The computer behaves suspiciously(maybe RaT or dropper i think)

Hello, Everyone!

I need help: The computer behaves suspiciously.

I get the impression that it is controlled remotely through some kind of backdoor.

Firstly, I have not had it go into sleep mode for about 3-4 months, none of the settings helped. Secondly, some strange ports are open on the computer and router, there is a suspicion that it is time to either flash tp-link archer c60 to custom firmware or throw it away.

 

Результат сканирования Farbar Recovery Scan Tool (FRST) (x64) Версия: 10-11-2024 02

I wanted to look at the task scheduler log now, but the logs were either lost or access was disabled. The built-in Windows antivirus and Kaspersky antivirus are silent.

Hi rubyheart ,
My name is Dennis and I will assist you with your computer problems.
Please read through these guidelines before we start.

• Back up any important data, as a precaution, before starting this process.
• If you are unsure about anything then please ask. This makes the task much easier in the long run.
• Do not run any other tools or make changes to your system during the removal process.
• Please do not start a new topic and keep all replies in this thread.
• Follow the instructions in the sequence advised.
• Copy and paste the logs into the reply. I will advise if anything needs to be added as an attachment.
• Here at Bleeping Computer we are mostly volunteers, so please be patient with us. I’ll try to respond within 24 hours. You will be advised if it is expected to be longer than 48 hours.
• Please let me know if you are going to be delayed in responding. If you do not reply after 5 days, I’ll assume you do not want to continue and will close the topic.
• Sometimes things might seem to be resolved, but there may still need to be more checks necessary, so please wait until I give the all clear.

Please give me some time to examine your logs and I will get back to you as soon as possible.

Dennis

There is some cleanup to be done and also a few items I'd like to check
When we have done this we can run through any remaining concerns.
Firstly I have some observations for you to consider.
1) I see that you have Peer 2 Peer torrent software installed. It is likely that if you continue to use this, you will become infected, as malicious Worms, Trojans & Ransomware can spread across P2P file sharing networks
It would be wise to uninstall Peer 2 Peer programs, but  that choice is up to you. If you choose to remove the program, you can do so via Start >Settings >Apps>Apps & Features.
However if you still wish to keep it, please do not use until we are finished and your computer is clean and updated.
2) You have Office 2013 installed which is no longer supported and therefore represents and increasing security risk.
3) We can reset policy to default, which should enable you to regain full permissions.
4) Please check your Downloads folder and Desktop and remove any items you do not recognise or are unsure about.
5) Hola is known to be a PUP/adware extension and I suggest that you consider removing.
To do this:

• Open a new tab in Edge.
• Type edge://extensions/ in the address bar and press Enter to open the Extensions page.
• You will see a complete list of installed extensions.
• Click on the Remove option below the extension’s description.
• A popup window will open in the top right corner.
• Click on the Remove button to confirm.

------------------------------------------------------------------------------------
Could you please run this FRST script next.
As a part of this I have included the Emptytemp: command.
Note: This will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
Important: This script was written specifically for you, for use only on this machine. Running this on another machine may cause damage to your operating system

• Right click on the FRST icon and select Run as administrator.
• Highlight all of the information in the text box below then hit the Ctrl + C keys together to copy the text.
• It is not necessary to paste the information anywhere as FRST will do this for you.

Start::
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Ограничение ? <==== ВНИМАНИЕ
Policies: C:\ProgramData\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
File: C:\Users\ltvn.adm\AppData\Local\Controld\ctrld.exe
File: C:\Users\ltvn.adm\Desktop\goodbyedpi-0.2.2\x86_64\WinDivert64.sys
Folder: C:\WINDOWS\system32\Drivers\mde
2024-11-11 09:55 - 2024-11-11 12:48 - 001013552 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-wal
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _____ C:\WINDOWS\SysWOW64\DnsStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000000000 _____ C:\WINDOWS\SysWOW64\DnsStorage-wal
2024-11-11 08:27 - 2024-06-29 10:02 - 000012288 _____ C:\WINDOWS\SysWOW64\AppRulesStorage
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [9372]
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (Нет файла)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> Нет файла
FirewallRules: [TCP Query User{FD473402-BB57-4A86-BB94-EE0700DD6947}C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe] => (Block) C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe => Нет файла
FirewallRules: [UDP Query User{5AB0D409-C41B-427E-967B-2AB644116EDC}C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe] => (Block) C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe => Нет файла
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Emptytemp:
End::

• Click on the Fix button just once and wait.
• If the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When it's finished FRST will generate a log in the location you ran the tool from. (Fixlog.txt).

Please copy the contents from this text file and paste into your next reply.
Also advise how your computer is running now

Результаты исправления Farbar Recovery Scan Tool (x64) Версия: 10-11-2024 02
Запущено с помощью ltvn.adm (14-11-2024 16:55:17) Run:4
Запущено из C:\Users\ltvn.adm\Desktop\_Utilities
Загруженные профили: ltvn.adm
Режим загрузки: Normal
==============================================

fixlist содержимое:
*****************

HKLM\...\Drivers32: [VIDC.X264] => C:\Windows\system32\x264vfw64.dll [3799552 2017-07-30] (x264vfw project) [Файл не подписан]
HKLM\...\Drivers32: [VIDC.LAGS] => C:\Windows\system32\lagarith.dll [148992 2011-12-07] () [Файл не подписан]
HKLM\...\Drivers32: [VIDC.XVID] => C:\Windows\system32\xvidvfw.dll [310784 2019-12-28] () [Файл не подписан]
HKLM\...\Drivers32: [msacm.ac3acm] => C:\Windows\system32\ac3acm.acm [180736 2012-07-21] (fccHandler) [Файл не подписан]
HKLM\...\Drivers32: [VIDC.X264] => C:\Windows\SysWOW64\x264vfw.dll [3850240 2017-07-30] (x264vfw project) [Файл не подписан]
HKLM\...\Drivers32: [VIDC.LAGS] => C:\Windows\SysWOW64\lagarith.dll [216064 2011-12-07] () [Файл не подписан]
HKLM\...\Drivers32: [VIDC.XVID] => C:\Windows\SysWOW64\xvidvfw.dll [284160 2019-12-28] () [Файл не подписан]
HKLM\...\Drivers32: [msacm.ac3acm] => C:\Windows\SysWOW64\ac3acm.acm [122880 2012-07-21] (fccHandler) [Файл не подписан]
HKU\S-1-5-21-620569670-1499795328-534050024-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2018-07-18] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2021-08-17] (Microsoft Corporation -> Microsoft Corporation)
Epic Games Launcher Prerequisites (x64) (HKLM\...\{F9C5C994-F6B9-4D75-B3E7-AD01B84073E9}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
K-Lite Mega Codec Pack 18.5.0 (HKLM-x32\...\KLiteCodecPack_is1) (Version: 18.5.0 - KLCP)
Launcher Prerequisites (x64) (HKLM-x32\...\{43a03b9c-4770-409c-a999-587b60700b63}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
FirewallRules: [{7023D1B1-AD28-42B7-8409-E952F1A001E9}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe (The qBittorrent Project) [Файл не подписан]
FirewallRules: [{5C203FAE-9A4F-489C-9CF3-99AE50F1573B}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe (The qBittorrent Project) [Файл не подписан]
S3 EasyAntiCheat_EOS; C:\Program Files (x86)\EasyAntiCheat_EOS\EasyAntiCheat_EOS.exe [955816 2024-04-21] (EasyAntiCheat Oy -> Epic Games, Inc.)
dge DefaultProfile: Default
Edge Profile: C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default [2024-09-08]
Edge HomePage: Default -> hxxps://google.ru/
Edge DefaultSearchURL: Default -> hxxps://yandex.ru/{yandex:searchPath}?text={searchTerms}&{yandex:referralID}
Edge DefaultSearchKeyword: Default -> yandex.ru
Edge DefaultNewTabURL: Default -> hxxps://www.yandex.ru/chrome/newtab
Edge DefaultSuggestURL: Default -> hxxps://suggest.yandex.ru/suggest-ff.cgi?part={searchTerms}
Edge Extension: (Steam Inventory Helper) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\cmeakgjggjdlcpncigglobpjbkabhmjl [2024-09-08]
Edge Extension: (Hola VPN - Your Website Unblocker) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2024-08-12]
Edge Extension: (Pride) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gpahbdchbfofplfeaeipcphhbdhdpnae [2024-09-08]
Edge Extension: (Dark Reader) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ifoakfbpdcdoeenechcleahebpibofpc [2024-09-04]
Edge Extension: (Edge relevant text changes) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2024-04-07]
Edge Extension: (uBlock Origin) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\odfafepnkmbhccpbejgmiehpchacaeak [2024-08-08]

Edge Profile: C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Profile 1 [2024-08-16]
Edge Extension: (Google Документы офлайн) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2024-08-16]
Edge Extension: (Edge relevant text changes) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2024-08-16]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-21] (Microsoft Corporation -> Microsoft Corporation)
R0 ambakdrv; C:\Windows\System32\ambakdrv.sys [51120 2016-12-21] (CHENGDU AOMEI Tech Co., Ltd. -> )
R2 ammntdrv; C:\Windows\system32\ammntdrv.sys [171952 2016-12-21] (CHENGDU AOMEI Tech Co., Ltd. -> )
R2 amwrtdrv; C:\Windows\system32\amwrtdrv.sys [38320 2017-09-01] (CHENGDU AOMEI Tech Co., Ltd. -> )
S3 AsrDrv102; C:\Windows\SysWOW64\Drivers\AsrDrv102.sys [22248 2024-08-13] (ASROCK Incorporation -> ASRock Incorporation) [Файл не подписан]
S3 HWiNFO_187; \??\C:\Users\ltvn.adm\AppData\Local\Temp\HWiNFO64A_187.SYS [X] <==== ВНИМАНИЕ
S3 ThrottleStop; \??\C:\Users\ltvn.adm\AppData\Local\Temp\ThrottleStop.sys [X] <==== ВНИМАНИЕ
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 192.168.0.1
Tcpip\..\Interfaces\{29f16c65-8176-4a4a-b767-e559d0edd17c}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{911b7043-1409-4574-925a-8d43fc0bc74d}: [DhcpNameServer] 192.168.0.1 192.168.0.1
Tcpip\..\Interfaces\{bd227b35-ebc6-476e-9efa-ef40a6b18cd4}: [NameServer] 1.1.1.1,9.9.9.9
Tcpip\..\Interfaces\{e644a866-43a1-4e41-b70c-3d4dd3ff32d1}: [DhcpNameServer] 192.168.0.1
HKU\S-1-5-21-620569670-1499795328-534050024-1001\...\MountPoints2: {9d78227d-434b-11ef-9749-a8a159718017} - "I:\SETUP.EXE"




*****************

"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\\VIDC.X264" => не найдено
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\\VIDC.LAGS" => не найдено
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\\VIDC.XVID" => не найдено
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\\msacm.ac3acm" => не найдено
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\\VIDC.X264" => не найдено
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\\VIDC.LAGS" => не найдено
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\\VIDC.XVID" => не найдено
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\\msacm.ac3acm" => не найдено
HKU\S-1-5-21-620569670-1499795328-534050024-1001\Software\Microsoft\Internet Explorer\Main\\"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157" => значение успешно восстановлен
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} => не найдено
HKLM\Software\Classes\PROTOCOLS\Handler\osf => успешно удалены
HKLM\Software\Classes\CLSID\{D924BDC6-C83A-4BD5-90D0-095128A113D1} => успешно удалены
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F9C5C994-F6B9-4D75-B3E7-AD01B84073E9}" => не найдено
K-Lite Mega Codec Pack 18.5.0 (HKLM-x32\...\KLiteCodecPack_is1) (Version: 18.5.0 - KLCP) => Ошибка: Для этой записи не найдено автоматических исправлений.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{43a03b9c-4770-409c-a999-587b60700b63}" => не найдено
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7023D1B1-AD28-42B7-8409-E952F1A001E9}" => не найдено
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5C203FAE-9A4F-489C-9CF3-99AE50F1573B}" => не найдено
EasyAntiCheat_EOS => служба не найдено.
dge DefaultProfile: Default => Ошибка: Для этой записи не найдено автоматических исправлений.

"C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default" Папка переместить:

C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default => успешно перемещены
"Edge HomePage" => не найдено
"Edge DefaultSearchURL" => не найдено
"Edge DefaultSearchKeyword" => не найдено
"Edge DefaultNewTabURL" => не найдено
"Edge DefaultSuggestURL" => не найдено
Edge Extension: (Steam Inventory Helper) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\cmeakgjggjdlcpncigglobpjbkabhmjl [2024-09-08] => Ошибка: Для этой записи не найдено автоматических исправлений.
Edge Extension: (Hola VPN - Your Website Unblocker) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2024-08-12] => Ошибка: Для этой записи не найдено автоматических исправлений.
Edge Extension: (Pride) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gpahbdchbfofplfeaeipcphhbdhdpnae [2024-09-08] => Ошибка: Для этой записи не найдено автоматических исправлений.
Edge Extension: (Dark Reader) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ifoakfbpdcdoeenechcleahebpibofpc [2024-09-04] => Ошибка: Для этой записи не найдено автоматических исправлений.
Edge Extension: (Edge relevant text changes) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2024-04-07] => Ошибка: Для этой записи не найдено автоматических исправлений.
Edge Extension: (uBlock Origin) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\odfafepnkmbhccpbejgmiehpchacaeak [2024-08-08] => Ошибка: Для этой записи не найдено автоматических исправлений.
"C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Profile 1" => не найдено
Edge Extension: (Google Документы офлайн) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2024-08-16] => Ошибка: Для этой записи не найдено автоматических исправлений.
Edge Extension: (Edge relevant text changes) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2024-08-16] => Ошибка: Для этой записи не найдено автоматических исправлений.
HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0 => не найдено
"FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation -> Microsoft Corporation)" => не найдено
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-21] (Microsoft Corporation" => не найдено
"FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-21] (Microsoft Corporation -> Microsoft Corporation)" => не найдено
ambakdrv => служба не найдено.
ammntdrv => служба не найдено.
amwrtdrv => служба не найдено.
AsrDrv102 => служба не найдено.
HWiNFO_187 => служба не найдено.
ThrottleStop => служба не найдено.
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer" => не найдено
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{29f16c65-8176-4a4a-b767-e559d0edd17c}\\DhcpNameServer" => не найдено
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{911b7043-1409-4574-925a-8d43fc0bc74d}\\DhcpNameServer" => не найдено
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd227b35-ebc6-476e-9efa-ef40a6b18cd4}\\NameServer" => успешно удалены
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e644a866-43a1-4e41-b70c-3d4dd3ff32d1}\\DhcpNameServer" => не найдено
HKU\S-1-5-21-620569670-1499795328-534050024-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9d78227d-434b-11ef-9749-a8a159718017} => не найдено

==== Конец от Fixlog 16:55:43 ====

I don't know what a EasyAntiCheat_EOS. Because I uninstalled Fortnite and epic game launcher about 4-6 months ago. Very suspicious. Also I don't know Edge Extension: (Pride) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gpahbdchbfofplfeaeipcphhbdhdpnae [2024-09-08] => Ошибка: Для этой записи не найдено автоматических исправлений.

You appear to have posted the results from a different fixlist?

No, I have attached the current fix

This was my fixlist.

Start::
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Ограничение ? <==== ВНИМАНИЕ
Policies: C:\ProgramData\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
File: C:\Users\ltvn.adm\AppData\Local\Controld\ctrld.exe
File: C:\Users\ltvn.adm\Desktop\goodbyedpi-0.2.2\x86_64\WinDivert64.sys
Folder: C:\WINDOWS\system32\Drivers\mde
2024-11-11 09:55 - 2024-11-11 12:48 - 001013552 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-wal
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _____ C:\WINDOWS\SysWOW64\DnsStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000000000 _____ C:\WINDOWS\SysWOW64\DnsStorage-wal
2024-11-11 08:27 - 2024-06-29 10:02 - 000012288 _____ C:\WINDOWS\SysWOW64\AppRulesStorage
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [9372]
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (Нет файла)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> Нет файла
FirewallRules: [TCP Query User{FD473402-BB57-4A86-BB94-EE0700DD6947}C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe] => (Block) C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe => Нет файла
FirewallRules: [UDP Query User{5AB0D409-C41B-427E-967B-2AB644116EDC}C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe] => (Block) C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe => Нет файла
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Emptytemp:
End::

 

This is the one in your reply.

HKLM\...\Drivers32: [VIDC.X264] => C:\Windows\system32\x264vfw64.dll [3799552 2017-07-30] (x264vfw project) [Файл не подписан]
HKLM\...\Drivers32: [VIDC.LAGS] => C:\Windows\system32\lagarith.dll [148992 2011-12-07] () [Файл не подписан]
HKLM\...\Drivers32: [VIDC.XVID] => C:\Windows\system32\xvidvfw.dll [310784 2019-12-28] () [Файл не подписан]
HKLM\...\Drivers32: [msacm.ac3acm] => C:\Windows\system32\ac3acm.acm [180736 2012-07-21] (fccHandler) [Файл не подписан]
HKLM\...\Drivers32: [VIDC.X264] => C:\Windows\SysWOW64\x264vfw.dll [3850240 2017-07-30] (x264vfw project) [Файл не подписан]
HKLM\...\Drivers32: [VIDC.LAGS] => C:\Windows\SysWOW64\lagarith.dll [216064 2011-12-07] () [Файл не подписан]
HKLM\...\Drivers32: [VIDC.XVID] => C:\Windows\SysWOW64\xvidvfw.dll [284160 2019-12-28] () [Файл не подписан]
HKLM\...\Drivers32: [msacm.ac3acm] => C:\Windows\SysWOW64\ac3acm.acm [122880 2012-07-21] (fccHandler) [Файл не подписан]
HKU\S-1-5-21-620569670-1499795328-534050024-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2018-07-18] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2021-08-17] (Microsoft Corporation -> Microsoft Corporation)
Epic Games Launcher Prerequisites (x64) (HKLM\...\{F9C5C994-F6B9-4D75-B3E7-AD01B84073E9}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
K-Lite Mega Codec Pack 18.5.0 (HKLM-x32\...\KLiteCodecPack_is1) (Version: 18.5.0 - KLCP)
Launcher Prerequisites (x64) (HKLM-x32\...\{43a03b9c-4770-409c-a999-587b60700b63}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
FirewallRules: [{7023D1B1-AD28-42B7-8409-E952F1A001E9}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe (The qBittorrent Project) [Файл не подписан]
FirewallRules: [{5C203FAE-9A4F-489C-9CF3-99AE50F1573B}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe (The qBittorrent Project) [Файл не подписан]
S3 EasyAntiCheat_EOS; C:\Program Files (x86)\EasyAntiCheat_EOS\EasyAntiCheat_EOS.exe [955816 2024-04-21] (EasyAntiCheat Oy -> Epic Games, Inc.)
dge DefaultProfile: Default
Edge Profile: C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default [2024-09-08]
Edge HomePage: Default -> hxxps://google.ru/
Edge DefaultSearchURL: Default -> hxxps://yandex.ru/{yandex:searchPath}?text={searchTerms}&{yandex:referralID}
Edge DefaultSearchKeyword: Default -> yandex.ru
Edge DefaultNewTabURL: Default -> hxxps://www.yandex.ru/chrome/newtab
Edge DefaultSuggestURL: Default -> hxxps://suggest.yandex.ru/suggest-ff.cgi?part={searchTerms}
Edge Extension: (Steam Inventory Helper) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\cmeakgjggjdlcpncigglobpjbkabhmjl [2024-09-08]
Edge Extension: (Hola VPN - Your Website Unblocker) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2024-08-12]
Edge Extension: (Pride) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gpahbdchbfofplfeaeipcphhbdhdpnae [2024-09-08]
Edge Extension: (Dark Reader) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ifoakfbpdcdoeenechcleahebpibofpc [2024-09-04]
Edge Extension: (Edge relevant text changes) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2024-04-07]
Edge Extension: (uBlock Origin) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\odfafepnkmbhccpbejgmiehpchacaeak [2024-08-08]

Edge Profile: C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Profile 1 [2024-08-16]
Edge Extension: (Google Документы офлайн) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2024-08-16]
Edge Extension: (Edge relevant text changes) - C:\Users\ltvn.adm\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2024-08-16]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-21] (Microsoft Corporation -> Microsoft Corporation)
R0 ambakdrv; C:\Windows\System32\ambakdrv.sys [51120 2016-12-21] (CHENGDU AOMEI Tech Co., Ltd. -> )
R2 ammntdrv; C:\Windows\system32\ammntdrv.sys [171952 2016-12-21] (CHENGDU AOMEI Tech Co., Ltd. -> )
R2 amwrtdrv; C:\Windows\system32\amwrtdrv.sys [38320 2017-09-01] (CHENGDU AOMEI Tech Co., Ltd. -> )
S3 AsrDrv102; C:\Windows\SysWOW64\Drivers\AsrDrv102.sys [22248 2024-08-13] (ASROCK Incorporation -> ASRock Incorporation) [Файл не подписан]
S3 HWiNFO_187; \??\C:\Users\ltvn.adm\AppData\Local\Temp\HWiNFO64A_187.SYS [X] <==== ВНИМАНИЕ
S3 ThrottleStop; \??\C:\Users\ltvn.adm\AppData\Local\Temp\ThrottleStop.sys [X] <==== ВНИМАНИЕ
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 192.168.0.1
Tcpip\..\Interfaces\{29f16c65-8176-4a4a-b767-e559d0edd17c}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{911b7043-1409-4574-925a-8d43fc0bc74d}: [DhcpNameServer] 192.168.0.1 192.168.0.1
Tcpip\..\Interfaces\{bd227b35-ebc6-476e-9efa-ef40a6b18cd4}: [NameServer] 1.1.1.1,9.9.9.9
Tcpip\..\Interfaces\{e644a866-43a1-4e41-b70c-3d4dd3ff32d1}: [DhcpNameServer] 192.168.0.1
HKU\S-1-5-21-620569670-1499795328-534050024-1001\...\MountPoints2: {9d78227d-434b-11ef-9749-a8a159718017} - "I:\SETUP.EXE"

 

 

I should attach a fixlog.txt after your fix right?

Результаты исправления Farbar Recovery Scan Tool (x64) Версия: 10-11-2024 02
Запущено с помощью ltvn.adm (14-11-2024 19:36:07) Run:5
Запущено из C:\Users\ltvn.adm\Desktop\_Utilities
Загруженные профили: ltvn.adm
Режим загрузки: Normal
==============================================

fixlist содержимое:
*****************
Start::
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Ограничение ? <==== ВНИМАНИЕ
Policies: C:\ProgramData\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
File: C:\Users\ltvn.adm\AppData\Local\Controld\ctrld.exe
File: C:\Users\ltvn.adm\Desktop\goodbyedpi-0.2.2\x86_64\WinDivert64.sys
Folder: C:\WINDOWS\system32\Drivers\mde
2024-11-11 09:55 - 2024-11-11 12:48 - 001013552 _ C:\WINDOWS\SysWOW64\AppRulesStorage-wal
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _ C:\WINDOWS\SysWOW64\DnsStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _ C:\WINDOWS\SysWOW64\AppRulesStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000000000 _ C:\WINDOWS\SysWOW64\DnsStorage-wal
2024-11-11 08:27 - 2024-06-29 10:02 - 000012288 _ C:\WINDOWS\SysWOW64\AppRulesStorage
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [9372]
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (Нет файла)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> Нет файла
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> Нет файла
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> Нет файла
FirewallRules: [TCP Query User{FD473402-BB57-4A86-BB94-EE0700DD6947}C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe] => (Block) C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe => Нет файла
FirewallRules: [UDP Query User{5AB0D409-C41B-427E-967B-2AB644116EDC}C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe] => (Block) C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe => Нет файла
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Emptytemp:
End::
*****************

Точка восстановления была успешно создана.
Процессы успешно завершились.

"C:\WINDOWS\system32\GroupPolicy\Machine" Папка переместить:

C:\WINDOWS\system32\GroupPolicy\Machine => успешно перемещены
C:\WINDOWS\system32\GroupPolicy\GPT.ini => успешно перемещены
C:\ProgramData\NTUSER.pol => успешно перемещены

========================= File: C:\Users\ltvn.adm\AppData\Local\Controld\ctrld.exe ========================

"C:\Users\ltvn.adm\AppData\Local\Controld\ctrld.exe" => не найдено
====== Конец от File: ======


========================= File: C:\Users\ltvn.adm\Desktop\goodbyedpi-0.2.2\x86_64\WinDivert64.sys ========================

C:\Users\ltvn.adm\Desktop\goodbyedpi-0.2.2\x86_64\WinDivert64.sys
Файл имеет ЭЦП
MD5: 007A3AE3F03FB18C2CAB1E0C97C45A20
Дата создания и изменения: 2022-03-21 11:13 - 2024-08-08 04:54
Размер: 000050592
Атрибуты: ----A
Название Компании : Ars Nova Systems -> Basil's Projects
Внутренний Имя: WinDivert.sys
Оригинальный Имя: WinDivert.sys
Продукт: WinDivert 1.4 driver
Описание: The WinDivert driver [URL: https://reqrypt.org/windivert.html] [Bitcoin: 1C5vZVSbizPeZ8ydTYhUfm4LA2cNwBfcYh]
Файл Версия: 1.4 built by: WinDDK
Продукт Версия: 1.4
Авторское право: Copyright © Basil's Projects 2011-2017
Virusscan: Ошибка:(2)

====== Конец от File: ======


========================= Folder: C:\WINDOWS\system32\Drivers\mde ========================


====== Конец от Folder: ======

Не могут быть перемещены "C:\WINDOWS\SysWOW64\AppRulesStorage-wal" => Запланирован к перемещению после перезагрузки.
Не могут быть перемещены "C:\WINDOWS\SysWOW64\DnsStorage-shm" => Запланирован к перемещению после перезагрузки.
Не могут быть перемещены "C:\WINDOWS\SysWOW64\AppRulesStorage-shm" => Запланирован к перемещению после перезагрузки.
Не могут быть перемещены "C:\WINDOWS\SysWOW64\DnsStorage-wal" => Запланирован к перемещению после перезагрузки.
Не могут быть перемещены "C:\WINDOWS\SysWOW64\AppRulesStorage" => Запланирован к перемещению после перезагрузки.
C:\Users\Public\Shared Files => ":VersionCache" ADS успешно удалены
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E0F10DCF-44AD-40E8-9370-FB5DA59F93FB}" => успешно удалены
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E0F10DCF-44AD-40E8-9370-FB5DA59F93FB}" => успешно удалены
C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => успешно перемещены
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" => успешно удалены
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => успешно удалены
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => успешно удалены
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => успешно удалены
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => успешно удалены
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => успешно удалены
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => успешно удалены
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => успешно удалены
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => успешно удалены
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => успешно удалены
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => успешно удалены
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => успешно удалены
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => успешно удалены
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => успешно удалены
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => успешно удалены
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{FD473402-BB57-4A86-BB94-EE0700DD6947}C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe" => успешно удалены
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{5AB0D409-C41B-427E-967B-2AB644116EDC}C:\users\ltvn.adm\appdata\local\temp\mxt243\mx86_64b\bin\xwin_mobax.exe" => успешно удалены

HKLM\System\CurrentControlSet\Services\WinSetupMon => успешно удалены
WinSetupMon => служба успешно удалены

========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.



========= Конец от CMD: =========


========= netsh int ip reset C:\resettcpip.txt =========

Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.



========= Конец от CMD: =========


========= Bitsadmin /Reset /Allusers =========


BITSADMIN version 3.0
BITS administration utility.
© Copyright Microsoft Corp.

{B8F1BE17-BF0E-48BB-8D85-EB9136638F4B} canceled.
{AF602BCB-5FF6-4B11-8E42-8FB117ACCC94} canceled.
2 out of 2 jobs canceled.


========= Конец от CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.


========= Конец от CMD: =========


=========== EmptyTemp: ==========

FlushDNS => завершено
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 28739142 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 237512060 B
Windows/system/drivers => 47797422 B
Edge => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 7680 B
ProgramData => 7680 B
Public => 7680 B
systemprofile => 7680 B
systemprofile32 => 7680 B
LocalService => 106586 B
NetworkService => 113642 B

The last part of the Fixlog is missing.

Could you please attach the Fixlog.txt file to your next post.

Please refer to this guide on how to attach the file.

Yes I can
.

Could you please run this part of the  FRST script again.

• Right click on the FRST icon and select Run as administrator.
• Highlight all of the information in the text box below then hit the Ctrl + C keys together to copy the text.

Start::
CreateRestorePoint:
CloseProcesses:
2024-11-11 09:55 - 2024-11-11 12:48 - 001013552 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-wal
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _____ C:\WINDOWS\SysWOW64\DnsStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000000000 _____ C:\WINDOWS\SysWOW64\DnsStorage-wal
2024-11-11 08:27 - 2024-06-29 10:02 - 000012288 _____ C:\WINDOWS\SysWOW64\AppRulesStorage
Emptytemp:
End::

• Click on the Fix button just once and wait.
• Please make sure you let the system restart normally. After that let the tool complete its run.
• When it's finished FRST will generate a log in the location you ran the tool from. (Fixlog.txt).

Please copy the contents from this text file and paste into your next reply.