c45}.sdb] -> Citrix Workspace
HKLM\Software\...\AppCompatFlags\Custom\CDViewer.exe: [{dcdaa2fd-eaac-4ab0-9ece-f3df127a6c45}.sdb] -> Citrix Workspace
HKLM\Software\...\AppCompatFlags\Custom\CtxWebBrowser.exe: [{dcdaa2fd-eaac-4ab0-9ece-f3df127a6c45}.sdb] -> Citrix Workspace
HKLM\Software\...\AppCompatFlags\Custom\SelfService.exe: [{dcdaa2fd-eaac-4ab0-9ece-f3df127a6c45}.sdb] -> Citrix Workspace
HKLM\Software\...\AppCompatFlags\Custom\wfica32.exe: [{dcdaa2fd-eaac-4ab0-9ece-f3df127a6c45}.sdb] -> Citrix Workspace
HKLM\Software\...\AppCompatFlags\InstalledSDB\{dcdaa2fd-eaac-4ab0-9ece-f3df127a6c45}: [DatabasePath] -> C:\WINDOWS\AppPatch\CustomSDB\{dcdaa2fd-eaac-4ab0-9ece-f3df127a6c45}.sdb [2023-03-16]
HKLM\Software\Microsoft\Active Setup\Installed Components: [OpenVPN_UserSetup] -> reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OPENVPN-GUI /f
HKLM\Software\Microsoft\Active Setup\Installed Components: [{FCADF89D-0D43-488D-BC24-B068C474F40D}] -> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v OPENVPN-GUI /t REG_SZ /d "C:\Program Files\OpenVPN\bin\openvpn-gui.exe"
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{60f15951-e7ef-11ea-b28e-c4b301b9ed33}] -> C:\Program Files (x86)\Citrix\ICA Client\CitrixEnterpriseBrowser\109.1.1.29\Installer\chrmstp.exe [2023-05-19] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {17D64705-E513-49A2-9436-96B3A361A0A5} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MpCmdRun.exe [1650024 2023-05-19] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {1AE6AE17-C7B9-4C4E-964B-9CE18F2B2765} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [26308584 2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Task: {39E436AA-24AF-4B86-B38C-6E72229983EC} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MpCmdRun.exe [1650024 2023-05-19] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {3A16C3FE-F6F5-45C7-8E55-3C7B3A0053A9} - System32\Tasks\RtkAudUService64_BG => C:\WINDOWS\System32\DriverStore\FileRepository\realtekservice.inf_amd64_18daf79b2c8abbf6\RtkAudUService64.exe [1637232 2023-01-17] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
Task: {5060B792-A567-46A4-9C61-79AE57498DFE} - System32\Tasks\Mozilla\Firefox Background Update 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\firefox.exe [676768 2023-05-17] (Mozilla Corporation -> Mozilla Corporation) -> --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate
Task: {5743DE78-576A-4036-9548-5FF9CBEB7C79} - System32\Tasks\HP\Consent Manager Launcher => C:\WINDOWS\system32\sc.exe [98304 2022-05-07] (Microsoft Windows -> Microsoft Corporation)
Task: {61FA2112-9DA5-4FB1-92F6-20FCF78E3730} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [26308584 2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Task: {65C9AFEF-2538-45D6-ACE8-E1C5990664A8} - System32\Tasks\BraveSoftwareUpdateTaskMachineCore{5E14D2EF-8B86-4671-8040-DF94E5895A2E} => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [174968 2022-11-14] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {6801CBE7-D31E-483C-90BD-20FC3D0B195D} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MpCmdRun.exe [1650024 2023-05-19] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {71A13963-E10F-4A10-AA5A-C8EC454B9F17} - System32\Tasks\npcapwatchdog => C:\Program Files\Npcap\CheckStatus.bat [815 2022-08-18] () [File not signed]
Task: {737C32D7-97EB-4BDB-A2FA-02CCE171A4EE} - System32\Tasks\BraveSoftwareUpdateTaskMachineUA{3A46BE0A-8164-4AA5-AE0E-62337B700246} => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [174968 2022-11-14] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {75D89315-B706-4C99-9B05-0C3ABD07D3AE} - \Microsoft\Windows\Setup\EM -> No File <==== ATTENTION
Task: {7B94A151-83E4-4F6D-9177-56E16BB1FFD8} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MpCmdRun.exe [1650024 2023-05-19] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {801D9538-8494-4D9C-AC3A-BED5C8A59F24} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [144344 2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Task: {8B731EC4-01EE-43FF-B6E5-EA48D0278331} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Update Notice => C:\Program Files (x86)\HP\HP Support Framework\Resources\BingPopup\BingPopup.exe [847392 2022-10-26] (HP Inc. -> HP Inc.)
Task: {971A7C34-C73B-403B-94D3-C8D71F703702} - System32\Tasks\klcp_update => C:\Program Files (x86)\K-Lite Codec Pack\Tools\CodecTweakTool.exe [2113024 2022-12-28] () [File not signed]
Task: {A1BDB5E4-A73A-41CC-A99F-E03B5AF8A7BC} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_ERROR_HB => C:\Users\there\Downloads\MSERT.exe [130610640 2023-05-16] (Microsoft Corporation -> Microsoft Corporation)
Task: {B5873677-2BE4-483E-9F1C-F7FD6794DBF1} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [144344 2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Task: {CB6C9929-BC97-464E-8930-2B1552C43431} - System32\Tasks\Microsoft\Office\Office Performance Monitor => C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe [146816 2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => C:\WINDOWS\system32\MusNotification.exe (No File)
Task: {F60D741C-F5B8-43D2-992C-446DF73C8554} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe [732064 2023-05-17] (Mozilla Corporation -> Mozilla Foundation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-1635575026-680499027-3165678348-1001] => 192.168.49.1:8282
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{1fb7d467-cc22-40ec-8ac6-de5ddf95ceab}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{23e355b9-1089-42ed-b1bf-4c8819d427d7}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{33f9f470-46d5-4902-85ee-4b9d091b0cdc}: [DhcpNameServer] 192.168.128.1
Tcpip\..\Interfaces\{3825794b-cf5f-41ef-ad83-6ac344a07cab}: [DhcpNameServer] 192.168.109.180
Tcpip\..\Interfaces\{3959c597-93e9-425d-b8d2-46aa99f9924c}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{d5c27194-b533-4667-a372-f13dac357ab7}: [DhcpNameServer] 192.168.49.1
Tcpip\..\Interfaces\{e212d1f1-185c-4091-9f23-c06f440d8f7b}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{f458bbe0-01d0-466b-80ea-f33709d0260e}: [DhcpNameServer] 1.1.1.1 8.8.8.8 1.1.1.1 8.8.8.8

Edge:
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\there\AppData\Local\Microsoft\Edge\User Data\Default [2023-05-18]
Edge Extension: (Download with JDownloader) - C:\Users\there\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ilonanfdcnaljoedndpfeflllibalflj [2022-11-24]

FireFox:
========
FF DefaultProfile: ldg0zrxt.default
FF ProfilePath: C:\Users\there\AppData\Roaming\Mozilla\Firefox\Profiles\ldg0zrxt.default [2022-11-14]
FF ProfilePath: C:\Users\there\AppData\Roaming\Mozilla\Firefox\Profiles\gyrtly5u.default-release-1684304987191 [2023-05-19]
FF Session Restore: Mozilla\Firefox\Profiles\gyrtly5u.default-release-1684304987191 -> is enabled.
FF Extension: (DuckDuckGo Privacy Essentials) - C:\Users\there\AppData\Roaming\Mozilla\Firefox\Profiles\gyrtly5u.default-release-1684304987191\Extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi [2023-05-17]
FF Extension: (ESET Password Manager) - C:\Users\there\AppData\Roaming\Mozilla\Firefox\Profiles\gyrtly5u.default-release-1684304987191\Extensions\passwordmanager@eset.com.xpi [2023-05-17] [UpdateUrl:hxxps://download.eset.com/com/eset/extensions/firefox/pwm/g2/latest/update.json]
FF Extension: (Malwarebytes Browser Guard) - C:\Users\there\AppData\Roaming\Mozilla\Firefox\Profiles\gyrtly5u.default-release-1684304987191\Extensions\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi [2023-05-17]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2022-11-14] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2022-11-14] (Microsoft Corporation -> Microsoft Corporation)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\eset_security_config_overlay.js [2023-05-19]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 appprotectionsvc; C:\Program Files (x86)\Citrix\ICA Client\appprotection.exe [520624 2023-03-16] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
S2 brave; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [174968 2022-11-14] (Brave Software, Inc. -> BraveSoftware Inc.)
S3 bravem; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [174968 2022-11-14] (Brave Software, Inc. -> BraveSoftware Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [12540928 2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
R2 CWAUpdaterService; C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe [67504 2023-03-27] (Citrix Systems, Inc. -> Cloud Software Group, Inc.)
R2 dlpsrv; C:\Program Files\ESET\ESET Secure Data\dlpsrv.exe [707864 2022-08-24] (ESET, spol. s r.o. -> ESET)
R2 efwd; C:\Program Files\ESET\ESET Security\efwd.exe [2509944 2023-05-19] (ESET, spol. s r.o. -> ESET)
R2 ekrn; C:\Program Files\ESET\ESET Security\ekrn.exe [3650416 2023-05-19] (ESET, spol. s r.o. -> ESET)
R3 ekrnEpfw; C:\Program Files\ESET\ESET Security\ekrn.exe [3650416 2023-05-19] (ESET, spol. s r.o. -> ESET)
R2 HP Comm Recover; C:\Program Files\HPCommRecovery\HPCommRecovery.exe [891256 2020-07-30] (HP Inc. -> HP Inc.)
R2 HPAppHelperCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_3fe14bedeb9ca7a2\x64\AppHelperCap.exe [859072 2023-04-26] (HP Inc. -> HP Inc.)
R2 HPDiagsCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_3fe14bedeb9ca7a2\x64\DiagsCap.exe [857496 2023-04-26] (HP Inc. -> HP Inc.)
R2 HPNetworkCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_3fe14bedeb9ca7a2\x64\NetworkCap.exe [854416 2023-04-26] (HP Inc. -> HP Inc.)
R2 HPOmenCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpomencustomcapcomp.inf_amd64_e711c85c03558fc4\x64\OmenCap\OmenCap.exe [775136 2022-11-04] (HP Inc. -> HP Inc.)
R2 HPSysInfoCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_3fe14bedeb9ca7a2\x64\SysInfoCap.exe [858512 2023-04-26] (HP Inc. -> HP Inc.)
R2 HpTouchpointAnalyticsService; C:\WINDOWS\System32\DriverStore\FileRepository\hpanalyticscomp.inf_amd64_5bf497d20ce7fee9\x64\TouchpointAnalyticsClientService.exe [496208 2023-03-16] (HP Inc. -> HP Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [9255384 2023-05-19] (Malwarebytes Inc. -> Malwarebytes)
R2 OpenVPNServiceInteractive; C:\Program Files\OpenVPN\bin\openvpnserv.exe [67352 2022-12-02] (OpenVPN Inc. -> The OpenVPN Project)
R3 Rockstar Service; C:\Program Files\Rockstar Games\Launcher\RockstarService.exe [2199024 2023-05-19] (Rockstar Games, Inc. -> Rockstar Games)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\NisSrv.exe [3216064 2023-05-19] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MsMpEng.exe [133544 2023-05-19] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 A6100; C:\WINDOWS\System32\drivers\A6100.sys [5004560 2016-02-17] (Realtek Semiconductor Corp -> Realtek Semiconductor Corporation)
R3 amdfendrmgr; C:\WINDOWS\System32\drivers\amdfendrmgr.sys [35360 2022-06-01] (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.)
R3 amdgpio3; C:\WINDOWS\System32\drivers\amdgpio3.sys [36928 2022-06-03] (ASMedia Technology Inc. -> Advanced Micro Devices, Inc)
R3 amdwddmg; C:\WINDOWS\System32\DriverStore\FileRepository\u0387305.inf_amd64_939f60121c4fd1e0\B387040\amdkmdag.sys [94633856 2023-01-06] (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.)
R2 ctxusbm; C:\WINDOWS\system32\DRIVERS\ctxusbmon.sys [156072 2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
R0 DLMFENC; C:\WINDOWS\System32\DRIVERS\DLMFENC.sys [242168 2022-09-21] (ESET, spol. s r.o. -> ESET, spol. s r.o.)
R0 DLPCRYPT; C:\WINDOWS\System32\DRIVERS\dlpcrypt.sys [121728 2022-08-24] (DESlock Limited -> DESlock Ltd.)
 
R0 dlpvdisk; C:\WINDOWS\System32\DRIVERS\dlpvdisk.sys [98296 2022-08-24] (DESlock Limited -> DESlock Ltd.)
R1 eamonm; C:\WINDOWS\System32\DRIVERS\eamonm.sys [198448 2023-05-19] (ESET, spol. s r.o. -> ESET)
R0 edevmon; C:\WINDOWS\System32\DRIVERS\edevmon.sys [118872 2023-05-19] (ESET, spol. s r.o. -> ESET)
R1 edevmonm; C:\WINDOWS\System32\DRIVERS\edevmonm.sys [122568 2023-05-19] (ESET, spol. s r.o. -> ESET)
S0 eelam; C:\WINDOWS\System32\DRIVERS\eelam.sys [16336 2022-11-09] (Microsoft Windows Early Launch Anti-malware Publisher -> ESET)
R1 ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [244920 2023-05-19] (ESET, spol. s r.o. -> ESET)
R2 ekbdflt; C:\WINDOWS\system32\DRIVERS\ekbdflt.sys [55440 2023-05-19] (ESET, spol. s r.o. -> ESET)
R2 entryprotectdrv; C:\Program Files (x86)\Citrix\ICA Client\entryprotect.sys [72064 2023-03-16] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
R1 epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [81728 2023-05-19] (ESET, spol. s r.o. -> ESET)
R1 epfwwfp; C:\WINDOWS\system32\DRIVERS\epfwwfp.sys [123008 2023-05-19] (ESET, spol. s r.o. -> ESET)
R1 epinject6; C:\Program Files (x86)\Citrix\ICA Client\epinject.sys [161832 2023-03-16] (Citrix Systems, Inc. -> )
R3 epusbfilter; C:\Program Files (x86)\Citrix\ICA Client\epusbfilter.sys [44392 2023-03-16] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [158640 2023-05-19] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R0 fse; C:\WINDOWS\System32\drivers\fse.sys [218464 2023-05-18] (Microsoft Windows -> Microsoft Corporation)
R3 HPCustomCapDriver; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapdriver.inf_amd64_a955fa431e522f5e\x64\hpcustomcapdriver.sys [25592 2021-09-15] (HP Inc. -> HP Inc.)
R3 HPOmenCustomCapDriver; C:\WINDOWS\System32\DriverStore\FileRepository\hpomencustomcapdriver.inf_amd64_326f2e1d16385daf\x64\hpomencustomcapdriver.sys [23896 2021-09-28] (HP Inc. -> HP Inc.)
R2 HpReadHWData; C:\WINDOWS\system32\drivers\HpReadHWData.sys [42920 2022-11-14] (WDKTestCert liaow,132675391035378460 -> Windows (R) Win 7 DDK provider)
R0 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [223176 2023-05-19] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S0 MbamElam; C:\WINDOWS\System32\DRIVERS\MbamElam.sys [21480 2023-05-19] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\System32\DRIVERS\farflt11.sys [233216 2023-05-19] (Malwarebytes Inc. -> Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [77752 2023-05-19] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [239544 2023-05-19] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [181984 2023-05-19] (Malwarebytes Inc. -> Malwarebytes)
S1 npcap; C:\WINDOWS\system32\DRIVERS\npcap.sys [77336 2022-08-19] (Insecure.Com LLC -> Insecure.Com LLC.)
S4 npcap_wifi; C:\WINDOWS\system32\DRIVERS\npcap.sys [77336 2022-08-19] (Insecure.Com LLC -> Insecure.Com LLC.)
R1 rtf64; C:\WINDOWS\system32\DRIVERS\rtf64x64.sys [62352 2021-12-10] (Realtek Semiconductor Corp. -> Realtek)
S3 ssbthid; C:\WINDOWS\System32\drivers\ssbthid.sys [39864 2022-07-06] (Microsoft Windows Hardware Compatibility Publisher -> SteelSeries ApS)
S3 ssdevfactory; C:\WINDOWS\System32\drivers\ssdevfactory.sys [42912 2022-07-06] (Microsoft Windows Hardware Compatibility Publisher -> SteelSeries ApS)
S3 sshid; C:\WINDOWS\System32\drivers\sshid.sys [43960 2022-08-17] (Microsoft Windows Hardware Compatibility Publisher -> SteelSeries ApS)
R3 tap0901; C:\WINDOWS\System32\drivers\tap0901.sys [39920 2022-12-26] (Microsoft Windows Hardware Compatibility Publisher -> The OpenVPN Project)
R0 VDLPToken2; C:\WINDOWS\System32\DRIVERS\vdlptkn2.sys [135672 2022-08-24] (DESlock Limited -> DESlock Ltd.)
S3 vmbusproxy; C:\WINDOWS\system32\drivers\vmbusproxy.sys [94208 2022-12-27] (Microsoft Windows -> )
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [49616 2023-05-19] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [498944 2023-05-19] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [99608 2023-05-19] (Microsoft Windows -> Microsoft Corporation)
R3 wintun; C:\WINDOWS\System32\drivers\wintun.sys [38176 2022-12-26] (WireGuard LLC -> WireGuard LLC)
U3 aspnet_state; no ImagePath
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-05-19 23:37 - 2023-05-19 23:38 - 000039625 _____ C:\Users\there\Downloads\Addition.txt
2023-05-19 23:36 - 2023-05-19 23:39 - 000031426 _____ C:\Users\there\Downloads\FRST.txt
2023-05-19 23:36 - 2023-05-19 23:38 - 000000000 ____D C:\FRST
2023-05-19 23:35 - 2023-05-19 23:36 - 002382336 _____ (Farbar) C:\Users\there\Downloads\FRST64.exe
2023-05-19 23:20 - 2023-05-19 23:20 - 000233216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt11.sys
2023-05-19 23:20 - 2023-05-19 23:20 - 000181984 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2023-05-19 22:26 - 2023-05-19 22:26 - 000000000 ____D C:\Users\there\OneDrive\Documents\Custom Office Templates
2023-05-19 21:52 - 2023-05-19 23:21 - 000000000 ____D C:\Users\there\AppData\Local\Malwarebytes
2023-05-19 21:52 - 2023-05-19 21:52 - 000002040 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2023-05-19 21:52 - 2023-05-19 21:52 - 000002028 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2023-05-19 21:52 - 2023-05-19 21:52 - 000000000 ____D C:\Users\there\AppData\Local\mbam
2023-05-19 21:50 - 2023-05-19 21:50 - 002638680 _____ (Malwarebytes) C:\Users\there\Downloads\MBSetup.exe
2023-05-19 21:50 - 2023-05-19 21:50 - 000000000 ____D C:\ProgramData\Malwarebytes
2023-05-19 21:50 - 2023-05-19 21:50 - 000000000 ____D C:\Program Files\Malwarebytes
2023-05-19 21:44 - 2023-05-19 21:44 - 000130337 _____ C:\Users\there\Downloads\getservices.zip
2023-05-19 16:48 - 2023-05-19 22:29 - 000000000 ____D C:\Users\there\AppData\Local\Citrix
2023-05-19 16:48 - 2023-05-19 16:48 - 000002541 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix Workspace.lnk
2023-05-19 16:48 - 2023-05-19 16:48 - 000000000 ____D C:\Users\there\AppData\Roaming\ICAClient
2023-05-19 16:48 - 2023-05-19 16:48 - 000000000 ____D C:\Users\there\AppData\Local\ToastNotificationManagerCompat
2023-05-19 16:48 - 2023-05-19 16:48 - 000000000 ____D C:\Users\there\AppData\Local\Sentry
2023-05-19 16:48 - 2023-05-19 16:48 - 000000000 ____D C:\Users\there\AppData\Local\IsolatedStorage
2023-05-19 16:48 - 2023-05-19 16:48 - 000000000 ____D C:\ProgramData\Citrix
2023-05-19 16:48 - 2023-05-19 16:48 - 000000000 ____D C:\Program Files (x86)\Citrix
2023-05-19 16:44 - 2023-05-19 16:47 - 289667504 _____ (Cloud Software Group, Inc.) C:\Users\there\Downloads\CitrixWorkspaceApp.exe
2023-05-19 00:14 - 2023-05-19 00:19 - 000000000 ____D C:\Users\there\AppData\Local\FSDART
2023-05-19 00:14 - 2023-05-19 00:17 - 000000000 ____D C:\ProgramData\F-Secure
2023-05-19 00:14 - 2023-05-19 00:14 - 000000000 ____D C:\Users\there\AppData\Local\F-Secure
2023-05-18 23:58 - 2023-05-18 23:58 - 000000000 ___HD C:\$WinREAgent
2023-05-18 21:50 - 2023-05-19 23:23 - 000000000 ____D C:\Program Files (x86)\Rockstar Games
2023-05-17 02:41 - 2023-05-16 21:48 - 087389168 _____ (Rockstar Games Inc.) C:\Users\there\Downloads\Rockstar-Games-Launcher.exe
2023-05-17 02:38 - 2023-05-19 01:12 - 000000000 ____D C:\Program Files\Mozilla Firefox
2023-05-16 21:48 - 2023-05-19 23:23 - 000000000 ____D C:\ProgramData\Rockstar Games
2023-05-16 21:48 - 2023-05-19 23:23 - 000000000 ____D C:\Program Files\Rockstar Games
2023-05-16 21:48 - 2023-05-16 21:48 - 000000000 ____D C:\Users\there\AppData\Local\Rockstar Games
 
==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-05-19 23:30 - 2022-12-25 17:30 - 000000000 ____D C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38
2023-05-19 23:30 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SystemTemp
2023-05-19 23:27 - 2022-12-25 18:31 - 000829944 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2023-05-19 23:27 - 2022-05-07 01:22 - 000000000 ____D C:\WINDOWS\INF
2023-05-19 23:22 - 2022-05-07 01:24 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2023-05-19 23:21 - 2022-10-21 22:18 - 000000000 ____D C:\Users\there\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rockstar Games
2023-05-19 23:20 - 2022-12-25 18:29 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2023-05-19 23:20 - 2022-12-25 18:27 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2023-05-19 23:20 - 2021-06-25 14:10 - 000012288 ___SH C:\DumpStack.log.tmp
2023-05-19 23:19 - 2022-05-07 01:17 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2023-05-19 23:17 - 2022-12-26 23:58 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2023-05-19 23:16 - 2022-12-25 18:27 - 000001607 _____ C:\WINDOWS\system32\config\VSMIDK
2023-05-19 22:26 - 2023-01-04 10:08 - 000000000 ____D C:\Users\there\AppData\Roaming\Microsoft\Excel
2023-05-19 21:52 - 2023-01-04 10:08 - 000000000 ____D C:\Users\there\AppData\Roaming\Microsoft\Office
2023-05-19 21:52 - 2022-05-07 01:24 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
2023-05-19 21:22 - 2022-11-14 21:48 - 000000000 ____D C:\Users\there\AppData\Local\D3DSCache
2023-05-19 19:57 - 2022-05-07 01:17 - 000000000 ____D C:\WINDOWS\CbsTemp
2023-05-19 16:51 - 2022-11-14 21:46 - 000000000 ____D C:\Users\there\AppData\Local\VirtualStore
2023-05-19 16:50 - 2022-11-14 21:34 - 000002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2023-05-19 16:50 - 2022-11-14 21:34 - 000002283 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2023-05-19 16:50 - 2022-05-07 01:24 - 000000000 ___HD C:\Program Files\WindowsApps
2023-05-19 16:50 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\AppReadiness
2023-05-19 16:48 - 2022-11-29 06:20 - 000000000 ____D C:\ProgramData\Package Cache
2023-05-19 01:19 - 2022-11-14 21:34 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2023-05-19 01:12 - 2022-11-14 19:10 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2023-05-19 01:12 - 2022-10-21 22:13 - 000000000 ___SD C:\Users\there\AppData\Roaming\Microsoft\Protect
2023-05-19 01:11 - 2023-02-07 02:55 - 000244920 _____ (ESET) C:\WINDOWS\system32\Drivers\ehdrv.sys
2023-05-19 01:11 - 2023-02-07 02:55 - 000198448 _____ (ESET) C:\WINDOWS\system32\Drivers\eamonm.sys
2023-05-19 01:11 - 2023-02-07 02:55 - 000123008 _____ (ESET) C:\WINDOWS\system32\Drivers\epfwwfp.sys
2023-05-19 01:11 - 2023-02-07 02:55 - 000122568 _____ (ESET) C:\WINDOWS\system32\Drivers\edevmonm.sys
2023-05-19 01:11 - 2023-02-07 02:55 - 000118872 _____ (ESET) C:\WINDOWS\system32\Drivers\edevmon.sys
2023-05-19 01:11 - 2023-02-07 02:55 - 000081728 _____ (ESET) C:\WINDOWS\system32\Drivers\epfw.sys
2023-05-19 01:11 - 2023-02-07 02:55 - 000055440 _____ (ESET) C:\WINDOWS\system32\Drivers\ekbdflt.sys
2023-05-19 00:20 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SystemResources
2023-05-19 00:20 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\Sgrm
2023-05-19 00:20 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\SecureBootUpdates
2023-05-19 00:20 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\bcastdvr
2023-05-19 00:00 - 2022-11-24 15:37 - 000000000 ____D C:\Program Files\Blue Iris 5
2023-05-18 23:59 - 2022-12-25 18:29 - 003211776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2023-05-18 23:29 - 2022-12-25 18:13 - 000000000 ____D C:\Users\there\AppData\Roaming\Microsoft\Spelling
2023-05-18 23:29 - 2022-11-14 21:38 - 000000000 ____D C:\Users\there\AppData\Local\Packages
2023-05-18 23:28 - 2022-12-25 18:27 - 000669216 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ___SD C:\WINDOWS\system32\UNP
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ___RD C:\WINDOWS\PrintDialog
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\UUS
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SysWOW64\WinMetadata
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SysWOW64\setup
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SysWOW64\oobe
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SysWOW64\Dism
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SystemApps
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\WinMetadata
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\ShellExperiences
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\setup
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\PerceptionSimulation
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\oobe
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\es-MX
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\Dism
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\appraiser
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\ShellExperiences
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\ShellComponents
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\Provisioning
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2023-05-18 23:27 - 2022-05-07 01:24 - 000000000 ____D C:\Program Files\Common Files\System
2023-05-18 22:12 - 2022-05-07 02:10 - 000036864 _____ (Microsoft Corporation) C:\WINDOWS\system32\OEMDefaultAssociations.dll
2023-05-18 22:12 - 2022-05-07 02:10 - 000023775 _____ C:\WINDOWS\system32\OEMDefaultAssociations.xml
2023-05-18 22:12 - 2022-05-07 01:25 - 000209920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msclmd.dll
2023-05-18 22:12 - 2022-05-07 01:25 - 000076800 _____ (Khronos Group) C:\WINDOWS\SysWOW64\opencl.dll
2023-05-18 22:12 - 2022-05-07 01:24 - 000249856 _____ (Microsoft Corporation) C:\WINDOWS\system32\msclmd.dll
2023-05-18 22:12 - 2022-05-07 01:24 - 000118784 _____ (Khronos Group) C:\WINDOWS\system32\opencl.dll
2023-05-18 21:55 - 2022-11-14 21:46 - 000000000 ____D C:\Users\there\AppData\Local\AMD
2023-05-18 21:52 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2023-05-18 21:50 - 2022-11-14 21:35 - 000000000 ____D C:\WINDOWS\system32\FxsTmp
2023-05-18 21:50 - 2022-11-14 21:35 - 000000000 ____D C:\WINDOWS\addins
2023-05-18 21:50 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SysWOW64\lv-LV
2023-05-18 21:50 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SysWOW64\lt-LT
2023-05-18 21:50 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SysWOW64\et-EE
2023-05-18 21:50 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\SysWOW64\es-MX
2023-05-18 21:50 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\lv-LV
2023-05-18 21:50 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\lt-LT
2023-05-18 21:50 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\et-EE
2023-05-18 21:49 - 2023-02-07 00:37 - 000000000 ____D C:\Users\there\AppData\Roaming\Movavi Video Editor 23
2023-05-18 21:49 - 2022-11-24 18:32 - 000000000 ____D C:\Users\there\AppData\Local\Softdeluxe
2023-05-18 21:49 - 2022-11-14 21:59 - 000000000 ____D C:\Users\there\AppData\Local\BraveSoftware
2023-05-18 21:27 - 2022-11-14 20:57 - 000000000 ____D C:\WINDOWS\system32\MRT
2023-05-18 21:26 - 2022-11-14 20:57 - 159583304 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2023-05-18 21:23 - 2022-12-25 18:29 - 000003366 _____ C:\WINDOWS\system32\Tasks\RtkAudUService64_BG
2023-05-18 21:21 - 2022-05-07 01:24 - 000000000 ____D C:\WINDOWS\system32\SecurityHealth
2023-05-17 02:40 - 2022-12-25 18:29 - 000003588 _____ C:\WINDOWS\system32\Tasks\OneDrive Reporting Task-S-1-5-21-1635575026-680499027-3165678348-1001
2023-05-17 02:40 - 2022-12-25 18:29 - 000003362 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1635575026-680499027-3165678348-1001
2023-05-17 02:40 - 2022-11-14 21:48 - 000002386 _____ C:\Users\there\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2023-05-17 02:29 - 2022-12-25 18:29 - 000000000 ____D C:\WINDOWS\system32\Tasks\Mozilla
2023-05-17 02:29 - 2022-10-24 03:28 - 000000000 ____D C:\Users\there\AppData\LocalLow\Mozilla
2023-05-16 22:53 - 2022-11-14 19:10 - 000001012 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2023-05-16 22:27 - 2022-11-14 21:28 - 000000000 ____D C:\Program Files\Microsoft Update Health Tools
2023-05-16 21:52 - 2022-12-25 17:59 - 000000000 ____D C:\found.000

==================== Files in the root of some directories ========

2022-11-29 06:31 - 2022-11-29 08:01 - 000000435 _____ () C:\Users\there\AppData\Local\zenmap.exe.log

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================
 
Here's the first part of Additions
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 18-05-2023
Ran by there (19-05-2023 23:39:47)
Running from C:\Users\there\Downloads
Microsoft Windows 11 Home Version 22H2 22621.1702 (X64) (2022-12-25 22:30:00)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

admin (S-1-5-21-1635575026-680499027-3165678348-1002 - Administrator - Disabled) => C:\Users\admin
DefaultAccount (S-1-5-21-1635575026-680499027-3165678348-503 - Limited - Disabled)
Guest (S-1-5-21-1635575026-680499027-3165678348-501 - Limited - Disabled)
there (S-1-5-21-1635575026-680499027-3165678348-1001 - Administrator - Enabled) => C:\Users\there
user (S-1-5-21-1635575026-680499027-3165678348-500 - Administrator - Enabled) => C:\Users\Administrator
WDAGUtilityAccount (S-1-5-21-1635575026-680499027-3165678348-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET Security (Enabled - Up to date) {DF8BEACB-94C9-218A-73AD-A78362A8C516}
AV: Malwarebytes (Enabled - Up to date) {0D452135-A081-B000-D6B6-132E52638543}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Kaspersky Anti-Virus (Enabled - Up to date) {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
FW: ESET Firewall (Enabled) {E7B06BEE-DEA6-20D2-58F2-0EB69C7B826D}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 22.01 (x64) (HKLM\...\7-Zip) (Version: 22.01 - Igor Pavlov)
AMD Ryzen Master SDK (HKLM\...\{DBD50508-5F75-416B-995D-C42433A00944}) (Version: 2.8.0.1925 - Advanced Micro Devices, Inc.)
Angry IP Scanner (HKLM-x32\...\Angry IP Scanner) (Version: 3.7.6 - Angry IP Scanner)
BCR Plug-in (HKLM-x32\...\{0F81987E-8B34-460E-ACD7-7FA8CF510F81}) (Version: 23.3.0.38 - Citrix Systems, Inc.) Hidden
Blue Iris 5 (HKLM\...\{554787D6-0E04-4FDC-8364-321890588742}) (Version: 5.6.5.9 - Perspective Software)
Citrix Authentication Manager (HKLM-x32\...\{BBE8F98C-795B-476B-B549-BF573185926D}) (Version: 23.3.1.9 - Cloud Software Group, Inc.) Hidden
Citrix Web Helper (HKLM-x32\...\{9C315F67-EB93-48FB-AC81-6F115C9931D8}) (Version: 23.3.0.49 - Cloud Software Group, Inc.) Hidden
Citrix Workspace (HKLM\...\{dcdaa2fd-eaac-4ab0-9ece-f3df127a6c45}.sdb) (Version: - )
Citrix Workspace 2303 (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 23.3.0.55 - Cloud Software Group, Inc.)
Citrix Workspace Inside (HKLM-x32\...\{20F3853B-FBB9-4601-988B-03C2EE7C90CA}) (Version: 23.3.0.18 - Citrix Systems, Inc.) Hidden
Citrix Workspace(DV) (HKLM-x32\...\{7BC5DEEA-4B7A-4A66-B758-DB410CB07186}) (Version: 23.3.0.38 - Citrix Systems, Inc.) Hidden
Citrix Workspace(USB) (HKLM-x32\...\{FF53B509-0A7C-4319-B782-A285234C423D}) (Version: 23.3.0.38 - Citrix Systems, Inc.) Hidden
ESET Premium Line Encryption (HKLM\...\{764DBB66-954B-498B-A8F0-5674FF309BAC}) (Version: 2.0.0.29 - ESET) Hidden
ESET Security (HKLM\...\{AC01C534-2ECB-460E-9D4E-D4D158076F50}) (Version: 16.1.14.0 - ESET, spol. s r.o.)
K-Lite Mega Codec Pack 17.3.7 (HKLM-x32\...\KLiteCodecPack_is1) (Version: 17.3.7 - KLCP)
LibreOffice 7.5.0.3 (HKLM\...\{AE6E3BD6-832E-486F-B040-B06228F447F5}) (Version: 7.5.0.3 - The Document Foundation)
Malwarebytes version 4.5.29.268 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.5.29.268 - Malwarebytes)
Microsoft 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.15831.20208 - Microsoft Corporation)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 113.0.1774.50 - Microsoft Corporation)
Microsoft Edge WebView2 Runtime (HKLM-x32\...\Microsoft EdgeWebView) (Version: 113.0.1774.42 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1635575026-680499027-3165678348-1001\...\OneDriveSetup.exe) (Version: 23.086.0423.0001 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1635575026-680499027-3165678348-1002\...\OneDriveSetup.exe) (Version: 21.050.0310.0001 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1635575026-680499027-3165678348-500\...\OneDriveSetup.exe) (Version: 21.050.0310.0001 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{43D501A5-E5E3-46EC-8F33-9E15D2A2CBD5}) (Version: 5.70.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 (HKLM-x32\...\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}) (Version: 14.30.30704.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.32.31332 (HKLM-x32\...\{a98dc6ff-d360-4878-9f0a-915eba86eaf3}) (Version: 14.32.31332.0 - Microsoft Corporation)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.30.30704 (HKLM\...\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}) (Version: 14.30.30704 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30704 (HKLM\...\{662A0088-6FCD-45DD-9EA7-68674058AED5}) (Version: 14.30.30704 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.32.31332 (HKLM-x32\...\{8972AC25-452E-4FFE-945A-EB9E28C20322}) (Version: 14.32.31332 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.32.31332 (HKLM-x32\...\{AEAA18F7-9C96-4A43-BC07-8B88A4913EEB}) (Version: 14.32.31332 - Microsoft Corporation) Hidden
Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 113.0.1 (x64 en-US)) (Version: 113.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 102.5.0 - Mozilla)
Mozilla Thunderbird (x64 en-US) (HKLM\...\Mozilla Thunderbird 102.5.0 (x64 en-US)) (Version: 102.5.0 - Mozilla)
Nmap 7.93 (HKLM-x32\...\Nmap) (Version: 7.93 - Nmap Project)
Npcap (HKLM-x32\...\NpcapInst) (Version: 1.71 - Nmap Project)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.15726.20202 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.15831.20184 - Microsoft Corporation) Hidden
Online Plug-in (HKLM-x32\...\{AEC747AF-26CC-461F-92BE-F85908596F3C}) (Version: 23.3.0.38 - Citrix Systems, Inc.) Hidden
OpenVPN 2.5.8-I604 amd64 (HKLM\...\{FCADF89D-0D43-488D-BC24-B068C474F40D}) (Version: 2.5.040 - OpenVPN, Inc.)
Rockstar Games Launcher (HKLM-x32\...\Rockstar Games Launcher) (Version: 1.0.72.1513_C - Rockstar Games)
Rockstar Games Social Club (HKLM-x32\...\Rockstar Games Social Club) (Version: 2.1.8.4 - Rockstar Games)
Self-service Plug-in (HKLM-x32\...\{77B21DE1-4E61-4D2A-B269-278DE583D79C}) (Version: 23.3.0.49 - Cloud Software Group, Inc.) Hidden

Packages:
=========
AMD Radeon Software -> C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.22.20037.0_x64__0a9344xs7nr4m [2022-12-25] (Advanced Micro Devices Inc.) [Startup Task]
AV1 Video Extension -> C:\Program Files\WindowsApps\microsoft.av1videoextension_1.1.52074.0_x64__8wekyb3d8bbwe [2022-11-29] (Microsoft Corporation)
Energy Star -> C:\Program Files\WindowsApps\AD2F1837.HPInc.EnergyStar_1.2.0.0_x64__v10z8vjag6ke6 [2022-11-29] (HP Inc.)
ESET Context Menu -> C:\Program Files\ESET\ESET Security [2023-05-19] (0)
HP Audio Center -> C:\Program Files\WindowsApps\AD2F1837.HPAudioCenter_1.40.284.0_x64__v10z8vjag6ke6 [2023-05-18] (HP Inc.)
HP Enhanced Lighting -> C:\Program Files\WindowsApps\AD2F1837.HPEnhance_1.2.17.0_x64__v10z8vjag6ke6 [2022-11-29] (HP Inc.)
HP PC Hardware Diagnostics Windows -> C:\Program Files\WindowsApps\ad2f1837.hppchardwarediagnosticswindows_1.8.3.0_x64__v10z8vjag6ke6 [2022-11-29] (HP Inc.)
HP Privacy Settings -> C:\Program Files\WindowsApps\AD2F1837.HPPrivacySettings_1.1.54.0_x64__v10z8vjag6ke6 [2022-11-29] (HP Inc.)
Microsoft Whiteboard -> C:\Program Files\WindowsApps\Microsoft.Whiteboard_52.11010.438.0_x64__8wekyb3d8bbwe [2022-11-29] (Microsoft Corporation)
OMEN Gaming Hub -> C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6 [2022-11-29] (HP Inc.) [Startup Task]

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [ESD Shell Icon Overlay Identifier] -> {AF106685-9C86-48AF-8524-8F485C459E17} => C:\Program Files\ESET\ESET Secure Data\esdovrly.dll [2022-08-24] (DESlock Limited -> DESlock Limited)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2022-07-15] (Igor Pavlov) [File not signed]
ContextMenuHandlers1: [ESET Security Shell] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2023-05-19] (ESET, spol. s r.o. -> ESET)
ContextMenuHandlers2: [ESET Security Shell] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2023-05-19] (ESET, spol. s r.o. -> ESET)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-05-19] (Malwarebytes Inc. -> Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2022-07-15] (Igor Pavlov) [File not signed]
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => -> No File
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2022-07-15] (Igor Pavlov) [File not signed]
ContextMenuHandlers6: [ESET Security Shell] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2023-05-19] (ESET, spol. s r.o. -> ESET)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-05-19] (Malwarebytes Inc. -> Malwarebytes)

==================== Codecs (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Drivers32: [VIDC.HFYU] => C:\WINDOWS\system32\huffyuv.dll [55296 2005-01-21] () [File not signed]

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2022-11-07 17:31 - 2022-11-07 17:31 - 002574336 _____ (Citrix Systems, Inc.) [File not signed] C:\Program Files (x86)\Citrix\ICA Client\sslsdk_b.dll

==================== Alternate Data Streams (Whitelisted) ========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\there\Downloads\FRST64.exe:MBAM.Zone.Identifier [117]

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\HP\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2022-10-26] (HP Inc. -> HP Inc.)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2022-11-14] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\HP\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2022-10-26] (HP Inc. -> HP Inc.)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-12-28] (Microsoft Corporation -> Microsoft Corporation)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2023-03-27] (Citrix Systems, Inc. -> Citrix Systems, Inc.)

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2021-06-05 08:08 - 2021-06-05 08:08 - 000000824 _____ C:\WINDOWS\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1635575026-680499027-3165678348-1001\Control Panel\Desktop\\Wallpaper -> C:\windows\web\wallpaper\HP Backgrounds\backgroundDefault.jpg
HKU\S-1-5-21-1635575026-680499027-3165678348-1002\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Windows\img0.jpg
HKU\S-1-5-21-1635575026-680499027-3165678348-500\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\Web\Wallpaper\HP Backgrounds\backgroundDefault.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
Network Binding:
=============
OpenVPN TAP-Windows6: Realtek LightWeight Filter (NDIS6.40) -> nt_rtf64 (enabled)
Ethernet: Realtek LightWeight Filter (NDIS6.40) -> nt_rtf64 (enabled)
Wi-Fi: Realtek LightWeight Filter (NDIS6.40) -> nt_rtf64 (enabled)
Ethernet 5: Realtek LightWeight Filter (NDIS6.40) -> nt_rtf64 (enabled)

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKU\S-1-5-21-1635575026-680499027-3165678348-1001\...\StartupApproved\Run: => "HPSEU_Host_Launcher"
HKU\S-1-5-21-1635575026-680499027-3165678348-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-1635575026-680499027-3165678348-1002\...\StartupApproved\Run: => "HPSEU_Host_Launcher"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{DB1A7A05-62B4-4A19-8E95-507471A1E503}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22308.1003.1743.8209_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{A59A5B07-AEEF-4A9B-B478-7E5242857987}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22308.1003.1743.8209_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [UDP Query User{E4B9E1AC-1176-4BB5-AFFD-44246B596B6D}C:\users\there\appdata\local\jdownloader 2.0\jdownloader2.exe] => (Allow) C:\users\there\appdata\local\jdownloader 2.0\jdownloader2.exe => No File
FirewallRules: [TCP Query User{C183F3D8-F63F-445D-B7E0-4B23F87B266F}C:\users\there\appdata\local\jdownloader 2.0\jdownloader2.exe] => (Allow) C:\users\there\appdata\local\jdownloader 2.0\jdownloader2.exe => No File
FirewallRules: [UDP Query User{2C39BA19-59C5-4B73-9D1F-9B9FBF1245A2}C:\program files\blue iris 5\blueiris.exe] => (Block) C:\program files\blue iris 5\blueiris.exe (Perspective Software -> Perspective Software)
FirewallRules: [TCP Query User{AD47AB74-2964-4867-B889-E9B50D56CC6B}C:\program files\blue iris 5\blueiris.exe] => (Block) C:\program files\blue iris 5\blueiris.exe (Perspective Software -> Perspective Software)
FirewallRules: [{3DC519B4-8062-4A2A-B3CD-B00F57DB1726}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\OmenCommandCenterBackground.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{8BEBAAD8-1598-4918-AB36-64D40643FE23}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\OmenCommandCenterBackground.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{1EDC4EC9-5399-4D6A-9F48-02F0B63BD889}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{82773818-A6F1-48DF-9689-CFDD88783539}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{966080D2-AC8F-4A35-AE11-90E6982CF765}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{720EFEC5-DF11-4FBB-B47F-F5870D7405D7}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{7DD0B0C0-A271-40E2-8F7E-02E4497F76E5}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{3FAAE192-3175-455C-B4DF-AB8499298400}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{92C1D4D6-988C-4BBC-BA67-0E13B31757D2}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{FF6AC78E-E1EC-44C3-AD71-A3EC2FB5A16F}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{A4B21D80-BC6B-4603-98D8-D62BDF723AAD}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{4397B66E-BF7C-45E0-906F-EB86C9DD2F80}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{3250CDDD-4611-4560-912C-62751F442BF2}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{99597676-0849-49B7-99E5-7D9AF4B341BA}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{FD914804-E9EE-4260-89DC-4162619FE749}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{52045775-4008-442C-AD98-7A57914B46F8}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2211.6.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe (ED346674-0FA1-4272-85CE-3187C9C86E26 -> HP Inc.)
FirewallRules: [{5A72EEE6-85D4-4059-AF68-3629690D1432}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{848129EC-1109-4A9F-B7CC-46C2CAAC0F55}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{C3DCA6A1-E2F8-4AC0-9FF7-0DDC7607E8A8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{13546F32-FCAE-4BBA-A89B-F86108380D57}] => (Allow) C:\Program Files\WindowsApps\Microsoft.MinecraftEducationEdition_1.14.52.0_x64__8wekyb3d8bbwe\Minecraft.Windows.exe => No File
FirewallRules: [{DB81931A-9A56-4BF7-A83C-FAD39D6BD17C}] => (Allow) C:\Program Files\WindowsApps\Microsoft.MinecraftEducationEdition_1.14.52.0_x64__8wekyb3d8bbwe\Minecraft.Windows.exe => No File
FirewallRules: [{4A7F20DA-4C75-4E26-A36F-65C219DE245D}] => (Allow) C:\Program Files\WindowsApps\Microsoft.MinecraftEducationEdition_1.14.52.0_x64__8wekyb3d8bbwe\Minecraft.Windows.exe => No File
FirewallRules: [{1501C61F-333C-4B68-9422-E8A2EF03FB29}] => (Allow) C:\Program Files\WindowsApps\Microsoft.MinecraftEducationEdition_1.14.52.0_x64__8wekyb3d8bbwe\Minecraft.Windows.exe => No File
FirewallRules: [{36838827-F2A3-4D66-985D-B1BFECC82B79}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{4A0DD5B2-2DC3-42B8-A334-B7AB8D5C672A}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{3FAA57C0-23E9-4F16-AAE9-EE39BC0EC02A}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{66D759BD-F7C3-4E94-B890-ED290F043164}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{37226AFB-06B6-46BD-9BC0-0B7E15CFD331}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{CB60C710-6FF1-4765-BA2B-A3342D00D941}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{DB74DFFD-7CD0-4FB1-AC54-F5CD7E12BA03}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{1F5F2667-4260-4A7D-8FEC-EFC4D468BB0D}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{CF9667AC-1C36-41FE-AD8E-6057616887D0}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{10996239-D9CC-4372-B934-560E7005F797}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
 
FirewallRules: [{B09765CE-9609-4AFD-A9E8-A2804817C55F}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{BEBFAC1C-EA93-47E3-95DE-B8399B943141}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{8938888D-3715-4A6E-BE6C-04A0743FA158}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{4B3FB887-14BD-463C-ACAE-AEC016D46197}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\HP.Omen.OmenCommandCenter.exe => No File
FirewallRules: [{D3D23051-401B-4D47-8697-0BAE81A05EDF}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\OmenCommandCenterBackground.exe => No File
FirewallRules: [{A12D80AC-7938-4735-B62F-41424A0C1D2D}] => (Allow) C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2111.4.0_x64__v10z8vjag6ke6\win32\OmenCommandCenterBackground.exe => No File
FirewallRules: [{128ADAAE-105C-4659-9656-58A38D3CA939}] => (Allow) C:\Program Files\WindowsApps\Microsoft.MinecraftEducationEdition_1.18.4200.0_x64__8wekyb3d8bbwe\Minecraft.Windows.exe (Microsoft Corporation -> )
FirewallRules: [{7EA55525-94AE-464F-80F2-BEEF2380D063}] => (Allow) C:\Program Files\WindowsApps\Microsoft.MinecraftEducationEdition_1.18.4200.0_x64__8wekyb3d8bbwe\Minecraft.Windows.exe (Microsoft Corporation -> )
FirewallRules: [{819A004B-EF01-4F72-9E19-B731B0DAC1D9}] => (Allow) C:\Program Files (x86)\Citrix\ICA Client\CitrixEnterpriseBrowser\CitrixEnterpriseBrowser.exe (Citrix Systems, Inc. -> Citrix Systems, Inc.)
FirewallRules: [{B517C77A-063E-4FD1-8848-8B6BB3C4425E}] => (Allow) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\113.0.1774.42\msedgewebview2.exe (Microsoft Corporation -> Microsoft Corporation)

==================== Restore Points =========================

18-05-2023 21:34:46 Windows Modules Installer

==================== Faulty Device Manager Devices ============

Name: Microsoft Kernel Debug Network Adapter
Description: Microsoft Kernel Debug Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: kdnic
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: ========================

Application errors:
==================
Error: (05/19/2023 11:25:03 PM) (Source: Firefox Default Browser Agent) (EventID: 2) (User: )
Description: Event-ID 2

Error: (05/19/2023 11:20:36 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\INITRID$ via https://AMD-KeyId-52fb59e29aa83a962fb9eef0fe5b4811de6b751e.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"amd-keyid-52fb59e29aa83a962fb9eef0fe5b4811de6b751e.microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found
Date: Sat, 20 May 2023 03:20:37 GMT
Content-Length: 121
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 2e146e62-b031-41a7-ae54-71c141d103ca

Method: GET(234ms)
Stage: GetCACaps
Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

Error: (05/19/2023 11:20:36 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for Local system via https://AMD-KeyId-52fb59e29aa83a962fb9eef0fe5b4811de6b751e.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"amd-keyid-52fb59e29aa83a962fb9eef0fe5b4811de6b751e.microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found
Date: Sat, 20 May 2023 03:20:35 GMT
Content-Length: 121
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 602e12d5-1060-4ba6-aca3-0c1a718f4b71

Method: GET(1000ms)
Stage: GetCACaps
Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

Error: (05/19/2023 09:37:57 PM) (Source: Microsoft Office 16) (EventID: 2011) (User: )
Description: Office Subscription licensing exception: Error Code: 0x305; CorrelationId: {D5E72827-9EDB-40CB-9625-00E46482D441}

Error: (05/19/2023 09:37:41 PM) (Source: Microsoft Office 16) (EventID: 2011) (User: )
Description: Office Subscription licensing exception: Error Code: 0x305; CorrelationId: {D5E72827-9EDB-40CB-9625-00E46482D441}

Error: (05/19/2023 09:37:09 PM) (Source: Microsoft Office 16) (EventID: 2011) (User: )
Description: Office Subscription licensing exception: Error Code: 0x305; CorrelationId: {2B4D3454-CEB2-4199-933D-3AF2E225CCEC}

Error: (05/19/2023 09:21:41 PM) (Source: Application Hang) (EventID: 1002) (User: NT AUTHORITY)
Description: The program Launcher.exe version 1.0.72.1513 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Error: (05/19/2023 07:59:53 PM) (Source: Microsoft Security Client) (EventID: 3002) (User: )
Description: Event-ID 3002


System errors:
=============
Error: (05/19/2023 11:22:27 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Microsoft Update Health Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (05/19/2023 11:22:27 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Microsoft Update Health Service service to connect.

Error: (05/19/2023 11:19:18 PM) (Source: DCOM) (EventID: 10005) (User: INITRID)
Description: DCOM got error "1084" attempting to start the service UdkUserSvc_4dd74 with arguments "Unavailable" in order to run the server:
WindowsUdk.UI.Shell.ViewCoordinator

Error: (05/19/2023 11:19:18 PM) (Source: DCOM) (EventID: 10005) (User: INITRID)
Description: DCOM got error "1084" attempting to start the service UdkUserSvc_4dd74 with arguments "Unavailable" in order to run the server:
WindowsUdk.UI.Shell.ViewCoordinator

Error: (05/19/2023 11:19:18 PM) (Source: DCOM) (EventID: 10005) (User: INITRID)
Description: DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

Error: (05/19/2023 11:19:18 PM) (Source: DCOM) (EventID: 10005) (User: INITRID)
Description: DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

Error: (05/19/2023 11:19:18 PM) (Source: DCOM) (EventID: 10005) (User: INITRID)
Description: DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

Error: (05/19/2023 11:19:18 PM) (Source: DCOM) (EventID: 10005) (User: INITRID)
Description: DCOM got error "1084" attempting to start the service UdkUserSvc_4dd74 with arguments "Unavailable" in order to run the server:
WindowsUdk.UI.Shell.ViewCoordinator


Windows Defender:
================
Date: 2023-05-19 21:32:26
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2023-05-16 22:51:02
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
Event[0]

Date: 2023-05-19 23:17:34
Description:
Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode
Reason: Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

Date: 2023-05-19 01:15:01
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.381.3231.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.19900.2
Error code: 0x80240022
Error description: The program can't check for definition updates.

Date: 2023-05-19 01:15:01
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.381.3231.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.19900.2
Error code: 0x80240022
Error description: The program can't check for definition updates.

Date: 2023-05-16 22:53:07
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.381.3231.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.19900.2
Error code: 0x80072ee2
Error description: The operation timed out
 
Date: 2023-05-16 22:53:07
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.381.3231.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.19900.2
Error code: 0x80072ee2
Error description: The operation timed out

CodeIntegrity:
===============
Date: 2023-05-19 23:36:28
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe) attempted to load \Device\HarddiskVolume3\Program Files\ESET\ESET Security\eamsi.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

BIOS: AMI F.02 03/11/2022
Motherboard: HP 89D8
Processor: AMD Ryzen 5 5600G with Radeon Graphics
Percentage of memory in use: 80%
Total physical RAM: 7519.07 MB
Available physical RAM: 1489.29 MB
Total Virtual: 16223.07 MB
Available Virtual: 6732.31 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:277.92 GB) (Free:166.18 GB) (Model: SK hynix BC711 HFM512GD3JX013N) NTFS
Drive d: (External Probox IV) (Fixed) (Total:931.29 GB) (Free:931 GB) (Model: WDC WD1002FAEX-00Z3A0) NTFS

\\?\Volume{f0e08666-28ed-41d4-95a9-aee522347e12}\ () (Fixed) (Total:0.59 GB) (Free:0.04 GB) NTFS
\\?\Volume{3d40e297-cdb9-43fd-8865-75b1e6b63d95}\ (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.17 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: A75352BF)
Partition 1: (Not Active) - (Size=931.3 GB) - (Type=0F Extended)

==========================================================
Disk: 1 (Size: 476.9 GB) (Disk ID: 855263B7)

Partition: GPT.

==================== End of Addition.txt =======================
 
I don't see anything malicious there, but let's run a couple more scans...

Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2
  • Close all the running programs
  • Double click on downloaded setup.exe file to install the program.
  • Click on Start Scan button.
  • Click on another Start Scan button.
  • Wait until the Status box shows Scan Finished
  • Click on Remove Selected.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of all logfiles is saved to C:\AdwCleaner.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.
 
Thank you Broni!!

RogueKiller detected a rogue Proxy Server hidden in windows registry, and a trojan that was hiding as a folder called "Found.000". So my system was likely compromised, which I could tell via the ESET Startup changes notification.

I've deleted them and run Adware, and I think my system is clean now.

It's alarming to me that both Malwarebytes AND ESET missed the Trojan and Proxy server from above. Looks like I'll be keeping RogueKiller and upgrading to a paid subscription!
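For anyone reading this later who wants to verify the two findings from this thread on their own machine without deleting anything, here is a read-only PowerShell audit. It is an added example, not part of the thread and not code from ESET, RogueKiller or FRST. It assumes an elevated PowerShell prompt on the affected user's account, and uses only the registry paths that appear in the ESET alert and the RogueKiller report above.

```powershell
# Added example (not from the thread or from any tool named in it): read-only
# audit of the two registry locations discussed above. Nothing is modified.
# Assumes an elevated PowerShell session running as the affected user.

$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$bitsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'

# 1. WinINet proxy settings for the logged-on user (RogueKiller removed the
#    ProxyServer value under this key). A populated ProxyServer or AutoConfigURL
#    that the user never configured is a traffic-interception indicator;
#    ProxyOverride lists the hosts that bypass the proxy.
$proxy = Get-ItemProperty -Path $proxyKey
[PSCustomObject]@{
    ProxyEnable   = $proxy.ProxyEnable
    ProxyServer   = $proxy.ProxyServer
    ProxyOverride = $proxy.ProxyOverride
    AutoConfigURL = $proxy.AutoConfigURL
} | Format-List

# 2. BITS service start type, the value named in the ESET HIPS alert.
#    Start: 2 = Automatic, 3 = Manual (demand start), 4 = Disabled.
#    services.exe is the Service Control Manager, so any component that changes
#    a service's start type shows up under that process name in the alert;
#    the alert alone does not identify who requested the change. Record the
#    value and compare it with the live service state.
$start   = (Get-ItemProperty -Path $bitsKey -Name Start).Start
$meaning = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }[[int]$start]
"BITS Start = $start ($meaning)"
Get-Service -Name BITS | Select-Object Name, Status, StartType

# 3. The folder RogueKiller reported. FOUND.000 is also the folder name chkdsk
#    uses for recovered file fragments (FILE0000.CHK, ...), so inspect contents
#    and timestamps rather than judging by the name alone.
$found = Join-Path $env:SystemDrive 'found.000'
if (Test-Path -LiteralPath $found) {
    Get-ChildItem -LiteralPath $found -Force |
        Select-Object Name, Length, LastWriteTime
} else {
    "$found not present"
}
```

The script only reads; if the proxy values are unexpected, the usual cleanup is to clear ProxyServer and set ProxyEnable to 0 through Settings or the tool the helper recommended, and then re-run the audit to confirm the values stay cleared.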
 
Here's the RogueKiller scan/results report. Let me know what you think.

Program : RogueKiller Anti-Malware
Version : 15.9.0.0
x64 : Yes
Program Date : Apr 24 2023
Location : C:\Program Files\RogueKiller\RogueKiller64.exe
Premium : No
Company : Adlice Software
Website : https://www.adlice.com/
Contact : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 11 (10.0.22621) 64-bit
64-bit OS : Yes
Startup : 0
WindowsPE : No
User : there
User is Admin : Yes
Date : 2023/05/21 22:12:53
Type : Removal
Aborted : No
Scan Mode : Standard
Duration : 164
Found items : 4
Total scanned : 56494
Signatures Version : 20230516_120553
Truesight Driver : Yes
Updates Count : 4
Arguments : -minimize

************************* Warnings *************************

************************* Removal *************************
[PUM.Proxy (Potentially Malicious)] HKEY_USERS\S-1-5-21-1635575026-680499027-3165678348-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer -- -> Deleted
[+] scan_what : 1
[+] vendors : PUM.Proxy
[+] Name : HKEY_USERS\S-1-5-21-1635575026-680499027-3165678348-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer
[+] Type : Registry
[+] file_vtscore : 0
[+] file_vttotal : 0
[+] is_malicious : Yes
[+] detection_level : 4
[+] id : 0
[+] status : 3
[+] status_str : Deleted
[+] removed : Yes
[+] status_choice : 2
[+] malpe_score : 0

[Tr.Gen (Malicious)] found.000 -- %SystemDrive%\found.000 -> Deleted
[+] scan_what : 1
[+] vendors : Tr.Gen
[+] Name : found.000
[+] value : %SystemDrive%\found.000
[+] Type : File/Folder
[+] file_vtscore : 0
[+] file_vttotal : 0
[+] is_malicious : Yes
[+] detection_level : 2
[+] id : 1
[+] status : 3
[+] status_str : Deleted
[+] removed : Yes
[+] status_choice : 2
[+] malpe_score : 0
 
This topic is marked as abandoned and closed due to inactivity.

This member will NOT be eligible to receive any more help in malware removal forum.
 