Recovering From Ransomware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ebmocwen, Jan 9, 2025.

  1. Ebmocwen

    Ebmocwen Private E-2

    Hi, I have an HP laptop with Windows 10 and a couple of years ago it got hit with ransomware and all my files disappeared. It wasn't so bad because it happened not long after a backup, and I was still using the computer off and on, but I found it was really slow and the hard drive always seemed to be spinning. Then one day I opened the laptop and all the files were back. I did a backup again, and I installed and ran BitDefender (which did identify some malware and I let it remove what it found), but I thought I should come here and make sure I clean out the system thoroughly.
    I worked my way through the READ ME FIRST thread (got a little confused here and there :p), so I will attach the logs here. I did notice some of the tools selected a couple of programs I use as malware although they are legit, such as Lightwave 3D and its associated files, but I didn't delete anything, as instructed.
    Hope someone wouldn't mind looking over the logs and giving some advice on what step to take next. Thanks :)
     

    Attached Files:

  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings and welcome to the Major Geeks Malware Forum.

    Please do this

    ===================================================

    Farbar Recovery Scan Tool (FRST)

    --------------------
    • Download FRST64 and save the file on your Desktop
    • If your computer language is other than English, right click on the FRST64 icon and rename it to FRST64english
    • Right click on the icon and select Run as administrator
    • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    • Click Yes to the disclaimer
    • Click Scan and allow the program to run
    • When completed, FRST.txt and Addition.txt reports will be saved on the Desktop
    • Please attach the reports to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Attached reports
     
  3. Ebmocwen

    Ebmocwen Private E-2

    Ok, scan is complete and files are attached! Thank you for the help, it is much appreciated.
     

    Attached Files:

  4. Oh My!

    Oh My! Malware Expert Staff Member

    My pleasure to help.

    I don't see any active malware but there are some things we should address.

    Let's start with this.

    ===================================================

    Uninstalling Programs Using Revo Uninstaller Free Portable

    --------------------

    • Download Revo Uninstaller Free Portable and save it to your Desktop
    • Right click on the folder and select Extract All..., then click Extract
    • Double click on the RevoUninstaller-Portable folder
    • Right click on RevoUPort and select Run as administrator
    • Click OK on the License Agreement
    • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
    Code:
    Adobe Shockwave Player 12.1
    
    • If the program's uninstaller appears, work through the steps to remove the program(s)
    • Be sure the Advanced option is selected then click Scan
    • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
    • Once done click Finish
    • Reboot your computer
    ===================================================

    Deleting Chrome Notifications

    --------------------
    • Launch Chrome
    • Type chrome://settings/syncSetup in the address bar and hit Enter
    • Report whether the page says Turn on sync... or Turn off
    • Type chrome://settings/content/notifications and hit Enter
    • Scroll down to Allowed to send notifications
    • For any entry you are not familiar with or do not want click on the 3 horizontal dots to the right and select Remove
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information, then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    C:\Program Files\McAfee
    Task: {C6F3DCC6-3CB7-4357-9CEC-F98D75E4D875} - System32\Tasks\McAfee\WPS\amwebapitriggertask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {215E1A22-7894-4B93-B978-D573CB01C018} - System32\Tasks\McAfee\WPS\AntiTrackerTask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {AE55C8F9-6A78-4532-8DD9-6045F3EEC645} - System32\Tasks\McAfee\WPS\datupdatetask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {38355A7E-73A4-4020-BB5B-063218EDF9E4} - System32\Tasks\McAfee\WPS\mcpcoscanner => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {8414FBED-F05E-44D1-944D-1E811C7E269D} - System32\Tasks\McAfee\WPS\NGMCadence => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {EB1444DE-686B-4A32-B417-65C6DDA37DE1} - System32\Tasks\McAfee\WPS\odsscheduledtask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {585B9442-2A40-45F4-ADC2-2ABBAC37ABBF} - System32\Tasks\McAfee\WPS\systemrebootedtask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {05C2E658-CF05-4FA0-9D2E-1DEDAA3AA533} - System32\Tasks\McAfee\WPS\tracker_remover => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    FW: McAfee (Enabled) {2FDD6819-222E-5E9F-F5E7-E13A2241D502}
    S2 DigiRefresh; C:\Program Files\Avid\Pro Tools First\MMERefresh.exe -s [X] 
    S3 digiSPTIService64; "C:\Program Files\Avid\Pro Tools First\digisptiservice64.exe" [X] 
    S3 MpKsle4231fa0; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C9DF7023-CF0D-4A0D-9012-0AF7B2421B93}\MpKslDrv.sys [X] 
    HKU\S-1-5-19\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\85.0.25.0\GoogleDriveFS.exe --startup_mode (No File) 
    HKU\S-1-5-20\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\85.0.25.0\GoogleDriveFS.exe --startup_mode (No File) 
    HKU\S-1-5-21-1975915644-1811057847-2465535352-1004\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\85.0.25.0\GoogleDriveFS.exe --startup_mode (No File) 
    HKU\S-1-5-21-1975915644-1811057847-2465535352-1005\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\85.0.25.0\GoogleDriveFS.exe --startup_mode (No File) 
    Task: {34511420-FD42-4F7E-9CC8-DB82D4E2C329} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION 
    Task: {ED9F7FFD-68B1-4806-B147-3270EB47E8AE} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe  /DeviceScanR6 (No File) 
    ContextMenuHandlers1: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} =>  -> No File 
    ContextMenuHandlers4: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} =>  -> No File 
    ContextMenuHandlers5: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} =>  -> No File 
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File 
    FirewallRules: [{FF4ACDE5-5565-430A-B68B-28440B08EAD5}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.80.194.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{DFA5CB27-CC34-4A5E-98D1-5B96678C63CF}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.80.194.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{BD948F06-081A-4AFE-9D18-9874BD2A4BFF}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.80.194.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{4D732DB8-216E-4945-8683-D205C013194D}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.80.194.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [UDP Query User{77C7C0D1-032C-4D71-AF54-174202CA070C}C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe] => (Allow) C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe => No File 
    FirewallRules: [TCP Query User{54DACD85-FF17-422F-88CB-4A288207F5EE}C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe] => (Allow) C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe => No File 
    FirewallRules: [{5E1BF7BE-A63F-44BF-87CF-1B89915BDE30}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.78.159.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{FDB821D7-C5DE-42A5-8DD5-4E11A76B3FB9}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.78.159.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{398E5895-5F61-4BE6-A6BC-69AD0760B16D}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.78.159.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{25C4AAF8-4E27-49AF-A91B-EA7357254A9B}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.78.159.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [UDP Query User{D9C22BB6-D454-494F-8ED5-4BC898D29291}C:\program files (x86)\jamulus\jamulus.exe] => (Allow) C:\program files (x86)\jamulus\jamulus.exe => No File 
    FirewallRules: [TCP Query User{1CC59D99-5DBB-4F0F-B8B4-51E60D159754}C:\program files (x86)\jamulus\jamulus.exe] => (Allow) C:\program files (x86)\jamulus\jamulus.exe => No File 
    FirewallRules: [{0A9290C7-7EE6-4F63-8155-A27210725E56}] => (Allow) C:\Program Files\Avid\Avid Link\AvidAppManHelper.exe => No File 
    FirewallRules: [{22FE96C7-A1F0-468A-B3FD-7CF4566BCC49}] => (Allow) C:\Program Files\Avid\Avid Link\Avid Link.exe => No File 
    FirewallRules: [{705FF403-0CE3-434B-A0E2-85F880CB3682}] => (Allow) C:\Program Files\Avid\Avid Link\jre\bin\java.exe => No File 
    FirewallRules: [UDP Query User{3910A6DB-530B-4C96-B331-EB5590EEBDF1}C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe] => (Allow) C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe => No File 
    FirewallRules: [TCP Query User{5391481F-B50C-4F04-BF72-C7AC3424F18E}C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe] => (Allow) C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe => No File 
    FirewallRules: [{0D78D04A-32F2-4736-BDAE-B8E5387A48E7}] => (Allow) c:\Program Files\CyberLink\PowerDirector12\PDR10.EXE => No File 
    FirewallRules: [{A8E96D84-141A-4E36-95A3-CC888A159504}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe => No File 
    FirewallRules: [{A4944596-6370-454E-8492-6FCD6CC3A283}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe => No File 
    FirewallRules: [{61AD9F13-A882-46CF-9F86-9641423C0972}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVDMovie.exe => No File 
    FirewallRules: [{7B564DE5-B736-4D8A-92B9-5037CC223A44}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVD Cinema\PowerDVDCinema.exe => No File 
    FirewallRules: [{64FEBE67-558B-4BF6-BD73-233F1A1BCFDE}] => (Allow) C:\Users\ebmoc\AppData\Local\Temp\7zS6424\setup\hpznui40.exe => No File 
    FirewallRules: [{93FCDEB6-CE0E-40FF-8A41-311CBB07CDD1}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe => No File 
    FirewallRules: [{529868D8-C568-467B-8458-8B6CD2E1A945}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\OxygenPanelDaemon.exe => No File 
    FirewallRules: [{C89A7F7C-B8A9-4670-A77F-4F2D32844442}] => (Allow) C:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\QtDecoder\QTDecoder.exe => No File 
    FirewallRules: [{E5266013-6654-482F-9870-6411BD9224CE}] => (Allow) C:\Users\ebmoc\AppData\Roaming\uTorrent\uTorrent.exe => No File 
    FirewallRules: [{93E32E13-8954-4BB9-AF77-700F128E5FA6}] => (Allow) C:\Users\ebmoc\AppData\Roaming\uTorrent\uTorrent.exe => No File 
    FirewallRules: [{4ED83E31-FE90-4B45-BEF0-0E74D99FEE8B}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{0693EC22-EBC4-4C79-AA9F-19F2BA9D53AA}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{FE0FACDA-E51D-4594-8217-3867D1D30A9F}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{BCC44B6C-83FC-4869-BE51-D8D853F94F97}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{7507FF59-CCCC-4FE2-B3DB-D103DDEEA54C}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.67.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{FCF05594-B093-492C-87C2-89B4AC8A65C6}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.67.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{6167816C-1F4B-405A-8F4D-189360578E65}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.67.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{A570956B-C892-47D5-B1D6-0D4BB2F05928}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.67.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{CA3C90AE-3EFD-41B2-96E5-F9FB159E51A5}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3403.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{B775AD89-2D85-4B63-BD46-C78231E028E4}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3403.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{31B85548-CDC4-4B5C-BAB4-23E38FC3A349}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3403.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    FirewallRules: [{202FB359-2B95-4905-BFD1-EAD66C42AB5C}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3403.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File 
    U3 aspnet_state; no ImagePath 
    U1 bdvedisk; no ImagePath 
    FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found 
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION 
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION 
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) 
    AlternateDataStreams: C:\ProgramData\PACE:F1FD6BF18E6C48B1 [217] 
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`28hfm [0] 
    AlternateDataStreams: C:\Users\ebmoc\Desktop\FRST64.exe:MBAM.Zone.Identifier [225] 
    AlternateDataStreams: C:\Users\ebmoc\Desktop\HitmanPro_x64.exe:BDU [0] 
    AlternateDataStreams: C:\Users\ebmoc\Desktop\setup.exe:BDU [0] 
    AlternateDataStreams: C:\Users\ebmoc\Downloads\AdwCleaner.exe:BDU [0] 
    AlternateDataStreams: C:\Users\ebmoc\Downloads\expressvpn_windows_12.64.0.8_release.exe:BDU [0] 
    AlternateDataStreams: C:\Users\ebmoc\Downloads\mb.exe:BDU [0] 
    2025-01-08 07:15 - 2020-12-27 06:29 - 000008192 ___SH C:\DumpStack.log.tmp 
    Path: containerfile:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp; file:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp->(SCRIPT0025); file:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp->(SCRIPT0026) 
    Path: containerfile:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp; file:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp->(SCRIPT0037) 
    CHR HKLM-x32\...\Chrome\Extension: [mfhcmdonhekjhfbjmeacdjbhlfgpjabp] 
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp: 
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Shockwave removed?
    • Chrome Sync Status?
    • Chrome Notifications reviewed?
    • Fixlog
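
The following is an added verification script, not part of Oh My!'s instructions or of FRST itself. It checks, after the fix and reboot, the three classes of item the fixlist above targeted: the Windows Defender DisableAntiSpyware/DisableAntiVirus registry values FRST flagged with ATTENTION, firewall rules whose program path no longer exists (the "=> No File" entries), and alternate data streams on files in Desktop and Downloads (the :BDU and :MBAM.Zone.Identifier entries). The Group Policy registry key and the two folders scanned are my assumptions, not values from the thread.

```powershell
# Added post-fix verification script; not from the forum post or from FRST.
# Run in an elevated PowerShell 5.1 session on Windows 10 after the FRST fix and reboot.
# Assumptions: the Policies key in Get-DefenderRestrictions and the folders in
# Get-ExtraStreams are my choices, not values taken from the thread.

# 1. Defender "Restriction" values. FRST flagged DisableAntiSpyware and
#    DisableAntiVirus under HKLM\SOFTWARE\Microsoft\Windows Defender; the
#    Group Policy key is checked as well because a policy there has the same effect.
function Get-DefenderRestrictions {
    $keys  = @('HKLM:\SOFTWARE\Microsoft\Windows Defender',
               'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender')   # assumed extra key
    $names = @('DisableAntiSpyware', 'DisableAntiVirus')
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $names) {
            $p = $props.PSObject.Properties[$name]
            if ($null -ne $p) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $p.Value }
            }
        }
    }
}

# 2. Firewall rules whose program path no longer exists (the "=> No File" entries
#    in the fixlist). Leftover Allow rules for uninstalled software are noise at
#    best, and become an unintended allow if something else later lands at that path.
function Get-OrphanedFirewallRules {
    foreach ($rule in Get-NetFirewallRule) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        # 'Any' and 'System' are not file paths
        if ([string]::IsNullOrEmpty($program) -or $program -in @('Any', 'System')) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($program)
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Action    = $rule.Action
                Program   = $path
            }
        }
    }
}

# 3. Alternate data streams on files in Desktop and Downloads. FRST listed :BDU and
#    :MBAM.Zone.Identifier streams on the downloaded cleanup tools; those are
#    scanner/browser markers, but any named stream is worth a look because a plain
#    directory listing does not show it. ':$DATA' is the file's normal content.
function Get-ExtraStreams {
    param([string[]]$Folders = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads"))
    foreach ($folder in $Folders) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Bytes = $_.Length }
                }
        }
    }
}

'--- Defender restriction values (expect none after the fix) ---'
$r = @(Get-DefenderRestrictions)
if ($r.Count) { $r | Format-Table -AutoSize } else { 'none' }

'--- Defender status (a third-party AV such as BitDefender legitimately turns real-time protection off) ---'
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected

'--- Firewall rules pointing at missing programs ---'
@(Get-OrphanedFirewallRules) | Format-Table -AutoSize

'--- Alternate data streams in Desktop and Downloads ---'
@(Get-ExtraStreams) | Format-Table -AutoSize
```

Enumerating every firewall rule through Get-NetFirewallApplicationFilter takes a minute or two on a typical machine; leftover rules it reports can be removed with Remove-NetFirewallRule once you have confirmed the program is really gone.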
     
  5. Ebmocwen

    Ebmocwen Private E-2

    Shockwave removed: check!
    Chrome Sync Status: I have this set to "on", so the option available was to turn it off.
    Chrome Notifications: I saw one that I didn't recognize and deleted it.
    Fixlog pasted below:
    Fix result of Farbar Recovery Scan Tool (x64) Version: 14-01-2025
    Ran by ebmoc (16-01-2025 07:59:58) Run:1
    Running from C:\Users\ebmoc\Desktop
    Loaded Profiles: ebmoc & CDFAccount
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    C:\Program Files\McAfee
    Task: {C6F3DCC6-3CB7-4357-9CEC-F98D75E4D875} - System32\Tasks\McAfee\WPS\amwebapitriggertask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {215E1A22-7894-4B93-B978-D573CB01C018} - System32\Tasks\McAfee\WPS\AntiTrackerTask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {AE55C8F9-6A78-4532-8DD9-6045F3EEC645} - System32\Tasks\McAfee\WPS\datupdatetask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {38355A7E-73A4-4020-BB5B-063218EDF9E4} - System32\Tasks\McAfee\WPS\mcpcoscanner => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {8414FBED-F05E-44D1-944D-1E811C7E269D} - System32\Tasks\McAfee\WPS\NGMCadence => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {EB1444DE-686B-4A32-B417-65C6DDA37DE1} - System32\Tasks\McAfee\WPS\odsscheduledtask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {585B9442-2A40-45F4-ADC2-2ABBAC37ABBF} - System32\Tasks\McAfee\WPS\systemrebootedtask => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    Task: {05C2E658-CF05-4FA0-9D2E-1DEDAA3AA533} - System32\Tasks\McAfee\WPS\tracker_remover => 1A62D23B-93C2-468A-B6B0-FFB2A23C1C0D
    FW: McAfee (Enabled) {2FDD6819-222E-5E9F-F5E7-E13A2241D502}
    S2 DigiRefresh; C:\Program Files\Avid\Pro Tools First\MMERefresh.exe -s [X]
    S3 digiSPTIService64; "C:\Program Files\Avid\Pro Tools First\digisptiservice64.exe" [X]
    S3 MpKsle4231fa0; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C9DF7023-CF0D-4A0D-9012-0AF7B2421B93}\MpKslDrv.sys [X]
    HKU\S-1-5-19\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\85.0.25.0\GoogleDriveFS.exe --startup_mode (No File)
    HKU\S-1-5-20\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\85.0.25.0\GoogleDriveFS.exe --startup_mode (No File)
    HKU\S-1-5-21-1975915644-1811057847-2465535352-1004\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\85.0.25.0\GoogleDriveFS.exe --startup_mode (No File)
    HKU\S-1-5-21-1975915644-1811057847-2465535352-1005\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\85.0.25.0\GoogleDriveFS.exe --startup_mode (No File)
    Task: {34511420-FD42-4F7E-9CC8-DB82D4E2C329} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    Task: {ED9F7FFD-68B1-4806-B147-3270EB47E8AE} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe /DeviceScanR6 (No File)
    ContextMenuHandlers1: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} => -> No File
    ContextMenuHandlers4: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} => -> No File
    ContextMenuHandlers5: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} => -> No File
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
    FirewallRules: [{FF4ACDE5-5565-430A-B68B-28440B08EAD5}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.80.194.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{DFA5CB27-CC34-4A5E-98D1-5B96678C63CF}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.80.194.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{BD948F06-081A-4AFE-9D18-9874BD2A4BFF}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.80.194.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{4D732DB8-216E-4945-8683-D205C013194D}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.80.194.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [UDP Query User{77C7C0D1-032C-4D71-AF54-174202CA070C}C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe] => (Allow) C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe => No File
    FirewallRules: [TCP Query User{54DACD85-FF17-422F-88CB-4A288207F5EE}C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe] => (Allow) C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe => No File
    FirewallRules: [{5E1BF7BE-A63F-44BF-87CF-1B89915BDE30}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.78.159.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{FDB821D7-C5DE-42A5-8DD5-4E11A76B3FB9}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.78.159.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{398E5895-5F61-4BE6-A6BC-69AD0760B16D}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.78.159.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{25C4AAF8-4E27-49AF-A91B-EA7357254A9B}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.78.159.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [UDP Query User{D9C22BB6-D454-494F-8ED5-4BC898D29291}C:\program files (x86)\jamulus\jamulus.exe] => (Allow) C:\program files (x86)\jamulus\jamulus.exe => No File
    FirewallRules: [TCP Query User{1CC59D99-5DBB-4F0F-B8B4-51E60D159754}C:\program files (x86)\jamulus\jamulus.exe] => (Allow) C:\program files (x86)\jamulus\jamulus.exe => No File
    FirewallRules: [{0A9290C7-7EE6-4F63-8155-A27210725E56}] => (Allow) C:\Program Files\Avid\Avid Link\AvidAppManHelper.exe => No File
    FirewallRules: [{22FE96C7-A1F0-468A-B3FD-7CF4566BCC49}] => (Allow) C:\Program Files\Avid\Avid Link\Avid Link.exe => No File
    FirewallRules: [{705FF403-0CE3-434B-A0E2-85F880CB3682}] => (Allow) C:\Program Files\Avid\Avid Link\jre\bin\java.exe => No File
    FirewallRules: [UDP Query User{3910A6DB-530B-4C96-B331-EB5590EEBDF1}C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe] => (Allow) C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe => No File
    FirewallRules: [TCP Query User{5391481F-B50C-4F04-BF72-C7AC3424F18E}C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe] => (Allow) C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe => No File
    FirewallRules: [{0D78D04A-32F2-4736-BDAE-B8E5387A48E7}] => (Allow) c:\Program Files\CyberLink\PowerDirector12\PDR10.EXE => No File
    FirewallRules: [{A8E96D84-141A-4E36-95A3-CC888A159504}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe => No File
    FirewallRules: [{A4944596-6370-454E-8492-6FCD6CC3A283}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe => No File
    FirewallRules: [{61AD9F13-A882-46CF-9F86-9641423C0972}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVDMovie.exe => No File
    FirewallRules: [{7B564DE5-B736-4D8A-92B9-5037CC223A44}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVD Cinema\PowerDVDCinema.exe => No File
    FirewallRules: [{64FEBE67-558B-4BF6-BD73-233F1A1BCFDE}] => (Allow) C:\Users\ebmoc\AppData\Local\Temp\7zS6424\setup\hpznui40.exe => No File
    FirewallRules: [{93FCDEB6-CE0E-40FF-8A41-311CBB07CDD1}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe => No File
    FirewallRules: [{529868D8-C568-467B-8458-8B6CD2E1A945}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\OxygenPanelDaemon.exe => No File
    FirewallRules: [{C89A7F7C-B8A9-4670-A77F-4F2D32844442}] => (Allow) C:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\QtDecoder\QTDecoder.exe => No File
    FirewallRules: [{E5266013-6654-482F-9870-6411BD9224CE}] => (Allow) C:\Users\ebmoc\AppData\Roaming\uTorrent\uTorrent.exe => No File
    FirewallRules: [{93E32E13-8954-4BB9-AF77-700F128E5FA6}] => (Allow) C:\Users\ebmoc\AppData\Roaming\uTorrent\uTorrent.exe => No File
    FirewallRules: [{4ED83E31-FE90-4B45-BEF0-0E74D99FEE8B}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{0693EC22-EBC4-4C79-AA9F-19F2BA9D53AA}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{FE0FACDA-E51D-4594-8217-3867D1D30A9F}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{BCC44B6C-83FC-4869-BE51-D8D853F94F97}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{7507FF59-CCCC-4FE2-B3DB-D103DDEEA54C}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.67.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{FCF05594-B093-492C-87C2-89B4AC8A65C6}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.67.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{6167816C-1F4B-405A-8F4D-189360578E65}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.67.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{A570956B-C892-47D5-B1D6-0D4BB2F05928}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.67.96.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{CA3C90AE-3EFD-41B2-96E5-F9FB159E51A5}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3403.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{B775AD89-2D85-4B63-BD46-C78231E028E4}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3403.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{31B85548-CDC4-4B5C-BAB4-23E38FC3A349}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3403.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{202FB359-2B95-4905-BFD1-EAD66C42AB5C}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3403.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
    U3 aspnet_state; no ImagePath
    U1 bdvedisk; no ImagePath
    FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    AlternateDataStreams: C:\ProgramData\PACE:F1FD6BF18E6C48B1 [217]
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`28hfm [0]
    AlternateDataStreams: C:\Users\ebmoc\Desktop\FRST64.exe:MBAM.Zone.Identifier [225]
    AlternateDataStreams: C:\Users\ebmoc\Desktop\HitmanPro_x64.exe:BDU [0]
    AlternateDataStreams: C:\Users\ebmoc\Desktop\setup.exe:BDU [0]
    AlternateDataStreams: C:\Users\ebmoc\Downloads\AdwCleaner.exe:BDU [0]
    AlternateDataStreams: C:\Users\ebmoc\Downloads\expressvpn_windows_12.64.0.8_release.exe:BDU [0]
    AlternateDataStreams: C:\Users\ebmoc\Downloads\mb.exe:BDU [0]
    2025-01-08 07:15 - 2020-12-27 06:29 - 000008192 ___SH C:\DumpStack.log.tmp
    Path: containerfile:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp; file:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp->(SCRIPT0025); file:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp->(SCRIPT0026)
    Path: containerfile:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp; file:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp->(SCRIPT0037)
    CHR HKLM-x32\...\Chrome\Extension: [mfhcmdonhekjhfbjmeacdjbhlfgpjabp]
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp:
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.

    "C:\Program Files\McAfee" Folder move:

    Could not move "C:\Program Files\McAfee" => Scheduled to move on reboot.

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C6F3DCC6-3CB7-4357-9CEC-F98D75E4D875}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C6F3DCC6-3CB7-4357-9CEC-F98D75E4D875}" => removed successfully
    C:\WINDOWS\System32\Tasks\McAfee\WPS\amwebapitriggertask => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\WPS\amwebapitriggertask" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{215E1A22-7894-4B93-B978-D573CB01C018}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{215E1A22-7894-4B93-B978-D573CB01C018}" => removed successfully
    C:\WINDOWS\System32\Tasks\McAfee\WPS\AntiTrackerTask => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\WPS\AntiTrackerTask" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AE55C8F9-6A78-4532-8DD9-6045F3EEC645}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE55C8F9-6A78-4532-8DD9-6045F3EEC645}" => removed successfully
    C:\WINDOWS\System32\Tasks\McAfee\WPS\datupdatetask => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\WPS\datupdatetask" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{38355A7E-73A4-4020-BB5B-063218EDF9E4}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{38355A7E-73A4-4020-BB5B-063218EDF9E4}" => removed successfully
    C:\WINDOWS\System32\Tasks\McAfee\WPS\mcpcoscanner => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\WPS\mcpcoscanner" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8414FBED-F05E-44D1-944D-1E811C7E269D}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8414FBED-F05E-44D1-944D-1E811C7E269D}" => removed successfully
    C:\WINDOWS\System32\Tasks\McAfee\WPS\NGMCadence => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\WPS\NGMCadence" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EB1444DE-686B-4A32-B417-65C6DDA37DE1}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB1444DE-686B-4A32-B417-65C6DDA37DE1}" => removed successfully
    C:\WINDOWS\System32\Tasks\McAfee\WPS\odsscheduledtask => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\WPS\odsscheduledtask" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{585B9442-2A40-45F4-ADC2-2ABBAC37ABBF}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{585B9442-2A40-45F4-ADC2-2ABBAC37ABBF}" => removed successfully
    C:\WINDOWS\System32\Tasks\McAfee\WPS\systemrebootedtask => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\WPS\systemrebootedtask" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{05C2E658-CF05-4FA0-9D2E-1DEDAA3AA533}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{05C2E658-CF05-4FA0-9D2E-1DEDAA3AA533}" => removed successfully
    C:\WINDOWS\System32\Tasks\McAfee\WPS\tracker_remover => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\WPS\tracker_remover" => removed successfully
    "FW: McAfee (Enabled) {2FDD6819-222E-5E9F-F5E7-E13A2241D502}" => not found
    HKLM\System\CurrentControlSet\Services\DigiRefresh => removed successfully
    DigiRefresh => service removed successfully
    HKLM\System\CurrentControlSet\Services\digiSPTIService64 => removed successfully
    digiSPTIService64 => service removed successfully
    HKLM\System\CurrentControlSet\Services\MpKsle4231fa0 => removed successfully
    MpKsle4231fa0 => service removed successfully
    "HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleDriveFS" => removed successfully
    "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleDriveFS" => removed successfully
    "HKU\S-1-5-21-1975915644-1811057847-2465535352-1004\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleDriveFS" => removed successfully
    "HKU\S-1-5-21-1975915644-1811057847-2465535352-1005\Software\Microsoft\Windows\CurrentVersion\Run" => not found
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{34511420-FD42-4F7E-9CC8-DB82D4E2C329}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{34511420-FD42-4F7E-9CC8-DB82D4E2C329}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" => not found
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ED9F7FFD-68B1-4806-B147-3270EB47E8AE}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ED9F7FFD-68B1-4806-B147-3270EB47E8AE}" => removed successfully
    C:\WINDOWS\System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan" => removed successfully
    HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\DriveFS 28 or later => removed successfully
    HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\DriveFS 28 or later => removed successfully
    HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\DriveFS 28 or later => removed successfully
    HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FF4ACDE5-5565-430A-B68B-28440B08EAD5}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DFA5CB27-CC34-4A5E-98D1-5B96678C63CF}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BD948F06-081A-4AFE-9D18-9874BD2A4BFF}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4D732DB8-216E-4945-8683-D205C013194D}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{77C7C0D1-032C-4D71-AF54-174202CA070C}C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{54DACD85-FF17-422F-88CB-4A288207F5EE}C:\program files\windowsapps\xbmcfoundation.kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5E1BF7BE-A63F-44BF-87CF-1B89915BDE30}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FDB821D7-C5DE-42A5-8DD5-4E11A76B3FB9}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{398E5895-5F61-4BE6-A6BC-69AD0760B16D}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{25C4AAF8-4E27-49AF-A91B-EA7357254A9B}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{D9C22BB6-D454-494F-8ED5-4BC898D29291}C:\program files (x86)\jamulus\jamulus.exe" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{1CC59D99-5DBB-4F0F-B8B4-51E60D159754}C:\program files (x86)\jamulus\jamulus.exe" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0A9290C7-7EE6-4F63-8155-A27210725E56}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{22FE96C7-A1F0-468A-B3FD-7CF4566BCC49}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{705FF403-0CE3-434B-A0E2-85F880CB3682}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{3910A6DB-530B-4C96-B331-EB5590EEBDF1}C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{5391481F-B50C-4F04-BF72-C7AC3424F18E}C:\program files\windowsapps\xbmcfoundation.kodi_17.9.601.0_x86__4n2hpmxwrvr6p\kodi.exe" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0D78D04A-32F2-4736-BDAE-B8E5387A48E7}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A8E96D84-141A-4E36-95A3-CC888A159504}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A4944596-6370-454E-8492-6FCD6CC3A283}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{61AD9F13-A882-46CF-9F86-9641423C0972}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7B564DE5-B736-4D8A-92B9-5037CC223A44}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{64FEBE67-558B-4BF6-BD73-233F1A1BCFDE}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{93FCDEB6-CE0E-40FF-8A41-311CBB07CDD1}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{529868D8-C568-467B-8458-8B6CD2E1A945}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C89A7F7C-B8A9-4670-A77F-4F2D32844442}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E5266013-6654-482F-9870-6411BD9224CE}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{93E32E13-8954-4BB9-AF77-700F128E5FA6}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4ED83E31-FE90-4B45-BEF0-0E74D99FEE8B}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0693EC22-EBC4-4C79-AA9F-19F2BA9D53AA}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FE0FACDA-E51D-4594-8217-3867D1D30A9F}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BCC44B6C-83FC-4869-BE51-D8D853F94F97}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7507FF59-CCCC-4FE2-B3DB-D103DDEEA54C}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FCF05594-B093-492C-87C2-89B4AC8A65C6}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6167816C-1F4B-405A-8F4D-189360578E65}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A570956B-C892-47D5-B1D6-0D4BB2F05928}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CA3C90AE-3EFD-41B2-96E5-F9FB159E51A5}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B775AD89-2D85-4B63-BD46-C78231E028E4}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{31B85548-CDC4-4B5C-BAB4-23E38FC3A349}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{202FB359-2B95-4905-BFD1-EAD66C42AB5C}" => removed successfully
    HKLM\System\CurrentControlSet\Services\aspnet_state => removed successfully
    aspnet_state => service removed successfully
    HKLM\System\CurrentControlSet\Services\bdvedisk => removed successfully
    bdvedisk => service removed successfully
    "HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{F003DA68-8256-4b37-A6C4-350FA04494DF}" => removed successfully
    HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"="0" => value restored successfully
    HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiVirus"="0" => value restored successfully
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) => Error: No automatic fix found for this entry.
    C:\ProgramData\PACE => ":F1FD6BF18E6C48B1" ADS removed successfully
    C:\ProgramData\Reprise => ":wupeogjxlctlfudivq`qsp`28hfm" ADS removed successfully
    "C:\Users\ebmoc\Desktop\FRST64.exe" => ":MBAM.Zone.Identifier" ADS not found.
    C:\Users\ebmoc\Desktop\HitmanPro_x64.exe => ":BDU" ADS removed successfully
    C:\Users\ebmoc\Desktop\setup.exe => ":BDU" ADS removed successfully
    C:\Users\ebmoc\Downloads\AdwCleaner.exe => ":BDU" ADS removed successfully
    C:\Users\ebmoc\Downloads\expressvpn_windows_12.64.0.8_release.exe => ":BDU" ADS removed successfully
    C:\Users\ebmoc\Downloads\mb.exe => ":BDU" ADS removed successfully
    Could not move "C:\DumpStack.log.tmp" => Scheduled to move on reboot.
    Path: containerfile:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp; file:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp->(SCRIPT0025); file:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp->(SCRIPT0026) => Error: No automatic fix found for this entry.
    Path: containerfile:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp; file:_C:\Users\ebmoc\Downloads\9576a2d0-926b-498f-b5b6-bd15a26fd76f.tmp->(SCRIPT0037) => Error: No automatic fix found for this entry.
    HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mfhcmdonhekjhfbjmeacdjbhlfgpjabp => removed successfully

    ========= sfc /scannow =========



    Beginning system scan. This process will take some time.



    Beginning verification phase of system scan.


    Verification 0% complete.
    Verification 1% complete.
    Verification 1% complete.
    Verification 2% complete.
    Verification 3% complete.
    Verification 3% complete.
    Verification 4% complete.
    Verification 4% complete.
    Verification 5% complete.
    Verification 6% complete.
    Verification 6% complete.
    Verification 7% complete.
    Verification 7% complete.
    Verification 8% complete.
    Verification 9% complete.
    Verification 9% complete.
    Verification 10% complete.
    Verification 10% complete.
    Verification 11% complete.
    Verification 12% complete.
    Verification 12% complete.
    Verification 13% complete.
    Verification 13% complete.
    Verification 14% complete.
    Verification 15% complete.
    Verification 15% complete.
    Verification 16% complete.
    Verification 16% complete.
    Verification 17% complete.
    Verification 18% complete.
    Verification 18% complete.
    Verification 19% complete.
    Verification 19% complete.
    Verification 20% complete.
    Verification 21% complete.
    Verification 21% complete.
    Verification 22% complete.
    Verification 22% complete.
    Verification 23% complete.
    Verification 24% complete.
    Verification 24% complete.
    Verification 25% complete.
    Verification 25% complete.
    Verification 26% complete.
    Verification 27% complete.
    Verification 27% complete.
    Verification 28% complete.
    Verification 28% complete.
    Verification 29% complete.
    Verification 30% complete.
    Verification 30% complete.
    Verification 31% complete.
    Verification 31% complete.
    Verification 32% complete.
    Verification 33% complete.
    Verification 33% complete.
    Verification 34% complete.
    Verification 34% complete.
    Verification 35% complete.
    Verification 36% complete.
    Verification 36% complete.
    Verification 37% complete.
    Verification 37% complete.
    Verification 38% complete.
    Verification 39% complete.
    Verification 39% complete.
    Verification 40% complete.
    Verification 40% complete.
    Verification 41% complete.
    Verification 42% complete.
    Verification 42% complete.
    Verification 43% complete.
    Verification 43% complete.
    Verification 44% complete.
    Verification 45% complete.
    Verification 45% complete.
    Verification 46% complete.
    Verification 46% complete.
    Verification 47% complete.
    Verification 48% complete.
    Verification 48% complete.
    Verification 49% complete.
    Verification 49% complete.
    Verification 50% complete.
    Verification 51% complete.
    Verification 51% complete.
    Verification 52% complete.
    Verification 52% complete.
    Verification 53% complete.
    Verification 54% complete.
    Verification 54% complete.
    Verification 55% complete.
    Verification 55% complete.
    Verification 56% complete.
    Verification 57% complete.
    Verification 57% complete.
    Verification 58% complete.
    Verification 58% complete.
    Verification 59% complete.
    Verification 60% complete.
    Verification 60% complete.
    Verification 61% complete.
    Verification 61% complete.
    Verification 62% complete.
    Verification 63% complete.
    Verification 63% complete.
    Verification 64% complete.
    Verification 64% complete.
    Verification 65% complete.
    Verification 66% complete.
    Verification 66% complete.
    Verification 67% complete.
    Verification 67% complete.
    Verification 68% complete.
    Verification 69% complete.
    Verification 69% complete.
    Verification 70% complete.
    Verification 70% complete.
    Verification 71% complete.
    Verification 72% complete.
    Verification 72% complete.
    Verification 73% complete.
    Verification 73% complete.
    Verification 74% complete.
    Verification 75% complete.
    Verification 75% complete.
    Verification 76% complete.
    Verification 76% complete.
    Verification 77% complete.
    Verification 78% complete.
    Verification 78% complete.
    Verification 79% complete.
    Verification 79% complete.
    Verification 80% complete.
    Verification 81% complete.
    Verification 81% complete.
    Verification 82% complete.
    Verification 82% complete.
    Verification 83% complete.
    Verification 84% complete.
    Verification 84% complete.
    Verification 85% complete.
    Verification 85% complete.
    Verification 86% complete.
    Verification 87% complete.
    Verification 87% complete.
    Verification 88% complete.
    Verification 88% complete.
    Verification 89% complete.
    Verification 90% complete.
    Verification 90% complete.
    Verification 91% complete.
    Verification 91% complete.
    Verification 92% complete.
    Verification 93% complete.
    Verification 93% complete.
    Verification 94% complete.
    Verification 94% complete.
    Verification 95% complete.
    Verification 96% complete.
    Verification 96% complete.
    Verification 97% complete.
    Verification 97% complete.
    Verification 98% complete.
    Verification 99% complete.
    Verification 99% complete.
    Verification 100% complete.


    Windows Resource Protection found corrupt files and successfully repaired them.

    For online repairs, details are included in the CBS log file located at
    windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
    repairs, details are included in the log file provided by the /OFFLOGFILE flag.



    ========= End of CMD: =========


    ========= DISM /Online /Cleanup-Image /CheckHealth =========


    Deployment Image Servicing and Management tool
    Version: 10.0.19041.3636

    Image Version: 10.0.19045.5371

    No component store corruption detected.
    The operation completed successfully.


    ========= End of CMD: =========


    =========== EmptyTemp: ==========

    FlushDNS => completed
    BITS transfer queue => 4980736 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 54880854 B
    Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
    Windows/system/drivers => 388776476 B
    Edge => 0 B
    Chrome => 847520534 B
    Firefox => 0 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 6656 B
    ProgramData => 6656 B
    Public => 6656 B
    systemprofile => 311514 B
    systemprofile32 => 311514 B
    LocalService => 40292977 B
    NetworkService => 98487913 B
    ebmoc => 289869810 B
    CDFAccount => 289879153 B
    defaultuser100000 => 289886321 B

    RecycleBin => 0 B
    EmptyTemp: => 2.1 GB temporary data Removed.

    ================================

    Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 16-01-2025 17:21:58)

    C:\Program Files\McAfee => Is moved successfully
    C:\DumpStack.log.tmp => Could not move

    ==== End of Fixlog 17:21:59 ====
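As an added example, not part of this thread and not FRST's own code, the Python script below reads Fixlog entries in the `subject => outcome` form shown above and separates the lines that still need a second look (`Error: No automatic fix found`, `Scheduled to move on reboot`, `Could not move`) from the routine `removed/moved successfully` ones. It also picks out the Windows Defender `DisableAnti*` policy values that a fix restored to 0, because an entry like that means the script had to switch Defender back on and it is worth confirming it stays on after the reboot. The sample text is a constructed excerpt in the same format, and the function names are mine.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt in the FRST Fixlog format (a few lines of the kinds seen
# in the log above, not the whole log). Each entry is "<subject> => <outcome>".
SAMPLE_FIXLOG = r"""
C:\WINDOWS\System32\Tasks\McAfee\WPS\datupdatetask => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\WPS\datupdatetask" => removed successfully
"FW: McAfee (Enabled) {2FDD6819-222E-5E9F-F5E7-E13A2241D502}" => not found
HKLM\System\CurrentControlSet\Services\DigiRefresh => removed successfully
DigiRefresh => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"="0" => value restored successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) => Error: No automatic fix found for this entry.
C:\ProgramData\PACE => ":F1FD6BF18E6C48B1" ADS removed successfully
"C:\Users\ebmoc\Desktop\FRST64.exe" => ":MBAM.Zone.Identifier" ADS not found.
Could not move "C:\DumpStack.log.tmp" => Scheduled to move on reboot.
C:\Program Files\McAfee => Is moved successfully
C:\DumpStack.log.tmp => Could not move
"""

# Categories that mean the entry was not fully handled by the automatic fix.
FOLLOW_UP = ("error", "deferred", "failed")


def classify(line: str) -> Tuple[str, str, str]:
    """Split one Fixlog entry into (category, subject, outcome).

    FRST appends the result after the last " => ", so rpartition keeps any
    earlier " => " (as in the UAC policy line) inside the subject.
    Categories: fixed, not_found, error, deferred, failed, other.
    """
    subject, sep, outcome = line.rpartition(" => ")
    if not sep:
        return ("other", line, "")
    outcome = outcome.strip()
    if outcome.startswith("Error:"):
        cat = "error"
    elif outcome.endswith("successfully"):
        cat = "fixed"
    elif "not found" in outcome:
        cat = "not_found"
    elif outcome.startswith("Scheduled to move on reboot"):
        cat = "deferred"
    elif outcome.startswith("Could not move"):
        cat = "failed"
    else:
        cat = "other"
    return (cat, subject.strip(), outcome)


def summarize(fixlog: str) -> Dict[str, object]:
    """Tally outcomes and list the entries that still need a human."""
    counts: Counter = Counter()
    follow_up: List[str] = []
    defender_restored: List[str] = []
    for raw in fixlog.splitlines():
        line = raw.strip()
        if not line:
            continue
        cat, subject, outcome = classify(line)
        counts[cat] += 1
        if cat in FOLLOW_UP:
            follow_up.append(f"[{cat}] {subject} -> {outcome}")
        # A restored Defender Disable* policy value means the fix had to turn
        # Defender back on: worth confirming it stays on after reboot.
        if cat == "fixed" and "Windows Defender" in subject and "DisableAnti" in subject:
            defender_restored.append(subject)
    return {"counts": dict(counts), "follow_up": follow_up,
            "defender_restored": defender_restored}


if __name__ == "__main__":
    report = summarize(SAMPLE_FIXLOG)
    print(report["counts"])
    for item in report["follow_up"] + report["defender_restored"]:
        print(item)
```

To run it against a real log, pass the file contents to `summarize()` (FRST writes its logs with a byte-order mark, so open with `encoding="utf-8-sig"`); the `follow_up` list is the part to paste back into a reply, since those are the entries the helper has to deal with by hand.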
     
  6. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the information. How is the computer running?
     
  7. Ebmocwen

    Ebmocwen Private E-2

    Well, it seems ok. I would even say it seems to start up a little quicker. (btw I forgot to mention Windows did an update before I could run the last instructions). It still seems slow and like the hard drive is being accessed a lot. I was thinking after this step I should move to a tutorial about regular Windows maintenance, like checking on what's in the start up folder and defragging the HD?? Should I worry about the items that the other programs like Malwarebytes and so on identified?
     
  8. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    These components are quite old and there is only so much you can expect from them. Having said that, let's see what we can do.

    Please do this.

    Run a new FRST Scan and attach both reports to your reply.

    ===================================================

    Autoruns

    --------------------
    • Please download Autoruns and save it to your Desktop
    • Right click on the autoruns64 icon on your Desktop and select Run as administrator
    • Wait until the lower left hand corner of the window shows Ready
    • Press the Ctrl + S keys at the same time
    • Save the file onto your Desktop using the default File name:
    • Please zip and attach it to your reply
    ===================================================

    GSmartControl for Windows - Portable

    -------------------
    • Download GSmartControl for Windows - Portable and save it to your desktop
    • Right click on gsmartcontrol.zip icon and select Extract All... then Extract
    • Double click on the gsmartcontrol folder
    • Right click on gsmartcontrol.exe (not .manifest) and select Run as administrator
    • Allow the program to search for and list your hard drive(s)
    • Double click your C: drive
    • Go to the Self-tests tab
    • Make sure that the Test Type is set to Short Self-test
    • Click the Execute button
    • After the test completes, click the View Output button and copy and paste the contents in your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Attached FRST.txt and Addition.txt reports
    • Attached Autoruns file
    • GSmart report
     
