Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

  #1  
Old February 6th, 2022, 01:02 PM
marmites
Senior Member
 
Join Date: Sep 2007
O/S: Windows 10 Enterprise
Location: Melbourne, Australia
Posts: 131
Bing redirect virus

On DuckDuckGo, when I click a link in the "shopping" section on the search-results page it redirects to a link that starts with "https://www.bing.com/aclick?ld=". The page fails to load anyway. This happens on all three browsers I use (Brave, Firefox, Epic). I searched this and I know "bing redirect virus" is common, except with other people it seems not restricted to just the "shopping" section.
Thank you.
  #2  
Old February 6th, 2022, 10:06 PM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Hi marmites,

Let's take a look.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
  #3  
Old February 7th, 2022, 01:33 AM
marmites
Senior Member
 
Join Date: Sep 2007
O/S: Windows 10 Enterprise
Location: Melbourne, Australia
Posts: 131
FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-02-2022
Ran by asldkjf (administrator) on DESKTOP-D59TRQN (07-02-2022 08:37:20)
Running from C:\Users\asldkjf\Downloads
Loaded Profiles: asldkjf
Platform: Microsoft Windows 10 Enterprise LTSC Version 1809 17763.1757 (X64) Language: English (United States)
Default browser: FF
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AIRVPN -> ) C:\Program Files\AirVPN\Eddie-Service-Elevated.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe <13>
(F.lux Software LLC -> f.lux Software LLC) C:\Users\asldkjf\AppData\Local\FluxSoftware\Flux\flux.exe
(Henry++) [File not signed] C:\Program Files\simplewall\simplewall.exe
(Intel(R) Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\lms.inf_amd64_b93ea7bff86fc280\LMS.exe
(Intel(R) Rapid Storage Technology -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iaahcic.inf_amd64_48973fc6c96c696a\RstMwService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1750_none_56c6269799364882\TiWorker.exe
(Microsoft Windows Hardware Compatibility Publisher -> Creative Technology Ltd) C:\Windows\SysWOW64\CtHelper.exe
(Nextcloud GmbH -> Nextcloud GmbH) C:\Program Files\QloudData\qlouddata.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe <2>

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Focusrite Notifier] => C:\Program Files\Focusriteusb\Focusrite Notifier.exe [5029376 2020-06-03] (Focusrite Audio Engineering, Ltd.) [File not signed]
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-04-28] (Adobe Systems Incorporated -> Adobe Systems Incorporated)
HKLM-x32\...\Run: [AsioThk32Reg] => REGSVR32.EXE /S CTASIO.DLL (No File)
HKLM-x32\...\Run: [CTHelper] => C:\Windows\SysWOW64\CTHELPER.EXE* [29776 2018-08-14] () [File not signed]
HKLM-x32\...\Run: [UpdReg] => C:\WINDOWS\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.) [File not signed]
HKLM-x32\...\Run: [HuionTablet] => C:\Program Files\HuionTablet\HuionTablet.exe [1659888 2021-10-28] (Shenzhen Huion Animation Technology Co.,LTD -> ShenZhen Huion Animation Technology Co.Ltd.)
HKLM\...\Policies\Explorer: [NoAutorun] 1
HKLM\...\Policies\Explorer: [AllowOnlineTips] 0
HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1
HKLM\...\Policies\Explorer: [NoOnlinePrintsWizard] 1
HKLM\...\Policies\Explorer: [NoPublishingWizard] 1
HKLM\...\Policies\Explorer: [NoWebServices] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\Run: [QloudData] => C:\Program Files\QloudData\qlouddata.exe [2482496 2021-11-04] (Nextcloud GmbH -> Nextcloud GmbH)
HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\Run: [f.lux] => C:\Users\asldkjf\AppData\Local\FluxSoftware\Flux\flux.exe [1515848 2021-06-18] (F.lux Software LLC -> f.lux Software LLC)
HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\Run: [simplewall] => C:\Program Files\simplewall\simplewall.exe [749056 2021-12-03] (Henry++) [File not signed]
HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\Run: [Epic Privacy Browser Installer] => C:\Users\asldkjf\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe [509096 2021-10-26] (Google Inc (TEST) -> Epic Privacy Browser) [File not signed]
HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\RunOnce: [Application Restart #1] => C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe [2471880 2022-02-02] (Brave Software, Inc. -> Brave Software, Inc.)
HKU\S-1-5-21-461047945-4258226643-924543775-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\PhotoScreensaver.scr [571904 2021-02-13] (Microsoft Windows -> Microsoft Corporation)
HKLM\...\Windows x64\Print Processors\Canon MG2500 series Print Processor: C:\Windows\System32\spool\prtprocs\x64\CNMPDBX.DLL [30208 2013-03-24] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)
HKLM\...\Print\Monitors\Canon BJ Language Monitor MG2500 series: C:\WINDOWS\system32\CNMLMBX.DLL [391168 2013-03-24] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}] -> C:\Program Files\BraveSoftware\Brave-Browser\Application\98.1.35.100\Installer\chrmstp.exe [2022-02-03] (Brave Software, Inc. -> Brave Software, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TREZOR Bridge.lnk [2021-10-26]
ShortcutTarget: TREZOR Bridge.lnk -> C:\Program Files (x86)\TREZOR Bridge\trezord.exe (SatoshiLabs, s.r.o. -> )
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {2365D515-3974-4430-A6C3-514F85044E8B} - System32\Tasks\BraveSoftwareUpdateTaskMachineUA => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162456 2021-10-19] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {6B434463-D1E5-43DC-8525-2753DB5BC0ED} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task "308046B0AF4A39CB"
Task: {8D99A90D-A6BA-4396-B2AA-4305BAB399A2} - System32\Tasks\BraveSoftwareUpdateTaskMachineCore => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162456 2021-10-19] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {A3315324-9992-4B6C-89C4-F0B5E6A6FCD9} - System32\Tasks\Intel PTT EK Recertification => C:\WINDOWS\System32\DriverStore\FileRepository\iclsclient.inf_amd64_75ffca5eec865b4b\lib\IntelPTTEKRecertification.exe [918288 2020-04-22] (Intel(R) Trust Services -> Intel(R) Corporation)
Task: {C87A10C5-F385-4394-8ADD-045C5D2587C5} - System32\Tasks\klcp_update => C:\Program Files (x86)\K-Lite Codec Pack\Tools\CodecTweakTool.exe [1907712 2021-09-17] () [File not signed]
Task: {E17B68FF-4234-4C81-A636-FF92701C7371} - System32\Tasks\Mozilla\Firefox Background Update 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\firefox.exe --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate
Task: {E1FC423A-EDAD-4B1C-9C6F-9517301F0BFA} - System32\Tasks\Microsoft\Windows\PowerShell\ScheduledJobs\Chocolatey Daily Upgrade => powershell.exe -NoLogo -NonInteractive -WindowStyle Hidden -Command "Import-Module PSScheduledJob; $jobDef = [Microsoft.PowerShell.ScheduledJob.ScheduledJobDefinition]::LoadFromStore('Chocolatey Daily Upgrade', 'C:\Users\asldkjf\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs'); $jobDef.Run()"
Task: {FBB8CDAE-BFAF-4E27-B7D0-590EDE2F7934} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\WINDOWS\explorer.exe /NOUACCHECK

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{15ba3c92-8379-498a-b7e0-95965184f679}: [DhcpNameServer] 192.168.1.1
HKLM\System\...\Parameters\PersistentRoutes: [104.96.147.3,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [111.221.29.177,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [111.221.29.253,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [131.253.40.37,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [134.170.115.60,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [134.170.165.248,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [134.170.185.70,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [131.253.40.109,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [134.170.30.202,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [137.116.81.24,255.255.255.255,0.0.0.0,1]
PersistentRoutes: There are 175 PersistentRoutes.

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-461047945-4258226643-924543775-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION

FireFox:
========
FF DefaultProfile: pptwjx4v.default
FF DefaultProfile: rv6gjf1g.default
FF ProfilePath: C:\Users\asldkjf\AppData\Roaming\Mozilla\Firefox\Profiles\pptwjx4v.default [2021-10-20]
FF ProfilePath: C:\Users\asldkjf\AppData\Roaming\Mozilla\Firefox\Profiles\3vvplmou.default-release [2022-02-06]
FF user.js: detected! => C:\Users\asldkjf\AppData\Roaming\Mozilla\Firefox\Profiles\3vvplmou.default-release\user.js [2022-02-06]
FF Homepage: Mozilla\Firefox\Profiles\3vvplmou.default-release -> about:blank
FF NetworkProxy: Mozilla\Firefox\Profiles\3vvplmou.default-release -> type", 0
FF Extension: (HTTPS Everywhere) - C:\Users\asldkjf\AppData\Roaming\Mozilla\Firefox\Profiles\3vvplmou.default-release\Extensions\https-everywhere@eff.org.xpi [2021-10-21]
FF Extension: (uBlock Origin) - C:\Users\asldkjf\AppData\Roaming\Mozilla\Firefox\Profiles\3vvplmou.default-release\Extensions\uBlock0@raymondhill.net.xpi [2021-10-21]
FF Extension: (NoScript) - C:\Users\asldkjf\AppData\Roaming\Mozilla\Firefox\Profiles\3vvplmou.default-release\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2021-10-21]
FF Extension: (Easy Youtube Video Downloader Express) - C:\Users\asldkjf\AppData\Roaming\Mozilla\Firefox\Profiles\3vvplmou.default-release\Extensions\{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi [2021-10-24]
FF ProfilePath: C:\Users\asldkjf\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\rv6gjf1g.default [2021-11-24]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-03-09] (Adobe Systems Incorporated -> Adobe Systems)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-03-09] (Adobe Systems Incorporated -> Adobe Systems)
FF Plugin HKU\S-1-5-21-461047945-4258226643-924543775-1001: @updates.epicbrowser.com/Epic Privacy Browser Installer;version=3 -> C:\Users\asldkjf\AppData\Local\Epic Privacy Browser\Installer\1.3.29.13\npEpicUpdate3.dll [2021-10-26] (Google Inc (TEST) -> Epic Privacy Browser) [File not signed]
FF Plugin HKU\S-1-5-21-461047945-4258226643-924543775-1001: @updates.epicbrowser.com/Epic Privacy Browser Installer;version=9 -> C:\Users\asldkjf\AppData\Local\Epic Privacy Browser\Installer\1.3.29.13\npEpicUpdate3.dll [2021-10-26] (Google Inc (TEST) -> Epic Privacy Browser) [File not signed]

Brave:
=======
BRA Profile: C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default [2022-02-07]
BRA DefaultSearchURL: Default -> hxxps://duckduckgo.com/?q={searchTerms}&t=braveed
BRA DefaultSearchKeyword: Default -> :d
BRA DefaultSuggestURL: Default -> hxxps://ac.duckduckgo.com/ac/?q={searchTerms}&type=list
BRA Extension: (Dark Mode - Night Eye) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\alncdjedloppbablonallfbkeiknmkdi [2022-01-20]
BRA Extension: (uBlock Origin) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2022-01-14]
BRA Extension: (NoScript) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\doojmbjmlfjjnbmnoijecmcbfeoakpjm [2022-02-04]
BRA Extension: (HTTPS Everywhere) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp [2021-10-21]
BRA Extension: (Brave Local Data Files Updater) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal [2022-02-06]
BRA Extension: (Brave NTP background images) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\aoojcmojmmcbpfgoecoadbdpnagfchel [2021-12-15]
BRA Extension: (Wallet Data Files Updater) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\BraveWallet [2021-12-01]
BRA Extension: (Brave Ad Block Updater (Default)) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\cffkpbalmllkdoenhmdmpbkajipdjfam [2022-02-07]
BRA Extension: (Brave NTP sponsored images) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\hlcinbnbfgoealjpgmoacabdkapmjjfj [2022-02-06]
BRA Extension: (Brave SpeedReader Updater) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\jicbkmdloagakknpihibphagfckhjdih [2021-10-19]
BRA Extension: (Brave HTTPS Everywhere Updater) - C:\Users\asldkjf\AppData\Local\BraveSoftware\Brave-Browser\User Data\oofiananboodjbbmdelgdommihjbkfag [2022-02-02]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 brave; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162456 2021-10-19] (Brave Software, Inc. -> BraveSoftware Inc.)
S3 bravem; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162456 2021-10-19] (Brave Software, Inc. -> BraveSoftware Inc.)
R2 EddieElevationService; C:\Program Files\AirVPN\Eddie-Service-Elevated.exe [872680 2021-03-11] (AIRVPN -> )
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7972536 2022-02-06] (Malwarebytes Inc -> Malwarebytes)
S4 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [6270832 2021-02-13] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [160176 2022-02-06] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 Focusriteusb; C:\WINDOWS\System32\drivers\Focusriteusb.sys [123456 2020-06-02] (WDKTestCert builds,132265248139626354 -> Focusrite Audio Engineering Ltd.)
R3 FocusriteusbSwRoot; C:\WINDOWS\System32\drivers\FocusriteusbSwRoot.sys [92568 2020-06-02] (WDKTestCert builds,132265248139626354 -> Focusrite Audio Engineering Ltd.)
R3 Focusriteusb_AUDIO; C:\WINDOWS\system32\drivers\FocusriteusbAudio.sys [87912 2020-06-02] (WDKTestCert builds,132265248139626354 -> Focusrite Audio Engineering Ltd.)
R3 Focusriteusb_MIDI; C:\WINDOWS\system32\drivers\FocusriteusbMidi.sys [49808 2020-06-02] (WDKTestCert builds,132265248139626354 -> Focusrite Audio Engineering Ltd.)
R2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [220568 2022-02-06] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S0 MbamElam; C:\WINDOWS\System32\DRIVERS\MbamElam.sys [19912 2022-02-06] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\System32\DRIVERS\farflt.sys [194480 2022-02-06] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [69040 2022-02-06] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [248992 2022-02-06] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [156792 2022-02-06] (Malwarebytes Inc -> Malwarebytes)
R3 tap0901; C:\WINDOWS\System32\drivers\tap0901.sys [39920 2019-10-23] (Microsoft Windows Hardware Compatibility Publisher -> The OpenVPN Project)
R3 vmulti; C:\WINDOWS\System32\drivers\vmulti.sys [10752 2018-03-16] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider)
U4 diagnosticshub.standardcollector.service; no ImagePath
U4 DiagTrack; no ImagePath
U4 dmwappushservice; no ImagePath
U4 dmwappushsvc; no ImagePath
U4 lfsvc; no ImagePath
U4 PcaSvc; no ImagePath
U4 WbioSrvc; no ImagePath
U4 WdBoot; no ImagePath
U4 WdFilter; no ImagePath
U4 WdNisDrv; no ImagePath
U4 WdNisSvc; no ImagePath
U4 WinDefend; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-02-07 08:37 - 2022-02-07 08:37 - 000017663 _____ C:\Users\asldkjf\Downloads\FRST.txt
2022-02-07 08:36 - 2022-02-07 08:37 - 000000000 ____D C:\FRST
2022-02-07 08:36 - 2022-02-07 08:36 - 002311680 _____ (Farbar) C:\Users\asldkjf\Downloads\FRST64.exe
2022-02-06 22:39 - 2022-02-06 22:39 - 000194480 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2022-02-06 22:39 - 2022-02-06 22:39 - 000156792 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2022-02-06 22:39 - 2022-02-06 22:39 - 000069040 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2022-02-06 22:37 - 2022-02-06 22:37 - 000000000 ____D C:\Users\asldkjf\AppData\Local\mbam
2022-02-06 22:36 - 2022-02-06 22:37 - 000000000 ____D C:\AdwCleaner
2022-02-06 22:36 - 2022-02-06 22:36 - 008540344 _____ (Malwarebytes) C:\Users\asldkjf\Downloads\adwcleaner_8.3.1.exe
2022-02-06 22:33 - 2022-02-06 22:33 - 000000080 ___SH C:\bootTel.dat
2022-02-06 22:05 - 2022-02-06 22:05 - 000002033 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2022-02-06 22:05 - 2022-02-06 22:05 - 000002021 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2022-02-06 22:04 - 2022-02-06 22:04 - 000248992 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2022-02-06 22:04 - 2022-02-06 22:04 - 000220568 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2022-02-06 22:04 - 2022-02-06 22:04 - 000160176 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae64.sys
2022-02-06 22:04 - 2022-02-06 22:04 - 000019912 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamElam.sys
2022-02-06 22:03 - 2022-02-06 22:03 - 000000000 ____D C:\ProgramData\Malwarebytes
2022-02-06 22:03 - 2022-02-06 22:03 - 000000000 ____D C:\Program Files\Malwarebytes
2022-02-06 22:02 - 2022-02-06 22:02 - 002911928 _____ (Malwarebytes) C:\Users\asldkjf\Downloads\MBSetup.exe
2022-02-05 12:40 - 2022-02-05 12:40 - 048670739 _____ C:\Users\asldkjf\Desktop\health-biology books combined.txt
2022-02-05 12:29 - 2022-02-05 12:29 - 000000000 ____D C:\Users\asldkjf\AppData\Roaming\Bluefive software
2022-02-05 12:29 - 2022-02-05 12:29 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TXTcollector
2022-02-05 12:29 - 2022-02-05 12:29 - 000000000 ____D C:\Program Files (x86)\TXTcollector
2022-02-05 12:29 - 2000-07-09 19:15 - 000106496 _____ (Marco Bellinaso) C:\WINDOWS\SysWOW64\mbprgbar.ocx
2022-02-05 12:29 - 2000-05-02 00:02 - 000110592 _____ (Common Controls Replacement Project (CCRP)) C:\WINDOWS\SysWOW64\ccrpbds6.dll
2022-02-04 09:54 - 2022-02-04 09:54 - 000000000 ____D C:\Users\asldkjf\AppData\Local\calibre-parallel
2022-01-28 08:53 - 2022-01-29 08:09 - 000000000 ____D C:\Program Files\Mozilla Firefox
2022-01-23 21:15 - 2022-01-23 21:15 - 000001298 _____ C:\Users\asldkjf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\qbittorrent.lnk
2022-01-23 14:59 - 2022-01-23 14:59 - 000000000 ____D C:\Program Files\qBittorrent
2022-01-17 09:44 - 2022-01-28 11:44 - 000000000 ____D C:\WINDOWS\system32\Tasks\Mozilla

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-02-07 08:23 - 2021-10-19 18:38 - 000000000 ____D C:\Users\asldkjf\AppData\LocalLow\Mozilla
2022-02-07 08:20 - 2021-10-19 19:20 - 000000000 ___SD C:\Users\asldkjf\nextcloud
2022-02-06 23:04 - 2021-10-20 12:22 - 000033800 _____ C:\WINDOWS\system32\BMXStateBkp-{00000004-00000000-00000000-00001102-00000008-10241102}.rfx
2022-02-06 23:04 - 2021-10-20 12:22 - 000033800 _____ C:\WINDOWS\system32\BMXState-{00000004-00000000-00000000-00001102-00000008-10241102}.rfx
2022-02-06 23:04 - 2021-10-20 12:22 - 000029040 _____ C:\WINDOWS\system32\BMXCtrlState-{00000004-00000000-00000000-00001102-00000008-10241102}.rfx
2022-02-06 23:04 - 2021-10-20 12:22 - 000029040 _____ C:\WINDOWS\system32\BMXBkpCtrlState-{00000004-00000000-00000000-00001102-00000008-10241102}.rfx
2022-02-06 23:04 - 2021-10-20 12:22 - 000011564 _____ C:\WINDOWS\system32\DVCState-{00000004-00000000-00000000-00001102-00000008-10241102}.rfx
2022-02-06 23:04 - 2021-10-19 19:16 - 000000000 ____D C:\Users\asldkjf\AppData\Roaming\QloudData
2022-02-06 23:03 - 2021-10-20 18:02 - 000000000 ____D C:\Users\asldkjf\AppData\Local\Eddie
2022-02-06 22:49 - 2021-10-20 12:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2022-02-06 22:44 - 2021-10-20 12:13 - 000000000 ____D C:\WINDOWS\INF
2022-02-06 22:44 - 2021-10-19 18:27 - 000795992 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2022-02-06 22:39 - 2021-10-20 12:22 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2022-02-06 22:38 - 2021-10-20 12:09 - 000032768 _____ C:\WINDOWS\system32\config\BBI
2022-02-06 22:35 - 2021-10-30 11:38 - 000000000 ____D C:\Users\asldkjf\AppData\Local\Spotify
2022-02-06 22:34 - 2021-10-30 11:35 - 000000000 ____D C:\Users\asldkjf\AppData\Roaming\Spotify
2022-02-06 22:34 - 2021-10-20 12:22 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2022-02-06 22:32 - 2021-10-19 21:30 - 000000000 ____D C:\Users\asldkjf\AppData\Roaming\MusicBee
2022-02-06 22:13 - 2021-10-20 15:36 - 000000000 ____D C:\Program Files\Monero GUI Wallet
2022-02-06 22:04 - 2021-10-20 12:14 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
2022-02-05 20:49 - 2021-12-19 19:17 - 000000000 ____D C:\Users\asldkjf\Calibre Library
2022-02-04 16:41 - 2021-10-19 18:31 - 000000000 ____D C:\Users\asldkjf
2022-02-03 11:58 - 2021-10-19 18:42 - 000002364 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brave.lnk
2022-02-01 19:06 - 2021-12-19 19:17 - 000000000 ____D C:\Users\asldkjf\AppData\Roaming\calibre
2022-02-01 17:59 - 2021-12-19 19:17 - 000000000 ____D C:\Users\asldkjf\AppData\Local\calibre-cache
2022-02-01 17:52 - 2021-10-20 17:59 - 000000000 ____D C:\Users\asldkjf\AppData\Roaming\Ledger Live
2022-01-29 08:09 - 2021-10-20 14:07 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2022-01-28 11:44 - 2021-10-22 11:39 - 000001026 _____ C:\Users\asldkjf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefox.lnk
2022-01-28 11:44 - 2021-10-20 14:07 - 000001005 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2022-01-24 08:09 - 2021-12-08 16:13 - 000000000 ____D C:\Users\asldkjf\AppData\Roaming\audacity
2022-01-23 15:44 - 2021-11-22 11:22 - 000000000 ____D C:\Users\asldkjf\AppData\Roaming\qBittorrent

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================
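Reading an FRST.txt by eye means scanning for a handful of recurring shapes: the lines FRST itself tags with "<==== ATTENTION" (policy restrictions), Run/RunOnce autostarts whose binary carries "[File not signed]" or points at a missing file, services and drivers left with "no ImagePath", and the PersistentRoutes block. The following triage script is an added example written for this page; it is not part of the thread, of FRST, or of the moderator's procedure. It assumes the line layouts shown in the log above (hive\...\Run: [name] => path [size date] (signer) [flags], "Rn/Sn/Un name; no ImagePath", and "PersistentRoutes: [dest,mask,gateway,metric]"), and the embedded sample is a constructed, shortened log in that format with a placeholder SID. A persistent host route whose gateway is 0.0.0.0 typically sends that destination nowhere (privacy-hardening scripts add such routes in bulk), so the script reports those destinations and the total count for a reviewer to weigh rather than issuing a verdict.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST.txt) text output.

Added example, not code from the forum thread or from FRST. Line formats are
assumed from the FRST log shown in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in FRST's format; the SID is a placeholder, not a real one.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Focusrite Notifier] => C:\Program Files\Focusriteusb\Focusrite Notifier.exe [5029376 2020-06-03] (Focusrite Audio Engineering, Ltd.) [File not signed]
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-04-28] (Adobe Systems Incorporated -> Adobe Systems Incorporated)
HKLM-x32\...\Run: [AsioThk32Reg] => REGSVR32.EXE /S CTASIO.DLL (No File)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-0-0-0-1001\...\Run: [simplewall] => C:\Program Files\simplewall\simplewall.exe [749056 2021-12-03] (Henry++) [File not signed]
GroupPolicy: Restriction ? <==== ATTENTION

==================== Internet (Whitelisted) ====================

HKLM\System\...\Parameters\PersistentRoutes: [104.96.147.3,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [131.253.40.37,255.255.255.255,0.0.0.0,1]
PersistentRoutes: There are 175 PersistentRoutes.

==================== Drivers (Whitelisted) ===================

R3 tap0901; C:\WINDOWS\System32\drivers\tap0901.sys [39920 2019-10-23] (Microsoft Windows Hardware Compatibility Publisher -> The OpenVPN Project)
U4 WdFilter; no ImagePath
U4 WinDefend; no ImagePath
"""

# hive\...\Run: [name] => path [size date] ...   (size/date block may be absent)
RUN_RE = re.compile(
    r'^(?P<hive>HK\S+?)\\\.\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]+)\] => '
    r'(?P<path>.+?)(?: \[\d+ \d{4}-\d{2}-\d{2}\]|$)'
)
SERVICE_RE = re.compile(r'^(?P<start>[RSU]\d) (?P<name>[^;]+); no ImagePath$')
ROUTE_RE = re.compile(
    r'PersistentRoutes: \[(?P<dest>[\d.]+),(?P<mask>[\d.]+),(?P<gw>[\d.]+),(?P<metric>\d+)\]'
)
ROUTE_TOTAL_RE = re.compile(r'There are (\d+) PersistentRoutes')
SIGNER_RE = re.compile(r'\(([^()]*)\)')  # last (...) group on a line is the signer


@dataclass
class Finding:
    name: str
    detail: str


@dataclass
class Report:
    attention: list = field(default_factory=list)       # FRST's own ATTENTION flags
    unsigned_autoruns: list = field(default_factory=list)
    missing_targets: list = field(default_factory=list)  # Run entries marked (No File)
    no_imagepath: list = field(default_factory=list)     # services/drivers with no binary
    blackhole_routes: list = field(default_factory=list)  # host routes via 0.0.0.0
    route_total: int = 0


def triage(log_text: str) -> Report:
    """Walk the log line by line and collect the items a reviewer checks first."""
    report = Report()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("<==== ATTENTION"):
            report.attention.append(line.replace(" <==== ATTENTION", ""))
            continue
        m = RUN_RE.match(line)
        if m:
            if line.endswith("(No File)"):
                report.missing_targets.append(m["name"])
            elif "[File not signed]" in line:
                groups = SIGNER_RE.findall(line)
                signer = groups[-1] if groups else "unknown"
                report.unsigned_autoruns.append(Finding(m["name"], f'{m["path"]} ({signer})'))
            continue
        m = SERVICE_RE.match(line)
        if m:
            report.no_imagepath.append(m["name"])
            continue
        m = ROUTE_RE.search(line)
        if m:
            if m["gw"] == "0.0.0.0":
                report.blackhole_routes.append(m["dest"])
            continue
        m = ROUTE_TOTAL_RE.search(line)
        if m:
            report.route_total = int(m.group(1))
    return report


def summary(report: Report) -> dict:
    """Per-category counts, the shape of a one-line note in a reply."""
    return {
        "attention": len(report.attention),
        "unsigned_autoruns": len(report.unsigned_autoruns),
        "missing_targets": len(report.missing_targets),
        "no_imagepath": len(report.no_imagepath),
        "blackhole_routes": len(report.blackhole_routes),
        "route_total": report.route_total,
    }


if __name__ == "__main__":
    rep = triage(SAMPLE_FRST)
    for item in rep.attention:
        print("ATTENTION      :", item)
    for f in rep.unsigned_autoruns:
        print("UNSIGNED AUTORUN:", f.name, "->", f.detail)
    for name in rep.missing_targets:
        print("MISSING TARGET :", name)
    for name in rep.no_imagepath:
        print("NO IMAGEPATH   :", name)
    print("BLACKHOLE ROUTES:", rep.blackhole_routes, "of", rep.route_total, "persistent routes")
    print(summary(rep))
```

To run it against a real log, replace `SAMPLE_FRST` with the contents of FRST.txt (`triage(open("FRST.txt", encoding="utf-8-sig").read())`; FRST writes a UTF-8 BOM). The script only extracts; an unsigned autostart can be a legitimate vendor tool, and Defender services with no ImagePath can be the result of deliberate hardening, so each finding still needs a human judgement.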
  #4  
Old February 7th, 2022, 01:34 AM
marmites
Senior Member
 
Join Date: Sep 2007
O/S: Windows 10 Enterprise
Location: Melbourne, Australia
Posts: 131
Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-02-2022
Ran by asldkjf (07-02-2022 08:37:44)
Running from C:\Users\asldkjf\Downloads
Microsoft Windows 10 Enterprise LTSC Version 1809 17763.1757 (X64) (2021-10-19 07:23:58)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-461047945-4258226643-924543775-500 - Administrator - Disabled)
asldkjf (S-1-5-21-461047945-4258226643-924543775-1001 - Administrator - Enabled) => C:\Users\asldkjf
DefaultAccount (S-1-5-21-461047945-4258226643-924543775-503 - Limited - Disabled)
Guest (S-1-5-21-461047945-4258226643-924543775-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-461047945-4258226643-924543775-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

4K Stogram (HKLM\...\{2D1D79D2-5890-4F1E-98F8-482910FF4A70}) (Version: 4.2.1.4000 - Open Media LLC)
7-Zip 19.00 (x64) (HKLM\...\7-Zip) (Version: 19.00 - Igor Pavlov)
Adobe Premiere Pro CC 2015 (HKLM-x32\...\{38C72D42-0672-43B1-9E05-E7631684F9A1}) (Version: 9.0.0 - Adobe Systems Incorporated)
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.10 - Michael Tippach)
Audacity 3.0.5 (HKLM\...\Audacity_is1) (Version: 3.0.5 - Audacity Team)
Brave (HKLM-x32\...\BraveSoftware Brave-Browser) (Version: 98.1.35.100 - Brave Software Inc)
calibre (HKLM-x32\...\{2E4F4E6C-9196-4A8B-AA7B-5462E2DC4E40}) (Version: 5.29.0 - Kovid Goyal)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: - Canon Inc.)
Canon MG2500 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG2500_series) (Version: 1.02 - Canon Inc.)
Creative System Information (HKLM-x32\...\SysInfo) (Version: 1.10 - Creative Technology Limited)
Dynamic Application Loader Host Interface Service (HKLM\...\{E7365856-8EFD-47D8-AFE4-0627FDA221B5}) (Version: 1.0.0.0 - Intel Corporation) Hidden
Eddie - OpenVPN UI (HKLM-x32\...\AirVPN) (Version: - AirVPN - hxxps://airvpn.org)
Epic Privacy Browser (HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\Epic Privacy Browser) (Version: 91.0.4472.124 - Epic)
f.lux (HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\Flux) (Version: - f.lux Software LLC)
Firefly 1.2.0 (HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\5892dd0c-8983-51d7-b337-6e1d1da9ad4b) (Version: 1.2.0 - IOTA Foundation)
FL Studio 10 (HKLM-x32\...\FL Studio 10) (Version: - Image-Line)
Focusrite Usb 4.65.5.658 (HKLM\...\Focusrite Usb_is1) (Version: 4.65.5.658 - Focusrite Audio Engineering, Ltd.)
FormatFactory 5.9.0.0 (HKLM-x32\...\FormatFactory) (Version: 5.9.0.0 - Free Time)
Ghost Desktop 2.0.11 (HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\64e6a2da-bfec-5ed6-bebf-c46eea19ac90) (Version: 2.0.11 - Ghost contributors)
GNU Privacy Guard (HKLM-x32\...\GnuPG) (Version: 2.2.28 - The GnuPG Project)
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.101.0 - Google LLC) Hidden
Gpg4win (3.1.16) (HKLM-x32\...\Gpg4win) (Version: 3.1.16 - The Gpg4win Project)
HuionTablet (HKLM-x32\...\HuionTablet) (Version: 15.4.1.354 - Shenzhen Huion Animation Technology Co.,LTD)
IL Download Manager (HKLM-x32\...\IL Download Manager) (Version: - Image-Line)
Intel(R) Chipset Device Software (HKLM-x32\...\{b666e502-9089-483b-9816-0774ccc9cb61}) (Version: 10.1.18295.8201 - Intel(R) Corporation)
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 2011.14.0.1511 - Intel Corporation)
IrfanView 4.58 (64-bit) (HKLM\...\IrfanView64) (Version: 4.58 - Irfan Skiljan)
K-Lite Codec Pack 16.4.6 Full (HKLM-x32\...\KLiteCodecPack_is1) (Version: 16.4.6 - KLCP)
Ledger Live 2.34.3 (HKLM\...\c62032b2-0bca-5abc-b458-fd67cfc9e49b) (Version: 2.34.3 - Ledger Live Team)
LibreOffice 7.2.2.2 (HKLM\...\{51F1B587-D4A5-41C0-A4E8-A64BBD343F23}) (Version: 7.2.2.2 - The Document Foundation)
LPD8 Editor (HKLM-x32\...\LPD8Editor) (Version: - )
Malwarebytes version 4.5.2.157 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.5.2.157 - Malwarebytes)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.28.29325 (HKLM-x32\...\{33628a12-6787-4b9f-95a1-92449f69fae0}) (Version: 14.28.29325.2 - Microsoft Corporation)
Monero GUI Wallet version 0.17.2.3 (HKLM\...\Monero GUI Wallet_is1) (Version: 0.17.2.3 - The Monero Developer Community)
Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 96.0.3 (x64 en-US)) (Version: 96.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 93.0 - Mozilla)
MusicBee 3.4.7805 (HKLM-x32\...\MusicBee) (Version: 3.4.7805 - Steven Mayall)
Notepad++ (64-bit x64) (HKLM\...\Notepad++) (Version: 8.1.5 - Notepad++ Team)
Novation USB Midi 2.22.0.10 (HKLM\...\Novation USB Midi Driver_is1) (Version: 2.22.0.10 - Novation DMS, Ltd.)
NVIDIA Graphics Driver 359.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 359.21 - NVIDIA Corporation)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 27.1.3 - OBS Project)
OpenAL (HKLM-x32\...\OpenAL) (Version: - )
qBittorrent 4.4.0 (HKLM-x32\...\qBittorrent) (Version: 4.4.0 - The qBittorrent project)
QloudData (HKLM\...\{3B8C53BC-A0AF-4156-838E-76D00A1FB9EC}) (Version: 3.3.6.20211104 - Nextcloud GmbH)
Shotcut (HKLM\...\Shotcut) (Version: 21.09.20 - Meltytech, LLC)
simplewall (HKLM\...\simplewall) (Version: 3.6.1 - Henry++)
SoulseekQt version 2019.7.22 (HKLM-x32\...\{8A4E1646-488C-4E5B-AC31-F784400E8D2D}_is1) (Version: 2019.7.22 - Soulseek LLC)
Sound Blaster Audigy 5_Audigy Rx (HKLM-x32\...\{81440118-F1CE-4C87-BC8B-F1EB8D3FA190}) (Version: 1.0 - Creative Technology Limited)
Spotify (HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\Spotify) (Version: 1.1.78.765.g5ea20b00 - Spotify AB)
SumatraPDF (HKLM\...\SumatraPDF) (Version: 3.3.3 - Krzysztof Kowalczyk)
Sync 1.3.1 (HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\e2300f21-b4fa-51fc-b56b-9fe4494aa9a7) (Version: 1.3.1 - vechain.org)
TAP-Windows 9.24.2 (HKLM\...\TAP-Windows) (Version: 9.24.2 - OpenVPN Technologies, Inc.)
Trezor Suite 21.10.2 (HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\978be57b-9286-5cd7-a60b-54c81352a986) (Version: 21.10.2 - SatoshiLabs)
TXTcollector (HKLM-x32\...\TXTcollector_is1) (Version: 2.0.2 - Bluefive software)
Waves.Exchange 1.0.0 (HKLM\...\{f9a1fbd2-842d-5f6a-98a9-d3cc73527c2a}) (Version: 1.0.0 - Elfronus Company LTD)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-461047945-4258226643-924543775-1001_Classes\CLSID\{c22e92cd-6dc5-4b86-aaf5-544f972d58e8} -> [QloudData] => C:\Users\asldkjf\nextcloud [2021-10-19 19:20]
ShellIconOverlayIdentifiers: [ QloudDataError] -> {ECED25DF-4C43-4C3D-9DF2-2DD4A34264BB} => C:\Program Files\QloudData\shellext\NCOverlays.dll [2021-11-04] (Nextcloud GmbH -> Nextcloud GmbH)
ShellIconOverlayIdentifiers: [ QloudDataOK] -> {85B0E8DF-011A-4C8C-9F71-044F664AB689} => C:\Program Files\QloudData\shellext\NCOverlays.dll [2021-11-04] (Nextcloud GmbH -> Nextcloud GmbH)
ShellIconOverlayIdentifiers: [ QloudDataOKShared] -> {233AEF17-DC5E-46AF-ADA0-CA44CEA852B2} => C:\Program Files\QloudData\shellext\NCOverlays.dll [2021-11-04] (Nextcloud GmbH -> Nextcloud GmbH)
ShellIconOverlayIdentifiers: [ QloudDataSync] -> {75B6942D-C993-456A-B634-D6B4902587E5} => C:\Program Files\QloudData\shellext\NCOverlays.dll [2021-11-04] (Nextcloud GmbH -> Nextcloud GmbH)
ShellIconOverlayIdentifiers: [ QloudDataWarning] -> {050838D8-07CC-499A-9DC2-8027CAAE3FE7} => C:\Program Files\QloudData\shellext\NCOverlays.dll [2021-11-04] (Nextcloud GmbH -> Nextcloud GmbH)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-22] (Igor Pavlov) [File not signed]
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files\Notepad++\NppShell_06.dll [2021-09-27] (Notepad++ -> )
ContextMenuHandlers1: [FormatFactoryShell] -> {A3888923-CFD3-4A6B-89BF-08E6B95716E8} => C:\Program Files (x86)\FormatFactory\ShellEx_108.dll [2020-08-04] (Free Time) [File not signed]
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-02-06] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers3: [QloudDataContextMenuHandler] -> {5ED47245-050C-4BB9-923B-6CC8D74F1C1D} => C:\Program Files\QloudData\shellext\NCContextMenu.dll [2021-11-04] (Nextcloud GmbH -> Nextcloud GmbH)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-22] (Igor Pavlov) [File not signed]
ContextMenuHandlers4: [FormatFactoryShell] -> {A3888923-CFD3-4A6B-89BF-08E6B95716E8} => C:\Program Files (x86)\FormatFactory\ShellEx_108.dll [2020-08-04] (Free Time) [File not signed]
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\system32\nvshext.dll [2015-12-17] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-22] (Igor Pavlov) [File not signed]
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-02-06] (Malwarebytes Corporation -> Malwarebytes)

==================== Codecs (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Drivers32: [msacm.vorbis] => C:\Windows\SysWOW64\vorbis.acm [1554944 2009-09-15] (HMS hxxp://hp.vector.co.jp/authors/VA012897/) [File not signed]

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\asldkjf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Image-Line\FL Studio 10\Image-Line website.lnk -> hxxp://www.image-line.com
Shortcut: C:\Users\asldkjf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Image-Line\FL Studio 10\Advanced\Diagnostic.lnk -> hxxp://diagnostic.image-line.com
Shortcut: C:\Users\asldkjf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Image-Line\FL Studio 10\Additional\Download Deckadance.lnk -> hxxp://www.deckadance.com
Shortcut: C:\Users\asldkjf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Image-Line\FL Studio 10\Additional\SynthMaker website.lnk -> hxxp://www.synthmaker.co.uk

==================== Loaded Modules (Whitelisted) =============

2021-11-04 15:21 - 2021-11-04 15:21 - 000099328 _____ () [File not signed] C:\Program Files\QloudData\qlouddatasync_vfs_cfapi.dll
2021-11-04 15:21 - 2021-11-04 15:21 - 000030208 _____ () [File not signed] C:\Program Files\QloudData\qlouddatasync_vfs_suffix.dll
2021-10-20 20:34 - 2015-09-02 17:48 - 000010240 _____ (Creative Technology Ltd) [File not signed] C:\WINDOWS\system32\CTDCRES.DLL
2020-08-04 20:46 - 2020-08-04 20:46 - 000341504 _____ (Free Time) [File not signed] C:\Program Files (x86)\FormatFactory\ShellEx_108.dll
2021-10-19 19:30 - 2019-02-22 03:00 - 000078336 _____ (Igor Pavlov) [File not signed] C:\Program Files\7-Zip\7-zip.dll
2021-11-04 15:21 - 2021-11-04 15:21 - 005972464 _____ (The Qt Company Oy -> The Qt Company Ltd.) [File not signed] C:\Program Files\QloudData\Qt5Core.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2022-01-01 12:56 - 2022-01-01 12:56 - 000008582 _____ C:\WINDOWS\system32\drivers\etc\hosts
0.0.0.0 nullroute
0.0.0.0 fe2.update.microsoft.com.akadns.net
0.0.0.0 survey.watson.microsoft.com
0.0.0.0 watson.microsoft.com
0.0.0.0 watson.ppe.telemetry.microsoft.com
0.0.0.0 vortex.data.microsoft.com
0.0.0.0 vortex-win.data.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
0.0.0.0 oca.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com.nsatc.net
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com.nsatc.net
0.0.0.0 redir.metaservices.microsoft.com
0.0.0.0 choice.microsoft.com
0.0.0.0 choice.microsoft.com.nsatc.net
0.0.0.0 wes.df.telemetry.microsoft.com
0.0.0.0 services.wes.df.telemetry.microsoft.com
0.0.0.0 sqm.df.telemetry.microsoft.com
0.0.0.0 telemetry.microsoft.com
0.0.0.0 telemetry.appex.bing.net
0.0.0.0 telemetry.urs.microsoft.com
0.0.0.0 settings-sandbox.data.microsoft.com
0.0.0.0 watson.live.com
0.0.0.0 statsfe2.ws.microsoft.com
0.0.0.0 corpext.msitadfs.glbdns2.microsoft.com
0.0.0.0 www.windowssearch.com
0.0.0.0 ssw.live.com
0.0.0.0 sls.update.microsoft.com.akadns.net

There are 198 more lines.


==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-461047945-4258226643-924543775-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\asldkjf\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKLM\...\StartupApproved\StartupFolder: => "TREZOR Bridge.lnk"
HKLM\...\StartupApproved\Run: => "SecurityHealth"
HKLM\...\StartupApproved\Run: => "Focusrite Notifier"
HKLM\...\StartupApproved\Run: => "KeePass 2 PreLoad"
HKLM\...\StartupApproved\Run32: => "HuionTablet"
HKU\S-1-5-21-461047945-4258226643-924543775-1001\...\StartupApproved\Run: => "Epic Privacy Browser Installer"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{064D30C5-441C-4D75-A54A-96D3A7158861}] => (Block) C:\WINDOWS\System32\svchost.exe (Microsoft Windows Publisher -> Microsoft Corporation)
FirewallRules: [{C5827F51-B380-4198-8B48-1AD0CCE5E2A8}] => (Block) C:\WINDOWS\System32\svchost.exe (Microsoft Windows Publisher -> Microsoft Corporation)
FirewallRules: [{C4654763-BD63-4714-A64C-7A7494CCF8F9}] => (Block) C:\WINDOWS\System32\svchost.exe (Microsoft Windows Publisher -> Microsoft Corporation)
FirewallRules: [{FAD7E063-628B-4ADA-963E-6B6148291292}] => (Block) C:\WINDOWS\System32\svchost.exe (Microsoft Windows Publisher -> Microsoft Corporation)
FirewallRules: [{0AC03FED-6B74-4532-8059-31E8E2AB50D6}] => (Block) C:\Windows\explorer.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{47CD861C-3D89-4C7E-8D0D-3BA95D374C4A}] => (Block) C:\Windows\ImmersiveControlPanel\SystemSettings.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{691C114F-3404-4063-88F8-C7AB388AC03A}] => (Block) C:\Windows\System32\backgroundTaskHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{126AA00B-243E-4CB0-BEE2-3166AE0139E3}] => (Block) C:\Windows\System32\BackgroundTransferHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{B1BE97F9-914B-4904-8BBA-5D881822A069}] => (Block) C:\Windows\System32\browser_broker.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{B7BA4B27-D7B4-4AD7-A927-30CAD40EA140}] => (Block) C:\Windows\System32\CompatTelRunner.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{87E41525-ED52-4192-A864-401469987223}] => (Block) C:\Windows\System32\dmclient.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{7EAC99D0-9B11-4E40-9C1D-AE8B9E4DB282}] => (Block) C:\Windows\System32\lsass.exe (Microsoft Windows Publisher -> Microsoft Corporation)
FirewallRules: [{24AD7227-CB3B-407B-8C6D-F13C005AAF02}] => (Block) C:\Windows\System32\msfeedssync.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{00DE1F75-FAC5-4863-AC24-D7AA90DBFF6E}] => (Block) C:\Windows\System32\rundll32.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{D953C15E-0930-4F3E-B53D-5E44FC7B6945}] => (Block) C:\Windows\System32\SettingSyncHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{7058AFA6-E959-4368-A127-7961100399DC}] => (Block) C:\Windows\System32\SIHClient.exe (Microsoft Windows Publisher -> Microsoft Corporation)
FirewallRules: [{2A1FB7DD-D050-4391-B643-93EB1C59BE64}] => (Block) C:\Windows\System32\smartscreen.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{BD5195A7-3B31-4628-8845-644B487CBC60}] => (Block) C:\Windows\System32\taskhostw.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{8FE2430F-5B53-4102-957D-83F8EB0B2C60}] => (Block) C:\Windows\System32\wbem\WmiPrvSE.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{08158578-D3A6-4475-9673-5734046BFA25}] => (Block) C:\Windows\System32\WerFault.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{DFF09363-BB63-4A36-9584-11E724B37A0A}] => (Block) C:\Windows\System32\wermgr.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{A7DCC5CF-E1D0-4A53-9A44-457699D6A84E}] => (Block) C:\Windows\System32\wsqmcons.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{E7AFDB25-A464-4794-A3D2-0F1EE3D5E207}] => (Block) C:\Windows\System32\WWAHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{E4E9E0C8-142C-4D4B-AB2E-0170FD173E47}] => (Block) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe => No File
FirewallRules: [{94F91AB0-6273-4446-A117-113BBFC9CA80}] => (Block) C:\Windows\SysWOW64\backgroundTaskHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{BB84B7C4-A9D9-4145-BEE0-D67F1F7D31D1}] => (Block) C:\Windows\SysWOW64\BackgroundTransferHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{BE7F2A61-0DD3-4CC2-9339-8386C55D60A4}] => (Block) C:\Windows\SysWOW64\msfeedssync.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{D98B4B92-7F28-48F7-B61C-2E551D42840C}] => (Block) C:\Windows\SysWOW64\rundll32.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{655B2D75-B672-4647-B42D-F1D4FA10F6F1}] => (Block) C:\Windows\SysWOW64\SettingSyncHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{4BB99F80-BA47-48CD-8382-2A322342FAB6}] => (Block) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{F8798E32-911C-4ECC-A64B-59E6DC32848B}] => (Block) C:\Windows\SysWOW64\WerFault.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{BB25C72A-3A54-4DE3-A680-E8BF182F863E}] => (Block) C:\Windows\SysWOW64\wermgr.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{ED94336D-640B-412F-AAD6-13FF02F00493}] => (Block) C:\Windows\SysWOW64\WWAHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{71E6592B-D1CD-489D-A74C-00865E16E17F}] => (Block) C:\WINDOWS\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe => No File
FirewallRules: [{058D42A2-2F15-4382-9DBB-9A0B63F59F74}] => (Block) C:\WINDOWS\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe => No File
FirewallRules: [{59EDB8D5-6E0D-4549-9B90-54E1FE214E1B}] => (Block) C:\WINDOWS\SystemApps\ContactSupport_cw5n1h2txyewy\ContactSupport.exe => No File
FirewallRules: [{6F290C31-7776-442C-8D6A-84DDEFEADC15}] => (Block) C:\WINDOWS\SystemApps\ContactSupport_cw5n1h2txyewy\ContactSupport.exe => No File
FirewallRules: [{D8416323-3018-476B-B56F-3C70A00B6989}] => (Block) C:\WINDOWS\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe => No File
FirewallRules: [{A14D61D5-AFF1-40C8-8695-65161CC64188}] => (Block) C:\WINDOWS\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe => No File
FirewallRules: [{A2007C19-F6BA-43B1-BF5E-9D97E32784A9}] => (Block) C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1708.2831.0_x64__8wekyb3d8bbwe\PilotshubApp.exe => No File
FirewallRules: [{6B8B9BCA-5563-480F-961A-1451BBA2FFE7}] => (Block) C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1708.2831.0_x64__8wekyb3d8bbwe\PilotshubApp.exe => No File
FirewallRules: [{0B405E1D-246C-4C24-9F7C-D46D90B28E55}] => (Block) C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.8625.21151.0_x64__8wekyb3d8bbwe\onenoteim.exe => No File
FirewallRules: [{1A61DCC9-5ED9-4B0C-8B54-D886F9595269}] => (Block) C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.8625.21151.0_x64__8wekyb3d8bbwe\onenoteim.exe => No File
FirewallRules: [{B3EE049B-9872-4FC0-B706-DF6503F029DF}] => (Block) C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39091.16340.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe => No File
FirewallRules: [{44899B09-9782-481A-933D-9E2089D9A2FD}] => (Block) C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39091.16340.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe => No File
FirewallRules: [TCP Query User{1E66D613-C357-4997-AEF0-B222414F1DFC}C:\users\asldkjf\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\asldkjf\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [UDP Query User{35732775-865C-484F-8895-AE797352AFFB}C:\users\asldkjf\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\asldkjf\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{9631CC41-4FE2-4D21-A78F-B8400ECAAB52}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{3CDC1F88-413C-4BBC-BE59-C8F09F7345A9}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{4F7C0222-AA5D-47DB-AA23-C35201914FFE}] => (Allow) C:\Users\asldkjf\AppData\Local\Epic Privacy Browser\Application\epic.exe (Hidden Reflex Authors) [File not signed]
FirewallRules: [{641FE2CA-19F9-458A-BE31-FCA0F4A87FE5}] => (Allow) C:\Program Files (x86)\FormatFactory\FormatFactory.exe (暇光软件科技(上海)有限公司 -> Free Time Co., Ltd.)
FirewallRules: [{1BA12319-F3FC-4CB5-A138-506DC2C0D62F}] => (Allow) C:\Program Files (x86)\FormatFactory\FormatFactory.exe (暇光软件科技(上海)有限公司 -> Free Time Co., Ltd.)
FirewallRules: [{F0CAD873-81B7-4539-BFAB-527EC360AC11}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe (The qBittorrent Project) [File not signed]
FirewallRules: [{B2F31D38-6A11-4F95-B601-2D0B250FF68A}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe (The qBittorrent Project) [File not signed]
FirewallRules: [{9B7B2953-BCB6-4D4D-853A-2CC4B9E6FBBE}] => (Allow) C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe (Brave Software, Inc. -> Brave Software, Inc.)

==================== Restore Points =========================


==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (02/07/2022 08:42:09 AM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
].


Operation:
Obtain a callable interface for this provider
List interfaces for all providers supporting this context
Query Shadow Copies

Context:
Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
Snapshot Context: 13
Snapshot Context: 13
Execution Context: Coordinator

Error: (02/07/2022 08:42:09 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} and name SW_PROV cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
Obtain a callable interface for this provider
List interfaces for all providers supporting this context
Query Shadow Copies

Context:
Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
Snapshot Context: 13
Snapshot Context: 13
Execution Context: Coordinator

Error: (02/07/2022 08:37:25 AM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
].


Operation:
Obtain a callable interface for this provider
List interfaces for all providers supporting this context
Query Shadow Copies

Context:
Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
Snapshot Context: -1
Snapshot Context: -1
Execution Context: Coordinator

Error: (02/07/2022 08:37:25 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} and name SW_PROV cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
Obtain a callable interface for this provider
List interfaces for all providers supporting this context
Query Shadow Copies

Context:
Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
Snapshot Context: -1
Snapshot Context: -1
Execution Context: Coordinator

Error: (02/07/2022 08:37:25 AM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
].


Operation:
Obtain a callable interface for this provider
List interfaces for all providers supporting this context
Check If Volume Is Supported by Provider
Add a Volume to a Shadow Copy Set

Context:
Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
Snapshot Context: 29
Snapshot Context: 29
Execution Context: Coordinator
Provider ID: {00000000-0000-0000-0000-000000000000}
Volume Name: \\?\Volume{a1fad4da-0000-0000-0000-501f00000000}\
Execution Context: Coordinator

Error: (02/07/2022 08:37:25 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} and name SW_PROV cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
Obtain a callable interface for this provider
List interfaces for all providers supporting this context
Check If Volume Is Supported by Provider
Add a Volume to a Shadow Copy Set

Context:
Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
Snapshot Context: 29
Snapshot Context: 29
Execution Context: Coordinator
Provider ID: {00000000-0000-0000-0000-000000000000}
Volume Name: \\?\Volume{a1fad4da-0000-0000-0000-501f00000000}\
Execution Context: Coordinator

Error: (02/07/2022 08:37:25 AM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
].


Operation:
Obtain a callable interface for this provider
List interfaces for all providers supporting this context
Query Shadow Copies

Context:
Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
Snapshot Context: -1
Snapshot Context: -1
Execution Context: Coordinator

Error: (02/07/2022 08:37:25 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} and name SW_PROV cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
Obtain a callable interface for this provider
List interfaces for all providers supporting this context
Query Shadow Copies

Context:
Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
Snapshot Context: -1
Snapshot Context: -1
Execution Context: Coordinator


System errors:
=============
Error: (02/07/2022 08:42:04 AM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-D59TRQN)
Description: The server {4BD3E4E1-7BD4-4A2B-9964-496400DE5193} did not register with DCOM within the required timeout.

Error: (02/07/2022 08:40:04 AM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-D59TRQN)
Description: The server {4575438F-A6C8-4976-B0FE-2F26B80D959E} did not register with DCOM within the required timeout.

Error: (02/07/2022 08:21:55 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-D59TRQN)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user DESKTOP-D59TRQN\asldkjf SID (S-1-5-21-461047945-4258226643-924543775-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (02/07/2022 08:21:09 AM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-D59TRQN)
Description: Unable to start a DCOM Server: Microsoft.Windows.Cortana_1.11.6.17763_neutral_neutral_cw5n1h2txyewy!CortanaUI as Unavailable/Unavailable. The error:
"0"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

Error: (02/07/2022 08:21:05 AM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-D59TRQN)
Description: Unable to start a DCOM Server: Microsoft.Windows.Cortana_1.11.6.17763_neutral_neutral_cw5n1h2txyewy!CortanaUI as Unavailable/Unavailable. The error:
"0"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

Error: (02/07/2022 08:21:01 AM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-D59TRQN)
Description: Unable to start a DCOM Server: Microsoft.Windows.Cortana_1.11.6.17763_neutral_neutral_cw5n1h2txyewy!CortanaUI as Unavailable/Unavailable. The error:
"0"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

Error: (02/07/2022 08:20:57 AM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-D59TRQN)
Description: Unable to start a DCOM Server: Microsoft.Windows.Cortana_1.11.6.17763_neutral_neutral_cw5n1h2txyewy!CortanaUI as Unavailable/Unavailable. The error:
"0"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

Error: (02/07/2022 08:20:53 AM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-D59TRQN)
Description: Unable to start a DCOM Server: Microsoft.Windows.Cortana_1.11.6.17763_neutral_neutral_cw5n1h2txyewy!CortanaUI as Unavailable/Unavailable. The error:
"0"
Happened while starting this command:
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca


==================== Memory info ===========================

BIOS: American Megatrends Inc. P1.00 04/07/2020
Motherboard: ASRock Z490 Extreme4
Processor: Intel(R) Core(TM) i7-10700KF CPU @ 3.80GHz
Percentage of memory in use: 18%
Total physical RAM: 16288.97 MB
Available physical RAM: 13221.51 MB
Total Virtual: 18720.97 MB
Available Virtual: 15579.03 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:445.85 GB) (Free:131.24 GB) NTFS
Drive e: (asldkjf) (Fixed) (Total:1863 GB) (Free:476.78 GB) NTFS

\\?\Volume{a1fad4da-0000-0000-0000-100000000000}\ (gfhg) (Fixed) (Total:0.49 GB) (Free:0.46 GB) NTFS
\\?\Volume{a1fad4da-0000-0000-0000-b0956f000000}\ () (Fixed) (Total:0.8 GB) (Free:0.34 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 447.1 GB) (Disk ID: A1FAD4DA)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=445.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=819 MB) - (Type=27)

==========================================================
Disk: 1 (Protective MBR) (Size: 1863 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt =======================
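The Addition.txt log above records three things worth reading together: a hosts file that nullroutes Microsoft telemetry and update hosts (with 198 more lines not shown), outbound Block rules on Microsoft-signed system binaries (svchost.exe, lsass.exe, smartscreen.exe, CompatTelRunner.exe and others), and SmartScreen and the Windows Firewall reported off. The bing.com/aclick URL the original post describes is the Microsoft Advertising click-tracking endpoint DuckDuckGo uses for its shopping ads, so the first question is whether the redirect is a hijack or a normal ad-click path broken by a local block. The script below is an added example, not FRST output and not something anyone in the thread posted: it classifies each active hosts entry as a nullroute (blocklist style, the name resolves nowhere) or a redirect (the name is sent to a routable address, which is the hijack pattern), lists every enabled program-bound Block rule with the program's signer, and reads the same UAC, SmartScreen and firewall-profile state FRST reports. The $WatchDomains list and the function names are this example's own assumptions; run it as Administrator on the affected machine (Windows 10, PowerShell 5.1).

```powershell
# Added example, not FRST output. Run as Administrator on the affected machine.
# $WatchDomains is an assumed list of names a search-redirect hijack, or an
# over-eager blocklist, would typically touch.
$WatchDomains = 'duckduckgo.com', 'bing.com', 'microsoft.com', 'windowsupdate.com', 'malwarebytes.com'

function Get-HostsTriage {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $lineNo = 0
    foreach ($raw in (Get-Content -LiteralPath $Path)) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()              # strip comments and blank lines
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        $ip     = $fields[0]
        $names  = @($fields | Select-Object -Skip 1 | ForEach-Object { $_.ToLower() })
        $addr   = $null
        $verdict = if ($names.Count -eq 0 -or -not [System.Net.IPAddress]::TryParse($ip, [ref]$addr)) {
                       'invalid'
                   } elseif ($addr.Equals([System.Net.IPAddress]::Any) -or
                             $addr.Equals([System.Net.IPAddress]::IPv6Any) -or
                             [System.Net.IPAddress]::IsLoopback($addr)) {
                       'nullroute'                          # 0.0.0.0 / :: / 127.x: name resolves nowhere
                   } else {
                       'redirect'                           # name sent to a routable host: hijack pattern
                   }
        $watched = [bool]($names | Where-Object { $n = $_; $WatchDomains | Where-Object { $n -eq $_ -or $n.EndsWith(".$_") } })
        [pscustomobject]@{ Line = $lineNo; IP = $ip; Names = ($names -join ','); Verdict = $verdict; Watched = $watched }
    }
}

function Get-BlockRuleTriage {
    # Enabled Block rules bound to a specific program, with the program's signer,
    # so rules that gag Microsoft-signed system binaries stand out from the rest.
    Get-NetFirewallRule -Enabled True -Action Block | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        if (-not $app.Program -or $app.Program -eq 'Any') { return }
        $exe = [Environment]::ExpandEnvironmentVariables($app.Program)
        $signer = if (Test-Path -LiteralPath $exe) {
                      $sig = Get-AuthenticodeSignature -FilePath $exe
                      if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<$($sig.Status)>" }
                  } else { '<file missing>' }
        [pscustomobject]@{ Rule = $rule.DisplayName; Direction = $rule.Direction; Program = $exe; Signer = $signer }
    }
}

function Get-HostProtectionState {
    # The same values FRST prints under "Other Areas".
    $exp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        SmartScreen  = $(if ($exp.SmartScreenEnabled) { $exp.SmartScreenEnabled } else { '<not set>' })
        EnableLUA    = $uac.EnableLUA
        AdminPrompt  = $uac.ConsentPromptBehaviorAdmin
        ProfilesOff  = (@(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name) -join ',')
    }
}

$hosts = @(Get-HostsTriage)
"hosts: {0} active entries" -f $hosts.Count
$hosts | Where-Object { $_.Verdict -ne 'nullroute' -or $_.Watched } | Format-Table -AutoSize
Get-BlockRuleTriage | Sort-Object Signer, Program | Format-Table -AutoSize
Get-HostProtectionState
```

Anything with Verdict = redirect is the line to investigate; nullroutes of watched vendor names are not a hijack but they do starve updates and Defender, which is the state the moderator's fix later resets. A long list of Block rules whose Signer is Microsoft Windows alongside SmartScreen off and profiles disabled is the fingerprint of a telemetry-blocking script, and it will break any page that depends on the blocked hosts just as thoroughly as malware would.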
  #5  
Old February 7th, 2022, 10:25 PM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
  • Please open notepad (Start > All Programs > Accessories > Notepad)
  • Copy the entire contents of the code box below (Do not copy the word 'Quote') to Notepad.
  • Save it to the Desktop, and name it: fixlist.txt
Quote:
start:
Hosts
HKLM\...\Policies\Explorer: [NoAutorun] 1
HKLM\...\Policies\Explorer: [AllowOnlineTips] 0
HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1
HKLM\...\Policies\Explorer: [NoOnlinePrintsWizard] 1
HKLM\...\Policies\Explorer: [NoPublishingWizard] 1
HKLM\...\Policies\Explorer: [NoWebServices] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-461047945-4258226643-924543775-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
U4 diagnosticshub.standardcollector.service; no ImagePath
U4 DiagTrack; no ImagePath
U4 dmwappushservice; no ImagePath
U4 dmwappushsvc; no ImagePath
U4 lfsvc; no ImagePath
U4 PcaSvc; no ImagePath
U4 WbioSrvc; no ImagePath
U4 WdBoot; no ImagePath
U4 WdFilter; no ImagePath
U4 WdNisDrv; no ImagePath
U4 WdNisSvc; no ImagePath
U4 WinDefend; no ImagePath
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
  • Running this on another computer may cause damage to the Operating System.
  • Now, please run FRST, and press the Fix button, just once, and wait.
  • When done, the tool creates a report on the Desktop called: Fixlog.txt
>> Please post the Fixlog.txt in your reply.
  #6  
Old February 8th, 2022, 01:57 AM
marmites marmites is offline
Senior Member
 
Join Date: Sep 2007
O/S: Windows 10 Enterprise
Location: Melbourne, Australia
Posts: 131
Fix result of Farbar Recovery Scan Tool (x64) Version: 05-02-2022
Ran by asldkjf (08-02-2022 11:51:47) Run:1
Running from C:\Users\asldkjf\Downloads
Loaded Profiles: asldkjf
Boot Mode: Normal
==============================================

fixlist content:
*****************
start:
Hosts
HKLM\...\Policies\Explorer: [NoAutorun] 1
HKLM\...\Policies\Explorer: [AllowOnlineTips] 0
HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1
HKLM\...\Policies\Explorer: [NoOnlinePrintsWizard] 1
HKLM\...\Policies\Explorer: [NoPublishingWizard] 1
HKLM\...\Policies\Explorer: [NoWebServices] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-461047945-4258226643-924543775-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
U4 diagnosticshub.standardcollector.service; no ImagePath
U4 DiagTrack; no ImagePath
U4 dmwappushservice; no ImagePath
U4 dmwappushsvc; no ImagePath
U4 lfsvc; no ImagePath
U4 PcaSvc; no ImagePath
U4 WbioSrvc; no ImagePath
U4 WdBoot; no ImagePath
U4 WdFilter; no ImagePath
U4 WdNisDrv; no ImagePath
U4 WdNisSvc; no ImagePath
U4 WinDefend; no ImagePath
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
*****************

Hosts => Error: No automatic fix found for this entry.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoAutorun" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\AllowOnlineTips" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoInternetOpenWith" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoOnlinePrintsWizard" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoPublishingWizard" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoWebServices" => removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\ProgramData\NTUSER.pol => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => removed successfully
HKU\S-1-5-21-461047945-4258226643-924543775-1001\SOFTWARE\Policies\Microsoft\Internet Explorer => removed successfully
HKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service => removed successfully
diagnosticshub.standardcollector.service => service removed successfully
HKLM\System\CurrentControlSet\Services\DiagTrack => removed successfully
DiagTrack => service removed successfully
HKLM\System\CurrentControlSet\Services\dmwappushservice => removed successfully
dmwappushservice => service removed successfully
HKLM\System\CurrentControlSet\Services\dmwappushsvc => removed successfully
dmwappushsvc => service removed successfully
HKLM\System\CurrentControlSet\Services\lfsvc => removed successfully
lfsvc => service removed successfully
HKLM\System\CurrentControlSet\Services\PcaSvc => removed successfully
PcaSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\WbioSrvc => removed successfully
WbioSrvc => service removed successfully
HKLM\System\CurrentControlSet\Services\WdBoot => removed successfully
WdBoot => service removed successfully
HKLM\System\CurrentControlSet\Services\WdFilter => removed successfully
WdFilter => service removed successfully
HKLM\System\CurrentControlSet\Services\WdNisDrv => removed successfully
WdNisDrv => service removed successfully
HKLM\System\CurrentControlSet\Services\WdNisSvc => removed successfully
WdNisSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\WinDefend => removed successfully
WinDefend => service removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896" => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896" => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157" => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157" => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896" => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896" => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\"Local Page"="C:\Windows\System32\blank.htm" => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\"Local Page"="C:\Windows\SysWOW64\blank.htm" => value restored successfully


The system needed a reboot.

==== End of Fixlog 11:51:47 ====
  #7  
Old February 8th, 2022, 02:05 PM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
I made a mistake so I need you to run a new fixlist.txt fix, using the following script:


Start:
Hosts:
Finish:
  #8  
Old February 8th, 2022, 02:13 PM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Be sure to reboot after.
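The fixlist in post #5 and the Hosts: fix in post #7 act on a fixed set of items: Explorer policy values, policy keys FRST flagged as "Restriction", service keys with no ImagePath (the WinDefend/WdFilter/WdBoot/WdNisSvc/WdNisDrv entries are Defender's own engine and driver services), and the hosts file. The following read-only audit script is added here as an example and is not part of the thread or of FRST; it only reports whether those same items are present, so the state can be verified before a fix and after the reboot (run in an elevated PowerShell on the affected machine).

```powershell
# Added audit script (not from the thread or from FRST): read-only check of the
# items the fixlist above acted on. Nothing is modified; findings are listed.
$findings = @()

# 1. Explorer policy values the fixlist removed (NoAutorun, NoWebServices, ...).
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$names = 'NoAutorun','AllowOnlineTips','NoInternetOpenWith',
         'NoOnlinePrintsWizard','NoPublishingWizard','NoWebServices'
if (Test-Path $explorerPol) {
    $p = Get-ItemProperty -Path $explorerPol
    foreach ($n in $names) {
        if ($null -ne $p.$n) { $findings += "Explorer policy set: $n = $($p.$n)" }
    }
}

# 2. Policy keys and local policy files FRST flagged as "Restriction <==== ATTENTION".
$restrictKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
                'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
foreach ($k in $restrictKeys) {
    if (Test-Path $k) { $findings += "Policy key present: $k" }
}
foreach ($f in 'C:\ProgramData\NTUSER.pol',
               "$env:SystemRoot\System32\GroupPolicy\GPT.ini") {
    if (Test-Path $f) { $findings += "Local policy file present: $f" }
}

# 3. Service keys that exist but carry no ImagePath ("U4 <name>; no ImagePath").
$svcNames = 'diagnosticshub.standardcollector.service','DiagTrack','dmwappushservice',
            'dmwappushsvc','lfsvc','PcaSvc','WbioSrvc','WdBoot','WdFilter',
            'WdNisDrv','WdNisSvc','WinDefend'
foreach ($s in $svcNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
    if (Test-Path $key) {
        $ip = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        if ([string]::IsNullOrEmpty($ip)) { $findings += "Service key without ImagePath: $s" }
    }
}

# 4. Hosts file: any active line other than a plain localhost mapping is reported.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
$active = Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
$odd = $active | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
foreach ($line in $odd) { $findings += "Hosts entry: $line" }

if ($findings) { $findings } else { 'No findings for the items in this fixlist.' }
```

A clean Windows 10 install returns no findings; on this thread's machine, run before the fix, it would list every item the Fixlog later reports as removed or moved.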
  #9  
Old February 8th, 2022, 11:43 PM
marmites marmites is offline
Senior Member
 
Join Date: Sep 2007
O/S: Windows 10 Enterprise
Location: Melbourne, Australia
Posts: 131
Here it is. Thanks.


Fix result of Farbar Recovery Scan Tool (x64) Version: 05-02-2022
Ran by asldkjf (09-02-2022 09:40:58) Run:2
Running from C:\Users\asldkjf\Downloads
Loaded Profiles: asldkjf
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start:
Hosts:
Finish:
*****************

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
Finish: => Error: No automatic fix found for this entry.

==== End of Fixlog 09:40:58 ====
  #10  
Old February 9th, 2022, 12:07 AM
marmites marmites is offline
Senior Member
 
Join Date: Sep 2007
O/S: Windows 10 Enterprise
Location: Melbourne, Australia
Posts: 131
Wow it seems to be fixed now. Thanks a lot I love this website.
  #11  
Old February 9th, 2022, 01:23 PM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Very good. You can delete FRST and all the files we created to remove our work there.