Inactive-A Virus/malware Check Cant solve the network sharing

[azeem11122]

Im having issue with all my server and some of my network systems that I cant access the file sharing of any PC or server it was working fine before and I have checked by passing Switch and Microtik as well still cant access server's sharing file I have searched and restart the necessary services and options to make sure that pc has sharing on and no password. I get the ping request but I can not access the system by ip in run such as \\192.168.88.163.
it was working fine but I guess my servers are infected. I scanned via window defender and I get only the following

Category: Tool
Description: This program has potentially unwanted behavior.
Recommended action: Remove this software immediately.
Items:
containerfile:C:\Windows\debug\netsvc.exe
file:C:\Windows\debug\netsvc.exe->(UPX)


I did tried to allow this and also tried to re-install the role of sharing file but not fixed my issue.
I have run the Farbar Recovery Scan Tool and im attaching the log files here FRST.txt & Addition.
p.s I have tried to disable the firewall and they try to connect sharing still the issue is same.
there is no port which is blocking the incoming connection I double checked.

is there anyone who can help me? I dont wish to install a new window as there are alot of setting is running on my other servers which needed to be fix.

im getting feeling that my srvhost file or netsvc is curropt or have some issue or whatever I dont know.
I did tried to uninstall and re-install the file sharing services from network area connection properties.

following services are running as well.

Computer Browser
DNS Clint
Function Discovery Resource Publication
Function Discovery Provider Host
Link-Layer Topology Discovery Mapper
Net.Tcp Port Sharing Service
Network List Service
Remote Registry
SSDP Discovery
TCP/IP NetBIOS Helper
UPnP Device Host
Workstation

 

[Broni]

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==============================================

Please observe forum rules.
All logs have to pasted not attached.

 

[azeem11122]

FRST LOGS
============================================================
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-02-2020
Ran by Administrator (administrator) on NETMON (Dell Inc. OptiPlex 755) (24-02-2020 14:57:44)
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Windows Server 2008 R2 Enterprise Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Apache Software Foundation) [File not signed] D:\xampp\apache\bin\httpd.exe
(Apache Software Foundation) [File not signed] D:\xampp\apache\bin\httpd.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Hewlett-Packard Company -> HP) C:\Windows\System32\HPSIsvc.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\CISVC.EXE
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\vds.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(www.microsoft.com) [File not signed] C:\Windows\debug\winlogonr.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1271168 2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-3998977143-2418715955-457950580-500\...\MountPoints2: {07f0a36c-a4c0-11e6-8c7b-001e4fbe1867} - G:\SISetup.exe
HKLM\Software\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\79.0.3945.130\Installer\chrmstp.exe [2020-01-23] (Google LLC -> Google LLC)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2011-12-07] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2011-12-07] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2011-12-07] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2011-12-07] (Microsoft Windows -> Microsoft Corporation)
Lsa: [Notification Packages] scecli rassfm

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [152064 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [252416 2010-11-21] (Microsoft Windows -> Microsoft Corporation)
Task: {7DB4756D-BE06-4ACF-A0C3-78BCC9CEB998} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153752 2016-10-28] (Google Inc -> Google Inc.)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [39424 2010-11-21] (Microsoft Windows -> Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [252416 2010-11-21] (Microsoft Windows -> Microsoft Corporation)
Task: {FA1DE0F8-D61C-4529-818F-DE45934E87BB} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153752 2016-10-28] (Google Inc -> Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{f238d9a2-7d51-4d22-9a91-67c737517278} <==== ATTENTION (Restriction - IP)
Hosts: 192.168.88.68 sehatdemo.sehat.com.pk
Tcpip\Parameters: [DhcpNameServer] 192.168.88.193 8.8.8.8
Tcpip\..\Interfaces\{8141C687-539D-4F28-A0DC-065B7D642930}: [DhcpNameServer] 192.168.88.193 8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-3998977143-2418715955-457950580-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
SearchScopes: HKU\S-1-5-21-3998977143-2418715955-457950580-500 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

FireFox:
========
FF DefaultProfile: d4yshoyg.default
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\d4yshoyg.default [2020-02-24]

Chrome:
=======
CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default [2020-02-24]
CHR Extension: (Slides) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-05-28]
CHR Extension: (Docs) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-05-28]
CHR Extension: (Google Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-10-28]
CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-10-28]
CHR Extension: (Sheets) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-05-28]
CHR Extension: (Google Docs Offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2020-02-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-12-30]
CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2019-08-17]
CHR Extension: (Chrome Media Router) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-12-30]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apache2.2; D:\xampp\apache\bin\httpd.exe [18432 2011-09-10] (Apache Software Foundation) [File not signed]
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
R2 HPSIService; C:\Windows\system32\HPSIsvc.exe [126520 2011-05-11] (Hewlett-Packard Company -> HP)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6562472 2019-02-01] (Malwarebytes Corporation -> Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [12600 2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [291696 2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Windows -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-11] (Microsoft Windows -> Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation -> Microsoft Corporation)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2011-04-04] (Microsoft Windows Hardware Compatibility Publisher -> Marvell Semiconductor, Inc.)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation -> Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S1 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [131144 2016-12-20] (Oracle Corporation -> Oracle Corporation)
R1 VBoxNetLwf; C:\Windows\System32\DRIVERS\VBoxNetLwf.sys [205440 2016-12-20] (Oracle Corporation -> Oracle Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One month (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-02-24 14:57 - 2020-02-24 15:01 - 000011433 _____ C:\Users\Administrator\Desktop\FRST.txt
2020-02-24 14:56 - 2020-02-24 14:59 - 000000000 ____D C:\FRST
2020-02-24 14:56 - 2020-02-24 14:56 - 002279424 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2020-02-24 14:33 - 2020-02-24 14:29 - 000015872 _____ C:\Windows\system32\netsvc.exe
2020-02-24 14:33 - 2020-02-24 14:29 - 000015872 _____ C:\Windows\netsvc.exe
2020-02-24 14:26 - 2020-02-24 15:01 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\2
2020-02-24 14:03 - 2020-02-24 14:03 - 005197739 _____ C:\Users\Administrator\AppData\Local\Temp\tmpaddon-b5e787
2020-02-24 14:03 - 2020-02-24 14:03 - 000491261 _____ C:\Users\Administrator\AppData\Local\Temp\tmpaddon
2020-02-24 14:01 - 2020-02-24 14:01 - 000000000 ____D C:\ProgramData\Mozilla
2020-02-24 11:41 - 2020-02-24 11:37 - 001445888 _____ (Option^Explicit Software Solutions) C:\Users\Administrator\Desktop\WinsockxpFix.exe
2020-02-21 17:46 - 2020-02-21 17:46 - 000001447 _____ C:\Users\azeem.amir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2020-02-21 17:46 - 2020-02-21 17:46 - 000001413 _____ C:\Users\azeem.amir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2020-02-21 17:34 - 2020-02-21 20:48 - 000153328 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2020-02-21 17:34 - 2020-02-21 17:34 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2020-02-21 17:34 - 2020-02-21 17:34 - 000001867 _____ C:\ProgramData\Desktop\Malwarebytes.lnk
2020-02-21 17:34 - 2020-02-21 17:34 - 000000000 ____D C:\Users\Administrator\Desktop\Malwarebytes Premium 3.7.1.2839 + keygen - Crackingpatching
2020-02-21 17:34 - 2020-02-21 17:34 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Obsidium
2020-02-21 17:34 - 2020-02-21 17:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2020-02-21 17:34 - 2020-02-21 17:34 - 000000000 ____D C:\ProgramData\Malwarebytes
2020-02-21 17:34 - 2020-02-21 17:34 - 000000000 ____D C:\Program Files\Malwarebytes
2020-02-21 17:20 - 2020-02-21 17:27 - 000000000 ____D C:\Program Files (x86)\Malwarebytes
2020-02-21 17:20 - 2020-02-21 17:20 - 000000000 ____D C:\Windows\system32\Drivers\etc\BACKUP
2020-02-21 17:19 - 2020-02-21 17:13 - 065980814 _____ C:\Users\Administrator\Desktop\Malwarebytes Anti-Malware Premium 3.8.3.2965 Repack [4REALTORRENTZ.COM].zip
2020-02-20 11:53 - 2020-02-20 11:53 - 000290528 _____ C:\Windows\Minidump\022020-12807-01.dmp

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-02-24 14:59 - 2009-07-14 09:49 - 000020944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2020-02-24 14:59 - 2009-07-14 09:49 - 000020944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2020-02-24 14:24 - 2009-07-14 10:06 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2020-02-24 14:22 - 2017-03-28 11:09 - 000000000 ____D C:\Users\Administrator\.VirtualBox
2020-02-24 14:11 - 2016-10-28 14:09 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Mozilla
2020-02-24 14:08 - 2009-07-14 08:20 - 000000000 ____D C:\Windows\inf
2020-02-24 14:07 - 2018-03-14 20:56 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2020-02-24 14:06 - 2009-07-14 10:07 - 000000000 ____D C:\Windows\system32\ServerManager
2020-02-24 14:01 - 2016-10-28 14:09 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2020-02-24 14:01 - 2016-10-25 12:34 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2020-02-24 13:08 - 2017-06-17 08:09 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\msdtadmin
2020-02-24 13:08 - 2009-07-14 08:20 - 000000000 ____D C:\Windows\system32\NDF
2020-02-24 11:25 - 2016-10-19 13:58 - 000002154 ____H C:\Users\Administrator\Documents\Default.rdp
2020-02-24 10:39 - 2016-10-20 01:48 - 000000000 ____D C:\Users\Administrator
2020-02-22 09:58 - 2016-10-19 15:14 - 000002958 __RSH C:\ProgramData\ntuser.pol
2020-02-22 09:57 - 2016-10-19 13:58 - 000000128 _____ C:\Windows\system32\config\netlogon.ftl
2020-02-21 17:46 - 2016-11-24 16:55 - 000000000 ____D C:\Users\azeem.amir
2020-02-20 11:53 - 2018-09-11 19:20 - 279776962 _____ C:\Windows\MEMORY.DMP
2020-02-17 15:08 - 2018-09-13 10:55 - 000000000 ____D C:\Program Files (x86)\HostMonitor
2020-02-05 09:43 - 2016-10-28 14:14 - 000003334 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
2020-02-05 09:43 - 2016-10-28 14:14 - 000003206 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore

==================== Files in the root of some directories ========

2016-10-20 15:00 - 2016-10-20 15:00 - 000589506 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistMSI00AE.txt
2016-10-20 15:00 - 2016-10-20 15:00 - 000016126 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistUI00AE.txt

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2020-02-17 00:14
==================== End of FRST.txt ========================



Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16-02-2020
Ran by Administrator (24-02-2020 15:11:48)
Running from C:\Users\Administrator\Desktop
Windows Server 2008 R2 Enterprise Service Pack 1 (X64) (2016-10-19 20:47:45)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3998977143-2418715955-457950580-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-3998977143-2418715955-457950580-501 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Advanced Host Monitor 10 (HKLM-x32\...\HostMonitor 10) (Version: - )
AstroGrep (HKLM-x32\...\AstroGrep) (Version: 4.4.5 - AstroComma, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 79.0.3945.130 - Google LLC)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.35.441 - Google LLC) Hidden
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version: - )
Malwarebytes Anti-Malware versione 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Malwarebytes version 3.7.1.2839 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.7.1.2839 - Malwarebytes)
Microsoft .NET Framework 4.5 RC (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50501 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.0.1526.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 74.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 74.0 (x86 en-US)) (Version: 74.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 74.0.0.7356 - Mozilla)
Notepad++ (32-bit x86) (HKLM-x32\...\Notepad++) (Version: 7.1 - Notepad++ Team)
NVIDIA Graphics Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 340.52 - NVIDIA Corporation)
NVIDIA Update 15.3.33 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 15.3.33 - NVIDIA Corporation)
Oracle VM VirtualBox 5.1.12 (HKLM\...\{C212962C-71C4-4D9F-B8E0-D2CD00C8B8FE}) (Version: 5.1.12 - Oracle Corporation)
WinRAR 5.11 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.0 - win.rar GmbH)
XAMPP 1.7.7 (HKLM-x32\...\xampp) (Version: - )

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2014-08-27] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2014-08-27] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-02-01] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2014-07-02] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-02-01] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2014-08-27] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2014-08-27] (win.rar GmbH -> Alexander Roshal)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

WMI:CIMV2\__TimerInstruction->__IStagingTimer::
WMI:CIMV2\__TimerInstruction->__AStagingTimer::
WMI:CIMV2\__AbsoluteTimerInstruction->__AStagingTimer::
WMI:CIMV2\__IntervalTimerInstruction->__IStagingTimer::
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"::
WMI:subscription\__FilterToConsumerBinding->ActiveScriptEventConsumer.Name=\"__StagingConsumer\"",Filter="__EventFilter.Name=\"__StagingFilter\"::
WMI:subscription\__FilterToConsumerBinding->ActiveScriptEventConsumer.Name=\"__StagingConsumer\"",Filter="__EventFilter.Name=\"__StartupFilter\"::
WMI:subscription\__TimerInstruction->__atimer1::
WMI:subscription\__TimerInstruction->__itimer1::
WMI:subscription\__AbsoluteTimerInstruction->__atimer1::
WMI:subscription\__IntervalTimerInstruction->__itimer1::
WMI:subscription\__EventFilter->__StartupFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320]
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
WMI:subscription\__EventFilter->__StagingFilter::[Query => SELECT * FROM __TimerEvent WHERE TimerID = '__IStagingTimer' OR TimerID = '__AStagingTimer']
WMI:subscription\ActiveScriptEventConsumer->__StagingConsumer::[ScriptText => function s(e){var t=new ActiveXObject("ADODB.Stream");t.Type=1,t.Open(),t.Write(e),t.Position=0,t.Type=2,t.CharSet="UTF-16LE";var n=t.ReadText(),r=[];for(var I=0;I<n.length;I++){var s=n.charCodeAt(I);r.push(s&255),r.push(s>>8&255)}return r}function o(e){var e=s(e),t=e.slice(0,32),n=e.slice(32),r=""; (the data entry has 907 more characters).]
WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]

==================== Loaded Modules (Whitelisted) =============

2011-09-10 14:31 - 2011-09-10 14:31 - 000133120 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\bin\libapr-1.dll
2011-09-10 14:31 - 2011-09-10 14:31 - 000027136 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\bin\libapriconv-1.dll
2011-09-10 14:32 - 2011-09-10 14:32 - 000179712 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\bin\libaprutil-1.dll
2011-09-10 14:34 - 2011-09-10 14:34 - 000266752 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\bin\libhttpd.dll
2011-09-10 14:45 - 2011-09-10 14:45 - 000011264 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_actions.so
2011-09-10 14:45 - 2011-09-10 14:45 - 000014336 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_alias.so
2011-09-10 14:45 - 2011-09-10 14:45 - 000011264 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_asis.so
2011-09-10 14:34 - 2011-09-10 14:34 - 000012288 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_auth_basic.so
2011-09-10 14:45 - 2011-09-10 14:45 - 000025600 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_auth_digest.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000009728 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authn_default.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000011264 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authn_file.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000009728 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authz_default.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000012800 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authz_groupfile.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000011776 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authz_host.so
2011-09-10 14:43 - 2011-09-10 14:43 - 000010752 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authz_user.so
2011-09-10 14:43 - 2011-09-10 14:43 - 000029184 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_autoindex.so
2011-09-10 14:42 - 2011-09-10 14:42 - 000019968 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_cgi.so
2011-09-10 14:35 - 2011-09-10 14:35 - 000072192 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_dav.so
2011-09-10 14:42 - 2011-09-10 14:42 - 000016896 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_dav_lock.so
2011-09-10 14:50 - 2011-09-10 14:50 - 000011776 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_dir.so
2011-09-10 14:41 - 2011-09-10 14:41 - 000010752 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_env.so
2011-09-10 14:40 - 2011-09-10 14:40 - 000016384 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_headers.so
2011-09-10 14:40 - 2011-09-10 14:40 - 000035840 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_include.so
2011-09-10 14:40 - 2011-09-10 14:40 - 000019456 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_info.so
2011-09-10 14:40 - 2011-09-10 14:40 - 000024064 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_isapi.so
2011-09-10 14:39 - 2011-09-10 14:39 - 000020992 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_log_config.so
2011-09-10 14:39 - 2011-09-10 14:39 - 000016896 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_mime.so
2011-09-10 14:39 - 2011-09-10 14:39 - 000028160 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_negotiation.so
2011-09-10 14:38 - 2011-09-10 14:38 - 000059904 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_proxy.so
2011-09-10 14:38 - 2011-09-10 14:38 - 000029184 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_proxy_ajp.so
2011-09-10 14:41 - 2011-09-10 14:41 - 000048640 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_rewrite.so
2011-09-10 14:42 - 2011-09-10 14:42 - 000013312 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_setenvif.so
2011-09-10 14:52 - 2011-09-10 14:52 - 000117248 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_ssl.so
2011-09-10 14:45 - 2011-09-10 14:45 - 000019456 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_status.so
2011-09-10 14:10 - 2011-09-10 14:10 - 001098240 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] D:\xampp\apache\bin\LIBEAY32.dll
2011-09-10 14:12 - 2011-09-10 14:12 - 000237568 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] D:\xampp\apache\bin\SSLEAY32.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000060928 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_bz2.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000044544 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_exif.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 001057280 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_gd2.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000039936 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_gettext.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000818688 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_imap.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 002062336 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_mbstring.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000035328 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_mysql.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000088064 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_mysqli.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000022528 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_pdo_mysql.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000022016 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_pdo_odbc.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000514560 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_pdo_sqlite.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000251904 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_soap.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000034304 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_sockets.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000246272 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_sqlite.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000526848 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_sqlite3.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000063488 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_xmlrpc.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000026624 _____ (The PHP Group) [File not signed] D:\xampp\php\php5apache2_2.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 005908480 _____ (The PHP Group) [File not signed] D:\xampp\php\php5ts.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer trusted/restricted ==========

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 07:34 - 2020-02-24 12:07 - 000000861 _____ C:\Windows\system32\drivers\etc\hosts
192.168.88.68 sehatdemo.sehat.com.pk

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3998977143-2418715955-457950580-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.88.193 - 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [DfsMgmt-In-TCP] => (Allow) %systemroot%\system32\dfsfrsHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [{5BE6F2BB-88E5-4611-BF24-2D9A0050C49F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{36D806A2-46AF-47CA-9AA0-3DC9B3587728}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:97.56 GB) (Free:2.74 GB) (3%)
Check "VSS" service


==================== Faulty Device Manager Devices ============

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Serial Port
Description: PCI Serial Port
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: ========================

Application errors:
==================
Error: (02/24/2020 02:57:40 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.

Error: (02/24/2020 02:57:32 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.

Error: (02/24/2020 02:57:31 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.

Error: (02/24/2020 02:57:29 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.

Error: (02/24/2020 02:57:29 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.

Error: (02/24/2020 02:57:25 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.

Error: (02/24/2020 02:57:25 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.

Error: (02/24/2020 02:57:23 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.


System errors:
=============
Error: (02/24/2020 02:39:24 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Error: (02/24/2020 02:36:48 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain DC due to the following:
There are currently no logon servers available to service the logon request.


This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/24/2020 02:28:22 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Error: (02/24/2020 02:26:39 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2020 02:26:38 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Microsoft Software Printer Driver required for printer OneNote is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2020 02:26:38 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2020 02:26:37 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2020 02:26:36 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Adobe PDF Converter required for printer Adobe PDF is unknown. Contact the administrator to install the driver before you log in again.


==================== Memory info ===========================

BIOS: Dell Inc. A09 03/11/2008
Motherboard: Dell Inc. 0GM819
Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
Percentage of memory in use: 94%
Total physical RAM: 2013.61 MB
Available physical RAM: 112.02 MB
Total Virtual: 4027.22 MB
Available Virtual: 575.55 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.56 GB) (Free:2.74 GB) NTFS
Drive d: (primery1) (Fixed) (Total:833.85 GB) (Free:378.52 GB) NTFS
Drive z: (ERP & Web Bk(M)) (Network) (Total:5394 GB) (Free:0.63 GB) NTFS

\\?\Volume{d2939cbc-963c-11e6-a19d-806e6f6e6963}\ () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: D118D118)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=833.8 GB) - (Type=0F Extended)

==================== End of Addition.txt =======================

 

[azeem11122]

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==============================================

Please observe forum rules.
All logs have to pasted not attached.

I have posted the logs

 

[Broni]

Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2

• Close all the running programs
• Double click on downloaded setup.exe file to install the program.
• Click on Start Scan button.
• Click on another Start Scan button.
• Wait until the Status box shows Scan Finished
• Click on Remove Selected.
• Wait until the Status box shows Deleting Finished.
• Click on Report and copy/paste the content of the Notepad into your next reply.
• RKreport.txt could also be found on your desktop.
• If more than one log is produced post all logs.

Please download Malwarebytes to your desktop.

• Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
• Then click Finish.
• Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
• If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
• When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
• Restart your computer when prompted to do so.
• The Scan log is available throughout History ->Application logs. Please post it contents in your next reply.

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8/10 users right-click and select Run As Administrator
• The tool will start to update the database if one is required.
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Logfile button.
• A window will open which lists the logs of your scans.
• Click on the Scan tab.
• Double-click the most recent scan which will be at the top of the list....the log will appear.
• Review the results...see note below
• After reviewing the log, click on the Clean button.
• Press OK when asked to close all programs and follow the onscreen prompts.
• Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
• After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
• To open a Cleaning log, launch AdwareClearer, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
• Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
• A copy of all logfiles are saved to C:\AdwCleaner.

-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.

 

[azeem11122]

Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2

• Close all the running programs
• Double click on downloaded setup.exe file to install the program.
• Click on Start Scan button.
• Click on another Start Scan button.
• Wait until the Status box shows Scan Finished
• Click on Remove Selected.
• Wait until the Status box shows Deleting Finished.
• Click on Report and copy/paste the content of the Notepad into your next reply.
• RKreport.txt could also be found on your desktop.
• If more than one log is produced post all logs.

Please download Malwarebytes to your desktop.

• Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
• Then click Finish.
• Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
• If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
• When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
• Restart your computer when prompted to do so.
• The Scan log is available throughout History ->Application logs. Please post it contents in your next reply.

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8/10 users right-click and select Run As Administrator
• The tool will start to update the database if one is required.
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Logfile button.
• A window will open which lists the logs of your scans.
• Click on the Scan tab.
• Double-click the most recent scan which will be at the top of the list....the log will appear.
• Review the results...see note below
• After reviewing the log, click on the Clean button.
• Press OK when asked to close all programs and follow the onscreen prompts.
• Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
• After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
• To open a Cleaning log, launch AdwareClearer, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
• Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
• A copy of all logfiles are saved to C:\AdwCleaner.

-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.

I have run 2 following are the logs

Rouge killer is still downloading

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/24/20
Scan Time: 4:52 PM
Log File: 2af1ca7a-56fc-11ea-9443-001e4fbe1867.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.823
Update Package Version: 1.0.19736
License: Trial

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: \

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 261399
Threats Detected: 7
Threats Quarantined: 0
Time Elapsed: 2 min, 18 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Generic.Malware/Suspicious, C:\WINDOWS\DEBUG\NETSVC.EXE, No Action By User, 0, 392686, , , ,

Module: 1
Generic.Malware/Suspicious, C:\WINDOWS\DEBUG\NETSVC.EXE, No Action By User, 0, 392686, , , ,

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 5
Trojan.Agent, C:\WINDOWS\DEBUG\winlogonr.exe, No Action By User, 485, 207050, 1.0.19736, , ame,
Generic.Malware/Suspicious, C:\WINDOWS\NETSVC.EXE, No Action By User, 0, 392686, 1.0.19736, , shuriken,
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\NETSVC.EXE, No Action By User, 0, 392686, 1.0.19736, , shuriken,
Generic.Malware/Suspicious, C:\WINDOWS\DEBUG\NETSVC.EXE, No Action By User, 0, 392686, 1.0.19736, , shuriken,
RiskWare.BitCoinMiner, C:\$RECYCLE.BIN\S-1-5-21-3998977143-2418715955-457950580-500\$RBAG7PJ.RAR, No Action By User, 841, 702669, 1.0.19736, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)




Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/24/20
Scan Time: 5:03 PM
Log File: b8eaae72-56fd-11ea-bca0-001e4fbe1867.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.823
Update Package Version: 1.0.19736
License: Trial

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: \

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 261390
Threats Detected: 4
Threats Quarantined: 0
Time Elapsed: 1 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
Generic.Malware/Suspicious, C:\WINDOWS\NETSVC.EXE, No Action By User, 0, 392686, 1.0.19736, , shuriken,
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\NETSVC.EXE, No Action By User, 0, 392686, 1.0.19736, , shuriken,
RiskWare.BitCoinMiner, C:\$RECYCLE.BIN\S-1-5-21-3998977143-2418715955-457950580-500\$RBAG7PJ.RAR, No Action By User, 841, 702669, 1.0.19736, , ame,
Generic.Malware/Suspicious, C:\WINDOWS\DEBUG\NETSVC.EXE, No Action By User, 0, 392686, 1.0.19736, , shuriken,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)









# -------------------------------
# Malwarebytes AdwCleaner 8.0.2.0
# -------------------------------
# Build: 01-27-2020
# Database: 2020-02-17.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 02-24-2020
# Duration: 00:00:27
# OS: Windows Server 2008 R2 Enterprise
# Scanned: 34851
# Detected: 0


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.


AdwCleaner[S00].txt - [1424 octets] - [24/02/2020 16:52:21]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S01].txt ##########
I will post that log as well once I install and run


yet the problem still exist

 

[Broni]

Your Malwarebytes log says "No Action By User "next to each item found by MBAM.
You need to let MBAM fix those issues and then post new log.
I still need RoqueKiller log.

 

[azeem11122]

Your Malwarebytes log says "No Action By User "next to each item found by MBAM.
You need to let MBAM fix those issues and then post new log.
I still need RoqueKiller log.

RogueKiller Anti-Malware V14.2.1.0 (x64) [Feb 24 2020] (Premium) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : Administrator [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20200224_141123, Driver : Loaded
Mode : Custom Scan, Scan -- Date : 2020/02/25 12:16:09 (Duration : 00:12:15)
Switches : -minimize

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

 

[azeem11122]

Generic.Malware/Suspicious, C:\WINDOWS\NETSVC.EXE, No Action By User, 0, 392686, 1.0.19736, , shuriken,
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\NETSVC.EXE, No Action By User, 0, 392686, 1.0.19736, , shuriken,
RiskWare.BitCoinMiner, C:\$RECYCLE.BIN\S-1-5-21-3998977143-2418715955-457950580-500\$RBAG7PJ.RAR, No Action By User, 841, 702669, 1.0.19736, , ame,
Generic.Malware/Suspicious, C:\WINDOWS\DEBUG\NETSVC.EXE, No Action By User, 0, 392686, 1.0.19736, , shuriken,



after this I have removed the C:\WINDOWS\DEBUG\ folder as it should not be there.
and then I performed a new scan today as well following is the log



Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/25/20
Scan Time: 12:37 PM
Log File: b21bd9be-57a1-11ea-b212-001e4fbe1867.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.823
Update Package Version: 1.0.19786
License: Trial

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: \

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 261396
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 3 min, 4 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

[Broni]

Good

Re-run Farbar Recovery Scan Tool (FRST/FRST64) you ran at the very beginning of this topic.

• Double click to run it.
• Press Scan button.
• Scan will create two logs, FRST.txt and Addition.txt in the same directory the tool is run. Please copy and paste them to your reply.

 

[azeem11122]

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-02-2020
Ran by Administrator (administrator) on NETMON (Dell Inc. OptiPlex 755) (25-02-2020 15:31:28)
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Windows Server 2008 R2 Enterprise Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Adlice -> ) C:\Program Files\RogueKiller\RogueKiller64.exe
(Adlice -> ) C:\Program Files\RogueKiller\RogueKillerSvc.exe
(Apache Software Foundation) [File not signed] D:\xampp\apache\bin\httpd.exe
(Apache Software Foundation) [File not signed] D:\xampp\apache\bin\httpd.exe
(Hewlett-Packard Company -> HP) C:\Windows\System32\HPSIsvc.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\CISVC.EXE
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1271168 2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-3998977143-2418715955-457950580-500\...\MountPoints2: {07f0a36c-a4c0-11e6-8c7b-001e4fbe1867} - G:\SISetup.exe
HKLM\Software\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\79.0.3945.130\Installer\chrmstp.exe [2020-01-23] (Google LLC -> Google LLC)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2011-12-07] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2011-12-07] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2011-12-07] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2011-12-07] (Microsoft Windows -> Microsoft Corporation)
Lsa: [Notification Packages] scecli rassfm

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [152064 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [252416 2010-11-21] (Microsoft Windows -> Microsoft Corporation)
Task: {7DB4756D-BE06-4ACF-A0C3-78BCC9CEB998} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153752 2016-10-28] (Google Inc -> Google Inc.)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [39424 2010-11-21] (Microsoft Windows -> Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [252416 2010-11-21] (Microsoft Windows -> Microsoft Corporation)
Task: {FA1DE0F8-D61C-4529-818F-DE45934E87BB} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153752 2016-10-28] (Google Inc -> Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.88.193 8.8.8.8
Tcpip\..\Interfaces\{8141C687-539D-4F28-A0DC-065B7D642930}: [DhcpNameServer] 192.168.88.193 8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-3998977143-2418715955-457950580-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3998977143-2418715955-457950580-500 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

FireFox:
========
FF DefaultProfile: d4yshoyg.default
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\d4yshoyg.default [2020-02-25]

Chrome:
=======
CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default [2020-02-24]
CHR Extension: (Slides) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-05-28]
CHR Extension: (Docs) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-05-28]
CHR Extension: (Google Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-10-28]
CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-10-28]
CHR Extension: (Sheets) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-05-28]
CHR Extension: (Google Docs Offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2020-02-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-12-30]
CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2019-08-17]
CHR Extension: (Chrome Media Router) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-12-30]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apache2.2; D:\xampp\apache\bin\httpd.exe [18432 2011-09-10] (Apache Software Foundation) [File not signed]
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
R2 HPSIService; C:\Windows\system32\HPSIsvc.exe [126520 2011-05-11] (Hewlett-Packard Company -> HP)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [6960640 2020-02-24] (Malwarebytes Inc -> Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [12600 2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [291696 2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
R2 rkrtservice; C:\Program Files\RogueKiller\RogueKillerSvc.exe [16647736 2020-02-24] (Adlice -> )
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Windows -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [153312 2020-02-24] (Malwarebytes Corporation -> Malwarebytes)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-11] (Microsoft Windows -> Intel Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [214496 2020-02-25] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [226448 2020-02-25] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [73584 2020-02-25] (Malwarebytes Corporation -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248968 2020-02-25] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [109168 2020-02-25] (Malwarebytes Inc -> Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation -> Microsoft Corporation)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2011-04-04] (Microsoft Windows Hardware Compatibility Publisher -> Marvell Semiconductor, Inc.)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation -> Microsoft Corporation)
S3 RkFlt; C:\Windows\System32\drivers\rkflt.sys [40800 2020-02-25] (Adlice -> )
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
U3 TrueSight; C:\Windows\System32\drivers\truesight.sys [28272 2020-02-25] (Adlice -> )
S1 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [131144 2016-12-20] (Oracle Corporation -> Oracle Corporation)
R1 VBoxNetLwf; C:\Windows\System32\DRIVERS\VBoxNetLwf.sys [205440 2016-12-20] (Oracle Corporation -> Oracle Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One month (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-02-25 15:31 - 2020-02-25 15:32 - 000011661 _____ C:\Users\Administrator\Desktop\FRST.txt
2020-02-25 15:31 - 2020-02-25 15:31 - 000000000 ____D C:\Users\Administrator\Desktop\FRST-OlderVersion
2020-02-25 15:30 - 2020-02-25 15:32 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\2
2020-02-25 13:12 - 2020-02-25 14:47 - 000028272 _____ C:\Windows\system32\Drivers\truesight.sys
2020-02-25 12:39 - 2020-02-25 12:39 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\IGDump
2020-02-25 12:37 - 2020-02-25 14:47 - 000073584 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2020-02-25 12:37 - 2020-02-25 12:37 - 000226448 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2020-02-25 12:37 - 2020-02-25 12:37 - 000109168 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2020-02-25 12:36 - 2020-02-25 14:47 - 000248968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2020-02-25 12:36 - 2020-02-25 12:36 - 000214496 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2020-02-25 12:15 - 2020-02-25 14:47 - 000040800 _____ C:\Windows\system32\Drivers\rkflt.sys
2020-02-25 12:14 - 2020-02-25 12:15 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\is-B79JA.tmp
2020-02-25 12:14 - 2020-02-25 12:14 - 047658504 _____ (Adlice Software ) C:\Users\Administrator\AppData\Local\Temp\as_3F23.tmp.exe
2020-02-25 12:14 - 2020-02-25 12:14 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\as_3F23.tmp
2020-02-25 12:13 - 2020-02-25 12:15 - 000000858 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2020-02-25 12:13 - 2020-02-25 12:15 - 000000858 _____ C:\ProgramData\Desktop\RogueKiller.lnk
2020-02-25 12:12 - 2020-02-25 12:15 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2020-02-25 12:12 - 2020-02-25 12:15 - 000000000 ____D C:\Program Files\RogueKiller
2020-02-25 12:12 - 2020-02-25 12:13 - 000000000 ____D C:\ProgramData\RogueKiller
2020-02-25 12:12 - 2020-02-24 17:43 - 047641808 _____ (Adlice Software ) C:\Users\Administrator\Desktop\RogueKiller_setup.exe
2020-02-25 10:26 - 2020-02-25 10:26 - 000285536 _____ C:\Windows\Minidump\022520-12994-01.dmp
2020-02-25 09:37 - 2020-02-25 12:19 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\1
2020-02-24 16:52 - 2020-02-24 16:52 - 000001948 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2020-02-24 16:52 - 2020-02-24 16:52 - 000001948 _____ C:\ProgramData\Desktop\Malwarebytes.lnk
2020-02-24 16:52 - 2020-02-24 16:52 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\mbam
2020-02-24 16:52 - 2020-02-24 16:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2020-02-24 16:51 - 2020-02-24 16:52 - 000000000 ____D C:\AdwCleaner
2020-02-24 16:51 - 2020-02-24 16:51 - 000153312 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2020-02-24 16:51 - 2020-02-24 16:51 - 000000000 ____D C:\ProgramData\Malwarebytes
2020-02-24 16:51 - 2020-02-24 16:47 - 008356016 _____ (Malwarebytes) C:\Users\Administrator\Desktop\AdwCleaner.exe
2020-02-24 16:50 - 2020-02-24 16:44 - 001924728 _____ (Malwarebytes) C:\Users\Administrator\Desktop\MBSetup.exe
2020-02-24 16:49 - 2020-02-24 16:50 - 000041723 _____ C:\Users\Administrator\AppData\Local\Temp\Uninstall Log 2020-02-24 #001.txt
2020-02-24 14:56 - 2020-02-25 15:31 - 002279424 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2020-02-24 14:56 - 2020-02-25 15:31 - 000000000 ____D C:\FRST
2020-02-24 14:06 - 2020-02-24 17:45 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2020-02-24 14:03 - 2020-02-24 14:03 - 005197739 _____ C:\Users\Administrator\AppData\Local\Temp\tmpaddon-b5e787
2020-02-24 14:03 - 2020-02-24 14:03 - 000491261 _____ C:\Users\Administrator\AppData\Local\Temp\tmpaddon
2020-02-24 14:01 - 2020-02-24 14:01 - 000000000 ____D C:\ProgramData\Mozilla
2020-02-24 11:41 - 2020-02-24 11:37 - 001445888 _____ (Option^Explicit Software Solutions) C:\Users\Administrator\Desktop\WinsockxpFix.exe
2020-02-21 17:46 - 2020-02-21 17:46 - 000001447 _____ C:\Users\azeem.amir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2020-02-21 17:46 - 2020-02-21 17:46 - 000001413 _____ C:\Users\azeem.amir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2020-02-21 17:34 - 2020-02-21 17:34 - 000000000 ____D C:\Users\Administrator\Desktop\Malwarebytes Premium 3.7.1.2839 + keygen - Crackingpatching
2020-02-21 17:34 - 2020-02-21 17:34 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Obsidium
2020-02-21 17:34 - 2020-02-21 17:34 - 000000000 ____D C:\Program Files\Malwarebytes
2020-02-21 17:20 - 2020-02-21 17:27 - 000000000 ____D C:\Program Files (x86)\Malwarebytes
2020-02-21 17:20 - 2020-02-21 17:20 - 000000000 ____D C:\Windows\system32\Drivers\etc\BACKUP
2020-02-21 17:19 - 2020-02-21 17:13 - 065980814 _____ C:\Users\Administrator\Desktop\Malwarebytes Anti-Malware Premium 3.8.3.2965 Repack [4REALTORRENTZ.COM].zip
2020-02-20 11:53 - 2020-02-20 11:53 - 000290528 _____ C:\Windows\Minidump\022020-12807-01.dmp

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-02-25 14:54 - 2009-07-14 09:49 - 000020944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2020-02-25 14:54 - 2009-07-14 09:49 - 000020944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2020-02-25 14:46 - 2009-07-14 10:06 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2020-02-25 12:19 - 2016-10-28 14:09 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Mozilla
2020-02-25 10:26 - 2018-09-11 19:20 - 216915650 _____ C:\Windows\MEMORY.DMP
2020-02-25 10:26 - 2018-09-11 19:20 - 000000000 ____D C:\Windows\Minidump
2020-02-25 10:13 - 2017-03-28 11:09 - 000000000 ____D C:\Users\Administrator\.VirtualBox
2020-02-24 18:10 - 2009-07-14 08:20 - 000000000 ____D C:\Windows\rescache
2020-02-24 17:45 - 2016-10-25 12:34 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2020-02-24 14:08 - 2009-07-14 08:20 - 000000000 ____D C:\Windows\inf
2020-02-24 14:06 - 2009-07-14 10:07 - 000000000 ____D C:\Windows\system32\ServerManager
2020-02-24 14:01 - 2016-10-28 14:09 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2020-02-24 13:08 - 2017-06-17 08:09 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\msdtadmin
2020-02-24 13:08 - 2009-07-14 08:20 - 000000000 ____D C:\Windows\system32\NDF
2020-02-24 11:25 - 2016-10-19 13:58 - 000002154 ____H C:\Users\Administrator\Documents\Default.rdp
2020-02-24 10:39 - 2016-10-20 01:48 - 000000000 ____D C:\Users\Administrator
2020-02-22 09:58 - 2016-10-19 15:14 - 000002958 __RSH C:\ProgramData\ntuser.pol
2020-02-22 09:57 - 2016-10-19 13:58 - 000000128 _____ C:\Windows\system32\config\netlogon.ftl
2020-02-21 17:46 - 2016-11-24 16:55 - 000000000 ____D C:\Users\azeem.amir
2020-02-17 15:08 - 2018-09-13 10:55 - 000000000 ____D C:\Program Files (x86)\HostMonitor
2020-02-05 09:43 - 2016-10-28 14:14 - 000003334 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
2020-02-05 09:43 - 2016-10-28 14:14 - 000003206 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore

==================== Files in the root of some directories ========

2016-10-20 15:00 - 2016-10-20 15:00 - 000589506 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistMSI00AE.txt
2016-10-20 15:00 - 2016-10-20 15:00 - 000016126 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistUI00AE.txt

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2020-02-17 00:14
==================== End of FRST.txt ========================




Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-02-2020
Ran by Administrator (25-02-2020 15:32:58)
Running from C:\Users\Administrator\Desktop
Windows Server 2008 R2 Enterprise Service Pack 1 (X64) (2016-10-19 20:47:45)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3998977143-2418715955-457950580-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-3998977143-2418715955-457950580-501 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Advanced Host Monitor 10 (HKLM-x32\...\HostMonitor 10) (Version: - )
AstroGrep (HKLM-x32\...\AstroGrep) (Version: 4.4.5 - AstroComma, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 79.0.3945.130 - Google LLC)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.35.441 - Google LLC) Hidden
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version: - )
Malwarebytes version 4.0.4.49 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.0.4.49 - Malwarebytes)
Microsoft .NET Framework 4.5 RC (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50501 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.0.1526.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 74.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 74.0 (x86 en-US)) (Version: 74.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 74.0.0.7356 - Mozilla)
Notepad++ (32-bit x86) (HKLM-x32\...\Notepad++) (Version: 7.1 - Notepad++ Team)
NVIDIA Graphics Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 340.52 - NVIDIA Corporation)
NVIDIA Update 15.3.33 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 15.3.33 - NVIDIA Corporation)
Oracle VM VirtualBox 5.1.12 (HKLM\...\{C212962C-71C4-4D9F-B8E0-D2CD00C8B8FE}) (Version: 5.1.12 - Oracle Corporation)
RogueKiller version 14.2.1.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 14.2.1.0 - Adlice Software)
WinRAR 5.11 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.0 - win.rar GmbH)
XAMPP 1.7.7 (HKLM-x32\...\xampp) (Version: - )

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2014-08-27] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2014-08-27] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2020-02-24] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2012-03-26] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2014-07-02] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2020-02-24] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2014-08-27] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2014-08-27] (win.rar GmbH -> Alexander Roshal)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

WMI:CIMV2\__TimerInstruction->__AStagingTimer::
WMI:CIMV2\__TimerInstruction->__IStagingTimer::
WMI:CIMV2\__AbsoluteTimerInstruction->__AStagingTimer::
WMI:CIMV2\__IntervalTimerInstruction->__IStagingTimer::
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"::
WMI:subscription\__FilterToConsumerBinding->ActiveScriptEventConsumer.Name=\"__StagingConsumer\"",Filter="__EventFilter.Name=\"__StagingFilter\"::
WMI:subscription\__FilterToConsumerBinding->ActiveScriptEventConsumer.Name=\"__StagingConsumer\"",Filter="__EventFilter.Name=\"__StartupFilter\"::
WMI:subscription\__TimerInstruction->__atimer1::
WMI:subscription\__TimerInstruction->__itimer1::
WMI:subscription\__AbsoluteTimerInstruction->__atimer1::
WMI:subscription\__IntervalTimerInstruction->__itimer1::
WMI:subscription\__EventFilter->__StartupFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320]
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
WMI:subscription\__EventFilter->__StagingFilter::[Query => SELECT * FROM __TimerEvent WHERE TimerID = '__IStagingTimer' OR TimerID = '__AStagingTimer']
WMI:subscription\ActiveScriptEventConsumer->__StagingConsumer::[ScriptText => function s(e){var t=new ActiveXObject("ADODB.Stream");t.Type=1,t.Open(),t.Write(e),t.Position=0,t.Type=2,t.CharSet="UTF-16LE";var n=t.ReadText(),r=[];for(var I=0;I<n.length;I++){var s=n.charCodeAt(I);r.push(s&255),r.push(s>>8&255)}return r}function o(e){var e=s(e),t=e.slice(0,32),n=e.slice(32),r=""; (the data entry has 907 more characters).]
WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]
ShortcutWithArgument: C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\d249d9ddd424b688\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory=Default

==================== Loaded Modules (Whitelisted) =============

2011-09-10 14:31 - 2011-09-10 14:31 - 000133120 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\bin\libapr-1.dll
2011-09-10 14:31 - 2011-09-10 14:31 - 000027136 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\bin\libapriconv-1.dll
2011-09-10 14:32 - 2011-09-10 14:32 - 000179712 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\bin\libaprutil-1.dll
2011-09-10 14:34 - 2011-09-10 14:34 - 000266752 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\bin\libhttpd.dll
2011-09-10 14:45 - 2011-09-10 14:45 - 000011264 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_actions.so
2011-09-10 14:45 - 2011-09-10 14:45 - 000014336 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_alias.so
2011-09-10 14:45 - 2011-09-10 14:45 - 000011264 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_asis.so
2011-09-10 14:34 - 2011-09-10 14:34 - 000012288 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_auth_basic.so
2011-09-10 14:45 - 2011-09-10 14:45 - 000025600 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_auth_digest.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000009728 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authn_default.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000011264 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authn_file.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000009728 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authz_default.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000012800 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authz_groupfile.so
2011-09-10 14:44 - 2011-09-10 14:44 - 000011776 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authz_host.so
2011-09-10 14:43 - 2011-09-10 14:43 - 000010752 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_authz_user.so
2011-09-10 14:43 - 2011-09-10 14:43 - 000029184 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_autoindex.so
2011-09-10 14:42 - 2011-09-10 14:42 - 000019968 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_cgi.so
2011-09-10 14:35 - 2011-09-10 14:35 - 000072192 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_dav.so
2011-09-10 14:42 - 2011-09-10 14:42 - 000016896 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_dav_lock.so
2011-09-10 14:50 - 2011-09-10 14:50 - 000011776 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_dir.so
2011-09-10 14:41 - 2011-09-10 14:41 - 000010752 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_env.so
2011-09-10 14:40 - 2011-09-10 14:40 - 000016384 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_headers.so
2011-09-10 14:40 - 2011-09-10 14:40 - 000035840 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_include.so
2011-09-10 14:40 - 2011-09-10 14:40 - 000019456 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_info.so
2011-09-10 14:40 - 2011-09-10 14:40 - 000024064 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_isapi.so
2011-09-10 14:39 - 2011-09-10 14:39 - 000020992 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_log_config.so
2011-09-10 14:39 - 2011-09-10 14:39 - 000016896 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_mime.so
2011-09-10 14:39 - 2011-09-10 14:39 - 000028160 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_negotiation.so
2011-09-10 14:38 - 2011-09-10 14:38 - 000059904 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_proxy.so
2011-09-10 14:38 - 2011-09-10 14:38 - 000029184 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_proxy_ajp.so
2011-09-10 14:41 - 2011-09-10 14:41 - 000048640 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_rewrite.so
2011-09-10 14:42 - 2011-09-10 14:42 - 000013312 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_setenvif.so
2011-09-10 14:52 - 2011-09-10 14:52 - 000117248 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_ssl.so
2011-09-10 14:45 - 2011-09-10 14:45 - 000019456 _____ (Apache Software Foundation) [File not signed] D:\xampp\apache\modules\mod_status.so
2011-09-10 14:10 - 2011-09-10 14:10 - 001098240 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] D:\xampp\apache\bin\LIBEAY32.dll
2011-09-10 14:12 - 2011-09-10 14:12 - 000237568 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] D:\xampp\apache\bin\SSLEAY32.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000060928 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_bz2.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000044544 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_exif.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 001057280 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_gd2.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000039936 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_gettext.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000818688 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_imap.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 002062336 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_mbstring.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000035328 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_mysql.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000088064 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_mysqli.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000022528 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_pdo_mysql.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000022016 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_pdo_odbc.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000514560 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_pdo_sqlite.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000251904 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_soap.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000034304 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_sockets.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000246272 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_sqlite.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000526848 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_sqlite3.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000063488 _____ (The PHP Group) [File not signed] D:\xampp\php\ext\php_xmlrpc.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 000026624 _____ (The PHP Group) [File not signed] D:\xampp\php\php5apache2_2.dll
2011-08-23 14:59 - 2011-08-23 14:59 - 005908480 _____ (The PHP Group) [File not signed] D:\xampp\php\php5ts.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer trusted/restricted ==========

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 07:34 - 2020-02-24 17:43 - 000000852 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3998977143-2418715955-457950580-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.88.193 - 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [DfsMgmt-In-TCP] => (Allow) %systemroot%\system32\dfsfrsHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [{256A184A-FD61-4958-B4D1-46FE4BD98BD0}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{186EA7A6-E717-4105-ACB9-087FC486EADB}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:97.56 GB) (Free:2.5 GB) (3%)
Check "VSS" service


==================== Faulty Device Manager Devices ============

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Microsoft Teredo Tunneling Adapter
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Serial Port
Description: PCI Serial Port
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: ========================

Application errors:
==================
Error: (02/25/2020 02:48:21 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/25/2020 01:14:06 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/25/2020 12:50:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 4.0.0.553, time stamp: 0x5e3e03ac
Faulting module name: Qt5Qml.dll, version: 5.13.2.0, time stamp: 0x5e3cc1ad
Exception code: 0xc0000005
Fault offset: 0x00000000001011d2
Faulting process id: 0xe30
Faulting application start time: 0x01d5ebae577eb81f
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Qml.dll
Report Id: 82a12efa-57a3-11ea-a729-001e4fbe1867

Error: (02/25/2020 12:50:33 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 4.0.0.553, time stamp: 0x5e3e03ac
Faulting module name: Qt5Qml.dll, version: 5.13.2.0, time stamp: 0x5e3cc1ad
Exception code: 0xc0000005
Fault offset: 0x00000000001011d2
Faulting process id: 0xe30
Faulting application start time: 0x01d5ebae577eb81f
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Qml.dll
Report Id: 7fe6718f-57a3-11ea-a729-001e4fbe1867

Error: (02/25/2020 12:20:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 4.0.0.553, time stamp: 0x5e3e03ac
Faulting module name: Qt5Qml.dll, version: 5.13.2.0, time stamp: 0x5e3cc1ad
Exception code: 0xc0000005
Fault offset: 0x00000000001011d2
Faulting process id: 0x774
Faulting application start time: 0x01d5ebab8ddc1dbc
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Qml.dll
Report Id: 431cbde5-579f-11ea-a729-001e4fbe1867

Error: (02/25/2020 12:20:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 4.0.0.553, time stamp: 0x5e3e03ac
Faulting module name: Qt5Qml.dll, version: 5.13.2.0, time stamp: 0x5e3cc1ad
Exception code: 0xc0000005
Fault offset: 0x00000000001011d2
Faulting process id: 0x774
Faulting application start time: 0x01d5ebab8ddc1dbc
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Qml.dll
Report Id: 3eefcd6e-579f-11ea-a729-001e4fbe1867

Error: (02/25/2020 12:19:52 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: malwarebytes_assistant.exe, version: 4.0.0.553, time stamp: 0x5e3e0241
Faulting module name: Qt5Core.dll, version: 5.13.2.0, time stamp: 0x5e3cb983
Exception code: 0xc0000005
Fault offset: 0x000000000020d435
Faulting process id: 0xbe4
Faulting application start time: 0x01d5ebabf26e713d
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 365e8801-579f-11ea-a729-001e4fbe1867

Error: (02/25/2020 10:28:08 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (02/25/2020 03:30:39 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/25/2020 03:30:38 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/25/2020 03:30:36 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/25/2020 03:30:35 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Microsoft Software Printer Driver required for printer OneNote is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/25/2020 03:30:30 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver AnyDesk v4 Printer Driver required for printer AnyDesk Printer is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/25/2020 03:30:29 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Adobe PDF Converter required for printer Adobe PDF is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/25/2020 03:30:28 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Amyuni Document Converter 400 required for printer ABS PDF Driver v400 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/25/2020 03:30:28 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver HP LaserJet Professional M1212nf MFP required for printer NPI49C24B (HP LaserJet Professional M1212nf MFP) is unknown. Contact the administrator to install the driver before you log in again.


CodeIntegrity:
===================================

Date: 2020-02-25 15:32:40.845
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\rkflt.sys because the set of per-page image hashes could not be found on the system.

Date: 2020-02-25 15:32:40.813
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\rkflt.sys because the set of per-page image hashes could not be found on the system.

Date: 2020-02-25 15:32:05.698
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\rkflt.sys because the set of per-page image hashes could not be found on the system.

Date: 2020-02-25 15:32:05.667
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\rkflt.sys because the set of per-page image hashes could not be found on the system.

Date: 2020-02-25 15:32:05.635
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\rkflt.sys because the set of per-page image hashes could not be found on the system.

Date: 2020-02-25 15:32:05.604
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\rkflt.sys because the set of per-page image hashes could not be found on the system.

Date: 2020-02-25 14:47:28.057
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\rkflt.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2020-02-25 14:47:28.010
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\rkflt.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

BIOS: Dell Inc. A09 03/11/2008
Motherboard: Dell Inc. 0GM819
Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
Percentage of memory in use: 93%
Total physical RAM: 2013.61 MB
Available physical RAM: 127.54 MB
Total Virtual: 4027.22 MB
Available Virtual: 726.43 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.56 GB) (Free:2.5 GB) NTFS
Drive d: (primery1) (Fixed) (Total:833.85 GB) (Free:378.53 GB) NTFS
Drive z: (ERP & Web Bk(M)) (Network) (Total:5393.99 GB) (Free:567.91 GB) NTFS

\\?\Volume{d2939cbc-963c-11e6-a19d-806e6f6e6963}\ () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: D118D118)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=833.8 GB) - (Type=0F Extended)

==================== End of Addition.txt =======================

 

[Broni]

All clean.

Last scans.

Download Security Check from here or here and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:

• Internet Services
• Windows Firewall
• System Restore
• Security Center
• Windows Update
• Windows Defender
• Other Services

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

Download Sophos Free Virus Removal Tool and save it to your desktop.

• Double click the icon and select Run
• Click Next
• Select I accept the terms in this license agreement, then click Next twice
• Click Install
• Click Finish to launch the program
• Once the virus database has been updated click Start Scanning
• If any threats are found click Details, then View log file... (bottom left hand corner)
• Copy and paste the results in your reply
• Close the Notepad document, close the Threat Details screen, then click Start cleanup
• Click Exit to close the program

 

[azeem11122]

Before I do this

All clean.

Last scans.

Download Security Check from here or here and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:

• Internet Services
• Windows Firewall
• System Restore
• Security Center
• Windows Update
• Windows Defender
• Other Services

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

Download Sophos Free Virus Removal Tool and save it to your desktop.

• Double click the icon and select Run
• Click Next
• Select I accept the terms in this license agreement, then click Next twice
• Click Install
• Click Finish to launch the program
• Once the virus database has been updated click Start Scanning
• If any threats are found click Details, then View log file... (bottom left hand corner)
• Copy and paste the results in your reply
• Close the Notepad document, close the Threat Details screen, then click Start cleanup
• Click Exit to close the program

before I do this my system keep giving me blue screen now

 

[Broni]

I need more info.
When it happens?
What's the error mesage?
Did you try to restart computer?

 

[Broni]

Still with me?

 

[Broni]

This topic is marked as abandoned and closed due to inactivity.

This member will NOT be eligible to receive any more help in malware removal forum.