Genuinely lost on how to remove this trojan virus

This topic is locked
25 replies to this topic

#1 Kemosaabee

Posted 06 July 2018 - 08:14 PM

A guy from Reddit redirected me towards here after asking for help with this suspected trojan virus on my computer. Long story short, I tried pirating Skyrim and in effect got a trojan virus from downloading the program. I'm running on Windows 8.1 and don't know what to do since the easy part of downloading antivirus programs has been made harder since the virus has disabled my access to the internet. I checked some threads on ways to remove some trojan viruses but I didn't see one that disabled Windows and in effect, disabled your internet connection. Any help with this issue will be greatly appreciated (:

#2 sasschary

Posted 07 July 2018 - 11:29 AM

Hi Kemosaabee,

My name is Zach, and, though I generally go by Sasschary, you may call me whatever you want. I will be helping you get your computer working again. To start out, please read through the thread here. Then, please try to perform step 6 and copy/paste the logs into a reply here. If you are not able to get the programs to run, just reply here and we'll go about it another way.

Also, please be aware that I am currently in training, so all of my posts need to be reviewed before you can see them. As such, it may take a day or two for me to post my replies.

Sincerely,

In your next reply, please include the following:

  • FRST.txt
  • Addition.txt

sasschary



#3 Kemosaabee

Posted 09 July 2018 - 12:34 AM

Hey Zach, 

Thank you so much for helping me with this issue. So I don't know why I didn't think about it until now but I have a USB I used to install that program onto my computer and got the logs. This will probably make things easier since now I know I can install any other kind of program needed.

Here is the FRST text: 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20.06.2018
Ran by Kemosaabee (administrator) on BICH (08-07-2018 21:51:47)
Running from E:\
Loaded Profiles: Kemosaabee (Available Profiles: Kemosaabee & Joseph)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\cwesrdhsvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\SystemCore\mfefire.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(McAfee, Inc.) C:\ProgramData\McAfee\Direct\McDiReg.exe
() C:\Program Files (x86)\Cree\mitzi.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
() C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper64.exe
() C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\ui32.exe
(Spotify Ltd) C:\Users\Kemosaabee\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Spotify Ltd) C:\Users\Kemosaabee\AppData\Roaming\Spotify\Spotify.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\Cree\mitzi.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe
() C:\Users\Kemosaabee\AppData\Local\avhzgwk\avhzgwk.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\SystemCore\mfefire.exe
(Spotify Ltd) C:\Users\Kemosaabee\AppData\Roaming\Spotify\Spotify.exe
() C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\ui32.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
() C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\ui32.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
() C:\Users\Kemosaabee\AppData\Local\avhzgwk\uposnrk.exe
(McAfee, Inc.) C:\Program Files\McAfee\MAT\McPvTray.exe
(Spotify Ltd) C:\Users\Kemosaabee\AppData\Roaming\Spotify\Spotify.exe
(Spotify Ltd) C:\Users\Kemosaabee\AppData\Roaming\Spotify\Spotify.exe
() C:\Users\Kemosaabee\AppData\Local\avhzgwk\uposnrk.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\VSCore_15_4_1\McVscIns.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [WindowsDefender] => "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
HKLM\...\Run: [Explorers] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
HKLM\...\Run: [Bromides] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
HKLM\...\Run: [Overtures] => "C:\Program Files (x86)\Cheerleaders\Cystic.exe" tanhwg
HKLM-x32\...\Run: [Himmelfarb] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
HKLM-x32\...\Run: [Raad] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
HKLM-x32\...\Run: [Maliciousness] => "C:\Program Files (x86)\Cheerleaders\Cystic.exe" tanhwg
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
HKLM\...\Winlogon: [Userinit] c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Garlic] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Marson] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Volpe] => "C:\Program Files (x86)\Cheerleaders\Cystic.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Submitting] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Staggeringly] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Spendthrifts] => "C:\Program Files (x86)\Cheerleaders\Cystic.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [powerpoint] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [avocado] => "C:\Program Files (x86)\breadfruit\avocado.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3200800 2018-05-18] (Valve Corporation)
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [WallpaperEngine] => C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper64.exe [1838056 2018-05-28] ()
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Spotify Web Helper] => C:\Users\Kemosaabee\AppData\Roaming\Spotify\SpotifyWebHelper.exe [782736 2018-05-28] (Spotify Ltd)
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Spotify] => C:\Users\Kemosaabee\AppData\Roaming\Spotify\Spotify.exe [23177616 2018-05-28] (Spotify Ltd)
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\MountPoints2: {d572e077-35de-11e4-8256-806e6f6e6963} - "D:\Msetup4.exe" 
Startup: C:\Users\Kemosaabee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pleurisy.lnk [2018-05-25]
ShortcutTarget: pleurisy.lnk -> C:\Program Files (x86)\Supercar\Cystic.exe (No File)
Startup: C:\Users\Kemosaabee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pleurisypleurisy.lnk [2018-05-25]
ShortcutTarget: pleurisypleurisy.lnk -> C:\Program Files (x86)\astonished\Bonnin.exe (No File)
GroupPolicy: Restriction - Windows Defender <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{27244DFB-37D1-4455-B67F-11F74E807528}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com/?pc=ACJB
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3262422751-4070970212-1586142915-1001 -> DefaultScope {9F60873E-E1E6-4AE0-9B31-5E2FD12F1BE6} URL = 
SearchScopes: HKU\S-1-5-21-3262422751-4070970212-1586142915-1001 -> {9F60873E-E1E6-4AE0-9B31-5E2FD12F1BE6} URL = 
SearchScopes: HKU\S-1-5-21-3262422751-4070970212-1586142915-1001 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2018-05-31] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2018-05-31] (Oracle Corporation)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll [2016-04-28] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll [2016-04-28] (McAfee, Inc.)
 
FireFox:
========
FF DefaultProfile: ww3axrkt.default-1527532672918
FF ProfilePath: C:\Users\Kemosaabee\AppData\Roaming\Mozilla\Firefox\Profiles\ww3axrkt.default-1527532672918 [2018-05-31]
FF Extension: (Ghostery – Privacy Ad Blocker) - C:\Users\Kemosaabee\AppData\Roaming\Mozilla\Firefox\Profiles\ww3axrkt.default-1527532672918\Extensions\firefox@ghostery.com.xpi [2018-05-30]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: (McAfee Anti-Spam Thunderbird Extension) - C:\Program Files\McAfee\MSK [2018-05-27] [Legacy] [not signed]
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2016-04-28] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2018-05-31] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2018-05-31] (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2016-04-28] ()
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
HKLM\SYSTEM\CurrentControlSet\Services\odarsnlk <==== ATTENTION (Rootkit!)
 
S4 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [5745672 2018-04-27] ()
S4 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [775296 2018-04-16] (EasyAntiCheat Ltd)
S4 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
S4 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [989192 2016-04-28] (McAfee, Inc.)
S4 McAWFwk; c:\Program Files\Common Files\mcafee\ActWiz\McAWFwk.exe [419096 2016-04-01] (McAfee, Inc.)
S4 McBootDelayStartSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
S4 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.9.741.0\\McCSPServiceHost.exe [1903320 2016-04-18] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
S4 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
S4 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [795528 2016-04-20] (McAfee, Inc.)
S4 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
S4 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232688 2016-03-07] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [382456 2016-04-01] (McAfee, Inc.)
R3 mfevtp; C:\Windows\system32\mfevtps.exe [277744 2016-03-07] (McAfee, Inc.)
S4 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1424352 2016-04-21] (McAfee, Inc.)
S4 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
S4 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [1029856 2016-04-21] (Intel Security, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
S4 WNetworkMgmt; C:\ProgramData\Microsoft\Windows\WNetworkMgmt\WNetworkMgmt.exe [6232185 2018-05-22] () [File not signed] <==== ATTENTION <==== ATTENTION
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [78632 2016-03-11] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [207968 2016-02-24] (McAfee, Inc.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [55232 2018-05-28] ()
R2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [79192 2016-04-20] (McAfee, Inc.)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [419624 2016-03-11] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [349480 2016-03-11] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [83608 2016-03-11] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [493352 2016-03-11] (McAfee, Inc.)
R1 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [842536 2016-03-11] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [543488 2016-02-10] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [109480 2016-02-10] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [243496 2016-03-11] (McAfee, Inc.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
S3 WirelessKeyboardFilter; C:\Windows\System32\drivers\WirelessKeyboardFilter.sys [49336 2018-03-11] (Microsoft Corporation)
S3 AthBTPort; \SystemRoot\system32\DRIVERS\btath_flt.sys [X]
S3 BTATH_A2DP; \SystemRoot\system32\drivers\btath_a2dp.sys [X]
S3 btath_avdt; \SystemRoot\system32\drivers\btath_avdt.sys [X]
S3 BTATH_BUS; \SystemRoot\System32\drivers\btath_bus.sys [X]
S3 BTATH_HCRP; \SystemRoot\System32\drivers\btath_hcrp.sys [X]
S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; \SystemRoot\System32\drivers\btath_rcp.sys [X]
S3 BtFilter; \SystemRoot\system32\DRIVERS\btfilter.sys [X]
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
S1 duidczqj; \??\C:\Windows\system32\drivers\duidczqj.sys [X]
R3 hloruy; system32\drivers\oruybe.sys [X]
S3 IntcAzAudAddService; \SystemRoot\system32\drivers\RTKVHD64.sys [X]
S1 MBAMSwissArmy; System32\Drivers\mbamswissarmy.sys [X]
S3 RSUSBVSTOR; \SystemRoot\System32\Drivers\RtsUVStor.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-08 21:50 - 2018-07-08 21:51 - 000000000 ____D C:\FRST
2018-07-08 21:39 - 2018-07-08 21:39 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\renpozs
2018-07-06 17:12 - 2018-07-06 17:12 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\psntvoi
2018-07-01 22:10 - 2018-07-01 22:10 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\psradxt
2018-07-01 21:37 - 2018-07-01 21:37 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\auitrvx
2018-07-01 20:31 - 2018-07-01 20:31 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\athboil
2018-06-15 22:04 - 2018-06-15 22:04 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\pwhxlid
2018-06-15 21:17 - 2018-06-15 21:17 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\nidugob
2018-06-08 23:25 - 2018-06-08 23:25 - 000142672 ____N C:\Windows\system32\Drivers\atoehknr.sys
2018-06-08 23:00 - 2018-06-08 23:00 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\usekcmd
2018-06-08 22:35 - 2018-06-08 22:35 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\sbadvwp
2018-06-08 21:59 - 2018-06-08 21:59 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\exalbkv
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-08 21:47 - 2018-05-28 12:41 - 000000000 ____D C:\Users\Kemosaabee\AppData\Roaming\Spotify
2018-07-08 21:42 - 2018-05-27 12:12 - 000000000 __RSD C:\Users\Kemosaabee\Documents\McAfee Vaults
2018-07-08 21:42 - 2018-05-25 21:30 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\avhzgwk
2018-07-08 21:42 - 2018-04-16 21:51 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3262422751-4070970212-1586142915-1001
2018-07-08 21:41 - 2013-08-22 06:25 - 000262144 ___SH C:\Windows\system32\config\ELAM
2018-07-08 21:39 - 2018-05-28 11:45 - 000000000 ____D C:\Program Files (x86)\Steam
2018-07-08 21:37 - 2013-08-22 07:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-07-08 21:36 - 2018-05-25 21:29 - 002888704 _____ (TOSHIBA CORPORATION) C:\Windows\system32\cwesrdhsvc.exe
2018-07-06 17:44 - 2018-05-28 11:50 - 000000000 ____D C:\Riot Games
2018-07-06 17:39 - 2018-05-28 11:40 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\Discord
2018-07-06 17:39 - 2018-04-16 22:02 - 000000000 ____D C:\Users\Kemosaabee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord Inc
2018-07-06 17:38 - 2018-05-28 10:32 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-07-06 17:07 - 2013-08-22 06:25 - 012058624 _____ C:\Windows\system32\config\HARDWARE
2018-06-15 22:02 - 2018-04-16 21:45 - 000000000 ____D C:\Users\Kemosaabee
2018-06-15 21:15 - 2013-08-22 06:36 - 000000000 ____D C:\Windows\Inf
2018-06-08 23:07 - 2018-05-27 12:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2018-06-08 23:05 - 2018-05-27 23:38 - 000000000 ____D C:\Users\Kemosaabee\AppData\Local\CrashDumps
2018-06-08 22:58 - 2018-04-16 21:45 - 000000000 __SHD C:\Users\Kemosaabee\IntelGraphicsProfiles
 
==================== Files in the root of some directories =======
 
2018-05-27 12:06 - 2018-05-27 12:07 - 000000000 _____ () C:\Users\Kemosaabee\AppData\Roaming\MCVi2UserDetail.ini
2018-05-25 21:15 - 2018-05-25 21:15 - 000140800 _____ () C:\Users\Kemosaabee\AppData\Local\installer.dat
2018-05-25 21:31 - 2018-05-25 21:31 - 000003072 _____ () C:\Users\Kemosaabee\AppData\Local\setupImageCreator_v4.2.exe
 
Some files in TEMP:
====================
2018-05-27 12:45 - 2017-09-28 17:29 - 004964640 _____ (Acer Incorporated) C:\Users\Kemosaabee\AppData\Local\Temp\AcerDocsSetup.exe
2018-05-27 12:47 - 2014-01-16 18:09 - 001328384 _____ (Acer Incorporated) C:\Users\Kemosaabee\AppData\Local\Temp\AcerPortalSetup.exe
2018-05-27 13:39 - 2017-09-26 12:36 - 001976608 _____ (Acer Incorporated) C:\Users\Kemosaabee\AppData\Local\Temp\AOPSetup.exe
2018-05-25 21:13 - 2018-05-25 21:13 - 001793368 _____ () C:\Users\Kemosaabee\AppData\Local\Temp\gimi.exe
2016-04-18 01:19 - 2016-04-18 01:19 - 000213072 _____ (McAfee, Inc.) C:\Users\Kemosaabee\AppData\Local\Temp\McCSPInstall.dll
2018-05-27 13:39 - 2017-09-26 12:34 - 000301272 _____ (CodePlex Community) C:\Users\Kemosaabee\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll
2018-04-17 15:48 - 2018-04-17 15:49 - 041561472 _____ (SweetLabs,Inc.) C:\Users\Kemosaabee\AppData\Local\Temp\octABBE.tmp.exe
2018-05-27 12:50 - 2018-05-08 18:59 - 023177616 _____ (Spotify Ltd) C:\Users\Kemosaabee\AppData\Local\Temp\SpotifyUninstall.exe
2018-05-25 21:20 - 2018-05-25 21:19 - 000099896 _____ () C:\Users\Kemosaabee\AppData\Local\Temp\Uninstall.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\atoehknr.sys -> Access Denied <======= ATTENTION
 
LastRegBack: 2018-05-31 00:17
 
==================== End of FRST.txt ============================

And here is the Addition text:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by Kemosaabee (08-07-2018 21:53:37)
Running from E:\
Windows 8.1 (Update) (X64) (2018-04-17 04:45:08)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3262422751-4070970212-1586142915-500 - Administrator - Disabled)
Guest (S-1-5-21-3262422751-4070970212-1586142915-501 - Limited - Disabled)
Joseph (S-1-5-21-3262422751-4070970212-1586142915-1002 - Limited - Enabled) => C:\Users\Joseph
Kemosaabee (S-1-5-21-3262422751-4070970212-1586142915-1001 - Administrator - Enabled) => C:\Users\Kemosaabee
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Epic Games Launcher (HKLM-x32\...\{93BFE5DF-776E-436F-8693-DF1F72C0E3C1}) (Version: 1.1.151.0 - Epic Games, Inc.)
Epic Games Launcher Prerequisites (x64) (HKLM\...\{66C5838F-B854-4A55-89E6-A6138747A4DF}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Impaq Speed (HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\{5b0c3e0d-0e9b-4ebd-a5de-222a48f16015}) (Version: 0.0.0.0 - Melasys LLC) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4264 - Intel Corporation)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Launcher Prerequisites (x64) (HKLM-x32\...\{c6c5a357-c7ca-4a5f-9789-3bb1af579253}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
League of Legends (HKLM-x32\...\League of Legends 1.0) (Version: 1.0 - Riot Games, Inc)
McAfee® Total Protection (HKLM-x32\...\MSC) (Version: 14.0.9029 - McAfee, Inc.)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
Roblox Player for Kemosaabee (HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - Roblox Corporation)
Sid Meier's Civilization V (HKLM-x32\...\steam app 8930) (Version:  - 2K Games, Inc.)
Spotify (HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Spotify) (Version: 1.0.80.474.gef6b503e - Spotify AB)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3262422751-4070970212-1586142915-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
ContextMenuHandlers1: [Atheros] -> {B8952421-0E55-400B-94A6-FA858FC0A39F} =>  -> No File
ContextMenuHandlers1: [McCtxMenuFrmWrk] -> {CCA9EFD3-29ED-430A-BA6D-E6BBFF0A60C2} => c:\Program Files\McAfee\MSC\McCtxMenuFrmWrk.dll [2016-04-28] (McAfee, Inc.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2015-08-09] (Intel Corporation)
ContextMenuHandlers6: [McCtxMenuFrmWrk] -> {CCA9EFD3-29ED-430A-BA6D-E6BBFF0A60C2} => c:\Program Files\McAfee\MSC\McCtxMenuFrmWrk.dll [2016-04-28] (McAfee, Inc.)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {072DF236-B153-410A-8FAB-62FC988BBF25} - System32\Tasks\shakey_mummy => C:\Program Files (x86)\Cheerleaders\Cystic.exe
Task: {0BD2C93B-51F3-4E97-B69B-437CCD1A27DB} - System32\Tasks\facilityfacility => C:\Program Files (x86)\Cree\mitzi.exe [2018-05-25] ()
Task: {280D5499-1AD7-4478-8B76-F372C70029E1} - System32\Tasks\McAfee\McAfee Auto Maintenance Task Agent
Task: {29A701C7-F4FF-4AA5-8714-BDE1C6B3B090} - System32\Tasks\msf containing monohull => C:\Users\Kemosaabee\AppData\Local\Cystic.exe
Task: {2A3E2A38-BE23-4BC5-A8F9-B6441853CAF9} - System32\Tasks\moratorium => C:\Program Files (x86)\gerri\gerri.exe
Task: {3CD26EE5-70AA-4CCD-8916-06380630F268} - System32\Tasks\msf containing monohullmsf containing monohull => C:\Users\Kemosaabee\AppData\Local\Cystic.exe
Task: {55400E35-94A4-4D17-82B1-50FE1D1C212D} - System32\Tasks\McDiReg => C:\ProgramData\McAfee\Direct\McDiReg.exe [2018-04-13] (McAfee, Inc.)
Task: {55B2E583-9226-4B8C-8333-78C8E814C4BB} - System32\Tasks\McAfee\McAfee Idle Detection Task
Task: {56ABF8C0-21EF-44DB-8645-752569259AAB} - System32\Tasks\facility => C:\Program Files (x86)\Cree\mitzi.exe [2018-05-25] ()
Task: {56F5F627-8BB4-457A-B1F5-47A03A93E7CA} - System32\Tasks\moratoriummoratorium => C:\Program Files (x86)\gerri\gerri.exe
Task: {58666E71-1C4D-4CA2-94AF-3A3FECC57D26} - System32\Tasks\storytelling proceeduresstorytelling proceedures => C:\Program Files (x86)\Cheerleaders\Bonnin.exe
Task: {65C7DF72-202B-4588-AF8C-D647F1A39856} - System32\Tasks\choir_eyeletchoir_eyelet => C:\Users\Kemosaabee\AppData\Local\Bonnin.exe
Task: {6AAE2DA0-0043-4682-89E1-A7E8896A303C} - System32\Tasks\McAfeeLogon => C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe [2016-04-23] (McAfee, Inc.)
Task: {77F66353-416F-4C89-A21D-8C9CA6D4517A} - System32\Tasks\shakey_mummyshakey_mummy => C:\Program Files (x86)\Cheerleaders\Cystic.exe
Task: {7BBA01DA-303E-426B-88FB-9DAC51834594} - System32\Tasks\BacKGroundAgent => C:\Program Files (x86)\Acer\AOP Framework\BackgroundAgent.exe
Task: {7F6EBD11-25E1-4774-BAC7-26AB4BF5ECF5} - System32\Tasks\storytelling proceedures => C:\Program Files (x86)\Cheerleaders\Bonnin.exe
Task: {AE931A60-D3CE-4D97-90CC-21943280749C} - System32\Tasks\choir_eyelet => C:\Users\Kemosaabee\AppData\Local\Bonnin.exe
Task: {D2251B6D-C9FD-4E64-977A-8C385480081B} - System32\Tasks\aneurin => C:\Program Files (x86)\Supercar\Cystic.exe
Task: {EA6855CB-145E-4AD2-A187-B32FAD499D6A} - System32\Tasks\construes-prognosticateconstrues-prognosticate => C:\Program Files (x86)\astonished\Bonnin.exe
Task: {EF415686-0CCF-44E0-AE23-EBAE20731AEA} - System32\Tasks\{7F38C753-8326-4479-B56E-1B414337DD0B} => C:\Windows\system32\pcalua.exe -a C:\Users\Kemosaabee\AppData\Local\Roblox\Versions\version-0d11713edd8c4452\RobloxPlayerLauncher.exe -c -uninstall
Task: {F0A75C0E-D0E0-4CBA-A3AA-819F728A6EF5} - System32\Tasks\construes-prognosticate => C:\Program Files (x86)\astonished\Bonnin.exe
Task: {FE3CBF41-218E-4B0F-8FD1-5E56FF4EAA94} - System32\Tasks\aneurinaneurin => C:\Program Files (x86)\Supercar\Cystic.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-05-25 21:07 - 2018-05-25 21:07 - 000078269 _____ () C:\Program Files (x86)\Cree\mitzi.exe
2018-05-28 12:13 - 2018-05-28 11:57 - 001838056 _____ () C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper64.exe
2018-05-28 11:58 - 2018-05-28 11:57 - 002009576 _____ () C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\ui32.exe
2018-05-28 11:48 - 2018-05-01 00:32 - 000788256 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2018-05-28 11:48 - 2016-08-31 18:02 - 004969248 _____ () C:\Program Files (x86)\Steam\v8.dll
2018-05-28 11:48 - 2018-05-18 16:01 - 002632480 _____ () C:\Program Files (x86)\Steam\video.dll
2018-05-28 11:48 - 2016-08-31 18:02 - 001563936 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2018-05-28 11:48 - 2016-08-31 18:02 - 001195296 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2018-05-28 11:48 - 2017-12-19 18:43 - 005137696 _____ () C:\Program Files (x86)\Steam\libavcodec-57.dll
2018-05-28 11:48 - 2017-12-19 18:43 - 000695584 _____ () C:\Program Files (x86)\Steam\libavformat-57.dll
2018-05-28 11:48 - 2017-12-19 18:43 - 000351520 _____ () C:\Program Files (x86)\Steam\libavresample-3.dll
2018-05-28 11:48 - 2017-12-19 18:43 - 000847136 _____ () C:\Program Files (x86)\Steam\libavutil-55.dll
2018-05-28 11:48 - 2017-12-19 18:43 - 000783648 _____ () C:\Program Files (x86)\Steam\libswscale-4.dll
2018-05-28 11:48 - 2018-05-18 16:01 - 000979232 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2018-05-28 12:13 - 2018-05-28 11:57 - 084304360 _____ () C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\libcef.dll
2018-05-28 12:13 - 2018-05-28 11:57 - 002834920 _____ () C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\assimp-vc140-mt32.dll
2018-05-28 12:54 - 2018-05-28 12:54 - 081767312 _____ () C:\Users\Kemosaabee\AppData\Roaming\Spotify\libcef.dll
2018-05-28 12:13 - 2018-05-28 11:57 - 003735528 _____ () C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\libglesv2.dll
2018-05-28 12:13 - 2018-05-28 11:58 - 000085992 _____ () C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\libegl.dll
2018-05-28 11:48 - 2018-05-01 00:32 - 000788256 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\SDL2.dll
2018-05-28 11:48 - 2018-05-14 12:39 - 083524384 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\libcef.dll
2018-05-28 11:48 - 2015-09-24 16:52 - 000119208 _____ () C:\Program Files (x86)\Steam\winh264.dll
2018-05-28 12:54 - 2018-05-28 12:54 - 003740560 _____ () C:\Users\Kemosaabee\AppData\Roaming\Spotify\libglesv2.dll
2018-05-28 12:54 - 2018-05-28 12:54 - 000088464 _____ () C:\Users\Kemosaabee\AppData\Roaming\Spotify\libegl.dll
2017-07-17 10:30 - 2017-07-17 10:30 - 000863744 _____ () C:\Windows\mod_frst.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\Public\AppData:CSM [462]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcapexe => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McNaiAnn => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2018-05-26 22:30 - 000000850 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Kemosaabee\AppData\Roaming\Microsoft\Windows Photo Viewer\Windows Photo Viewer Wallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
MpsSvc => Firewall Service is not running.
bfe => Firewall Service is not running.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: AeLookupSvc => 3
MSCONFIG\Services: ALG => 3
MSCONFIG\Services: AppIDSvc => 3
MSCONFIG\Services: AppReadiness => 3
MSCONFIG\Services: AudioEndpointBuilder => 2
MSCONFIG\Services: Audiosrv => 2
MSCONFIG\Services: AxInstSV => 3
MSCONFIG\Services: BDESVC => 3
MSCONFIG\Services: BEService => 3
MSCONFIG\Services: BFE => 2
MSCONFIG\Services: BITS => 2
MSCONFIG\Services: Browser => 3
MSCONFIG\Services: BthHFSrv => 3
MSCONFIG\Services: bthserv => 3
MSCONFIG\Services: CertPropSvc => 3
MSCONFIG\Services: COMSysApp => 3
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: CryptSvc => 2
MSCONFIG\Services: defragsvc => 3
MSCONFIG\Services: DeviceAssociationService => 2
MSCONFIG\Services: DeviceInstall => 3
MSCONFIG\Services: Dhcp => 2
MSCONFIG\Services: DiagTrack => 2
MSCONFIG\Services: Dnscache => 2
MSCONFIG\Services: dot3svc => 3
MSCONFIG\Services: DPS => 2
MSCONFIG\Services: DsmSvc => 3
MSCONFIG\Services: Eaphost => 3
MSCONFIG\Services: EasyAntiCheat => 3
MSCONFIG\Services: EFS => 3
MSCONFIG\Services: EventLog => 2
MSCONFIG\Services: EventSystem => 2
MSCONFIG\Services: Fax => 3
MSCONFIG\Services: fdPHost => 3
MSCONFIG\Services: FDResPub => 3
MSCONFIG\Services: fhsvc => 3
MSCONFIG\Services: FontCache => 2
MSCONFIG\Services: FontCache3.0.0.0 => 3
MSCONFIG\Services: hidserv => 3
MSCONFIG\Services: hkmsvc => 3
MSCONFIG\Services: HomeGroupListener => 3
MSCONFIG\Services: HomeGroupProvider => 3
MSCONFIG\Services: HomeNetSvc => 2
MSCONFIG\Services: IEEtwCollectorService => 3
MSCONFIG\Services: igfxCUIService1.0.0.0 => 2
MSCONFIG\Services: IKEEXT => 2
MSCONFIG\Services: iphlpsvc => 2
MSCONFIG\Services: KeyIso => 3
MSCONFIG\Services: KtmRm => 3
MSCONFIG\Services: LanmanServer => 2
MSCONFIG\Services: LanmanWorkstation => 2
MSCONFIG\Services: lfsvc => 3
MSCONFIG\Services: lltdsvc => 3
MSCONFIG\Services: lmhosts => 2
MSCONFIG\Services: McAWFwk => 3
MSCONFIG\Services: McBootDelayStartSvc => 2
MSCONFIG\Services: mccspsvc => 2
MSCONFIG\Services: McNaiAnn => 2
MSCONFIG\Services: McODS => 3
MSCONFIG\Services: mcpltsvc => 2
MSCONFIG\Services: McProxy => 2
MSCONFIG\Services: MMCSS => 2
MSCONFIG\Services: ModuleCoreService => 2
MSCONFIG\Services: MpsSvc => 2
MSCONFIG\Services: MSDTC => 3
MSCONFIG\Services: MSiSCSI => 3
MSCONFIG\Services: MSK80Service => 2
MSCONFIG\Services: napagent => 3
MSCONFIG\Services: NcaSvc => 3
MSCONFIG\Services: NcbService => 3
MSCONFIG\Services: NcdAutoSetup => 3
MSCONFIG\Services: Netlogon => 3
MSCONFIG\Services: Netman => 3
MSCONFIG\Services: netprofm => 3
MSCONFIG\Services: NlaSvc => 2
MSCONFIG\Services: nsi => 2
MSCONFIG\Services: p2pimsvc => 3
MSCONFIG\Services: p2psvc => 3
MSCONFIG\Services: PcaSvc => 2
MSCONFIG\Services: PEFService => 2
MSCONFIG\Services: PerfHost => 3
MSCONFIG\Services: pla => 3
MSCONFIG\Services: PlugPlay => 3
MSCONFIG\Services: PNRPAutoReg => 3
MSCONFIG\Services: PNRPsvc => 3
MSCONFIG\Services: PolicyAgent => 3
MSCONFIG\Services: Power => 2
MSCONFIG\Services: PrintNotify => 3
MSCONFIG\Services: QWAVE => 3
MSCONFIG\Services: RasAuto => 3
MSCONFIG\Services: RasMan => 3
MSCONFIG\Services: RpcLocator => 3
MSCONFIG\Services: SamSs => 2
MSCONFIG\Services: ScDeviceEnum => 3
MSCONFIG\Services: SCPolicySvc => 3
MSCONFIG\Services: seclogon => 3
MSCONFIG\Services: SENS => 2
MSCONFIG\Services: SensrSvc => 3
MSCONFIG\Services: SessionEnv => 3
MSCONFIG\Services: ShellHWDetection => 2
MSCONFIG\Services: smphost => 3
MSCONFIG\Services: SNMPTRAP => 3
MSCONFIG\Services: Spooler => 2
MSCONFIG\Services: SSDPSRV => 3
MSCONFIG\Services: SstpSvc => 3
MSCONFIG\Services: Steam Client Service => 3
MSCONFIG\Services: stisvc => 2
MSCONFIG\Services: StorSvc => 3
MSCONFIG\Services: svsvc => 3
MSCONFIG\Services: swprv => 3
MSCONFIG\Services: SysMain => 2
MSCONFIG\Services: TabletInputService => 3
MSCONFIG\Services: TapiSrv => 3
MSCONFIG\Services: TermService => 3
MSCONFIG\Services: Themes => 2
MSCONFIG\Services: THREADORDER => 3
MSCONFIG\Services: TrkWks => 2
MSCONFIG\Services: TrustedInstaller => 3
MSCONFIG\Services: UI0Detect => 3
MSCONFIG\Services: UmRdpService => 3
MSCONFIG\Services: upnphost => 3
MSCONFIG\Services: VaultSvc => 3
MSCONFIG\Services: vds => 3
MSCONFIG\Services: vmicguestinterface => 3
MSCONFIG\Services: vmicheartbeat => 3
MSCONFIG\Services: vmickvpexchange => 3
MSCONFIG\Services: vmicrdv => 3
MSCONFIG\Services: vmicshutdown => 3
MSCONFIG\Services: vmictimesync => 3
MSCONFIG\Services: vmicvss => 3
MSCONFIG\Services: VSS => 3
MSCONFIG\Services: W32Time => 3
MSCONFIG\Services: wbengine => 3
MSCONFIG\Services: WbioSrvc => 3
MSCONFIG\Services: Wcmsvc => 2
MSCONFIG\Services: wcncsvc => 3
MSCONFIG\Services: WcsPlugInService => 3
MSCONFIG\Services: WdiServiceHost => 3
MSCONFIG\Services: WdiSystemHost => 3
MSCONFIG\Services: WebClient => 3
MSCONFIG\Services: Wecsvc => 3
MSCONFIG\Services: WEPHOSTSVC => 3
MSCONFIG\Services: wercplsupport => 3
MSCONFIG\Services: WerSvc => 3
MSCONFIG\Services: WiaRpc => 3
MSCONFIG\Services: WinHttpAutoProxySvc => 3
MSCONFIG\Services: Winmgmt => 2
MSCONFIG\Services: WinRM => 3
MSCONFIG\Services: WlanSvc => 2
MSCONFIG\Services: wlidsvc => 3
MSCONFIG\Services: wmiApSrv => 3
MSCONFIG\Services: WMPNetworkSvc => 3
MSCONFIG\Services: WNetworkMgmt => 2
MSCONFIG\Services: workfolderssvc => 3
MSCONFIG\Services: WPCSvc => 3
MSCONFIG\Services: WPDBusEnum => 3
MSCONFIG\Services: WSearch => 2
MSCONFIG\Services: wuauserv => 3
MSCONFIG\Services: wudfsvc => 3
MSCONFIG\Services: WwanSvc => 3
HKLM\...\StartupApproved\Run: => "Bromides"
HKLM\...\StartupApproved\Run: => "Overtures"
HKLM\...\StartupApproved\Run: => "Explorers"
HKLM\...\StartupApproved\Run: => "WindowsDefender"
HKLM\...\StartupApproved\Run32: => "Raad"
HKLM\...\StartupApproved\Run32: => "Maliciousness"
HKLM\...\StartupApproved\Run32: => "Himmelfarb"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\StartupFolder: => "pleurisypleurisy.lnk"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\StartupFolder: => "pleurisy.lnk"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\Run: => "avocado"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\Run: => "Staggeringly"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\Run: => "Marson"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\Run: => "powerpoint"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\Run: => "Spendthrifts"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\Run: => "Submitting"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\Run: => "Volpe"
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\StartupApproved\Run: => "Garlic"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{29CE96CD-A7A0-410A-8A31-EFFED185FF26}] => (Allow) C:\Program Files (x86)\Nero\Nero 12\Nero BackItUp\BackItUp.exe
FirewallRules: [{AB948F10-9A91-4328-B7A1-914127CFA8B4}] => (Allow) C:\Program Files (x86)\Nero\Nero 12\Nero BackItUp\BackItUp.exe
FirewallRules: [{267B4964-5880-49C0-BB58-A6AC28520179}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{D85C7AE4-5AA5-47CC-B60A-A30A900E7885}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{9A8C8844-4375-4CF8-B8F0-4135B6EEDAEA}] => (Allow) C:\Program Files\Soluto\SolutoRemoteDirect.exe
FirewallRules: [{1F7C9E90-FA9C-4919-8878-BEDB42F09116}] => (Allow) C:\Program Files\Soluto\Soluto.exe
FirewallRules: [{25A5CF8F-EBA5-480E-955B-9A53E9413F7A}] => (Allow) C:\Program Files\Soluto\SolutoCleanup.exe
FirewallRules: [{B012BD70-476E-4612-BD4D-95873B403E0E}] => (Allow) C:\Program Files\Soluto\SolutoConsole.exe
FirewallRules: [{693A5FCE-8B98-4041-B79C-863FAF503F97}] => (Allow) C:\Program Files\Soluto\SolutoUpdateService.exe
FirewallRules: [{EB98ADA9-15A0-40B0-BC96-9243CFDE1B1F}] => (Allow) C:\Program Files\Soluto\SolutoService.exe
FirewallRules: [{D09B0B7E-DE37-4AA7-A9DD-071A12DF56E9}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{43FF6956-59BB-411A-A9E7-EAF97FEF01A1}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{B3AA9147-88D2-49B3-BE9F-6DB30618FD00}] => (Allow) C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
FirewallRules: [{0AE91451-563C-495A-939C-EFBA38ECB9E7}] => (Allow) C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
FirewallRules: [{5E5354EC-1AD1-4A5B-9382-6366D0E4E88D}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\DMCDaemon.exe
FirewallRules: [{E87243A4-B8D0-4A8F-AE1A-790C48E91A40}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\DMCDaemon.exe
FirewallRules: [{CCFBD29F-36CA-4AE8-9779-B74276B802DD}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{2FCDDEC3-FA2D-4047-80B4-AB5F3A4B7F74}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{BE2AB9B3-EA22-42EF-A48B-BDB96A07A70C}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\DMCDaemon.exe
FirewallRules: [{28DE8B0F-3E08-4DEF-AB52-44F4D5FFEE82}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\DMCDaemon.exe
FirewallRules: [{D1E2557C-A0E2-40A2-BA55-6409BA978DA4}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{D357CE07-29DD-41F9-A5EF-69C0CA2F95D8}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{16D2B00C-1938-4B48-8FEF-2815FB891C91}] => (Allow) C:\Program Files (x86)\Acer\Acer Photo\DMCDaemon.exe
FirewallRules: [{FABC0006-50A3-4BDB-B83D-F144D4C28B3F}] => (Allow) C:\Program Files (x86)\Acer\Acer Photo\DMCDaemon.exe
FirewallRules: [{001C152A-26CF-476E-A94F-2346AE2F49AE}] => (Allow) C:\Program Files (x86)\Acer\Acer Photo\WindowsUpnp.exe
FirewallRules: [{D22A2095-1FDD-4BEE-B9D1-6E6CAEF8C860}] => (Allow) C:\Program Files (x86)\Acer\Acer Photo\WindowsUpnp.exe
FirewallRules: [{CD0B173E-A340-426D-A4C8-67752A2FF50F}] => (Allow) C:\Program Files (x86)\Acer\Acer Photo\DMCDaemon.exe
FirewallRules: [{DFC8FAC3-AB50-4C78-853B-253F3559AA97}] => (Allow) C:\Program Files (x86)\Acer\Acer Photo\DMCDaemon.exe
FirewallRules: [{F4CECD18-9266-4C4F-9AB1-FE918C02CF58}] => (Allow) C:\Program Files (x86)\Acer\Acer Photo\WindowsUpnp.exe
FirewallRules: [{DFA0604C-E7D0-4268-BF5F-A0C2D39253BF}] => (Allow) C:\Program Files (x86)\Acer\Acer Photo\WindowsUpnp.exe
FirewallRules: [{02849821-8645-4844-907F-4E2F4073F027}] => (Allow) C:\Program Files (x86)\Acer\Acer Portal\ccd.exe
FirewallRules: [{64DBE0EA-8633-4059-89E3-6ACA77AC8EB9}] => (Allow) C:\Program Files (x86)\Acer\Acer Portal\ccd.exe
FirewallRules: [{F10E9BDF-17A1-4F18-ADD9-43185F82A0B4}] => (Allow) C:\Program Files (x86)\Acer\Acer Portal\Sdd.exe
FirewallRules: [{EE04BD1E-1C05-4381-AAB0-6381F733F677}] => (Allow) C:\Program Files (x86)\Acer\Acer Portal\Sdd.exe
FirewallRules: [{CE4B21EA-246E-4B01-B39A-7E706BCCE8A6}] => (Allow) C:\Program Files (x86)\Acer\Acer Portal\virtualdrive.exe
FirewallRules: [{4645A550-0360-4B0D-BBE9-56E3EFEB4C16}] => (Allow) C:\Program Files (x86)\Acer\Acer Portal\virtualdrive.exe
FirewallRules: [{61D183EA-C6B4-4772-BCDB-A5C8A426872D}] => (Allow) C:\Program Files (x86)\Acer\Acer Portal\ccd.exe
FirewallRules: [{47502393-B00E-4F6E-8E60-E7028D180EF3}] => (Allow) C:\Program Files (x86)\Acer\Acer Portal\ccd.exe
FirewallRules: [{2A5DBF67-2E2C-4D4E-BF07-4A3A1C8ED92C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{22322D4C-4B5D-4E0E-8544-E2CA007A5597}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{0051F485-06A8-47E9-B478-A4307EAFF70F}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{C2F62DC2-26FC-4C90-81BC-A3AB7CFA0525}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{391E6F9B-01E1-48CE-A4AF-A25158EF5EA0}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{2ACB78DD-4DB3-49F4-9202-B7E2D7E9E21D}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{985F68E8-A74B-4237-9036-D69A7FDC64F9}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{D5F4424A-A31D-41B3-AF61-57B3FAED5671}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{FA927CAC-04D9-4D4F-B02B-7F7C0B515500}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{2EBE2810-1B07-423D-AA1A-6FF63841C368}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{FBD1C8B4-0D72-4891-A2D5-11BFBE09F1F5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
FirewallRules: [{1250B7F5-8A53-4DA4-9E3B-CE632262A51E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
FirewallRules: [{86DCBB70-619E-49DB-BBCC-F8DA3DA9EA37}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{A1BAA481-95BA-433F-BCB0-F81716D7EFEE}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [TCP Query User{F9C451CD-3FBE-4D23-92DF-6A0F7F2DEC9B}C:\users\kemosaabee\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\kemosaabee\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{36E12080-4FE8-4BAD-B130-2D5EF0537D56}C:\users\kemosaabee\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\kemosaabee\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{CA94683C-B208-4BD7-8E67-6E8C09A4B096}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe
FirewallRules: [UDP Query User{F32BBBFF-0C3E-4007-9A80-65C587164BAF}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe
FirewallRules: [{F0F46CBF-57EC-4E22-A1CF-D76942B8573E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 2\Binaries\Win32\Launcher.exe
FirewallRules: [{AE6687EE-EDCD-405E-9571-A1BD13ED15F5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 2\Binaries\Win32\Launcher.exe
FirewallRules: [{D6B08DC1-45BC-4988-868E-4E5C66C08D73}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 2\Binaries\Win32\Borderlands2.exe
FirewallRules: [{DB663747-C18E-41A9-B868-14F7F4370D35}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 2\Binaries\Win32\Borderlands2.exe
FirewallRules: [TCP Query User{8B0418D6-DC5A-416C-B578-A4655E10ECB9}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.174\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.174\deploy\leagueclient.exe
FirewallRules: [UDP Query User{04A4CE39-6BB0-49DF-BE23-B43D1EC294F7}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.174\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.174\deploy\leagueclient.exe
FirewallRules: [{8F154F75-614B-4DCD-9A71-81CF82A72E27}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\chivalrymedievalwarfare\Binaries\Win64\CMW.exe
FirewallRules: [{41BF7E93-B64A-4597-A5AB-DEF269BDADC0}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\chivalrymedievalwarfare\Binaries\Win64\CMW.exe
FirewallRules: [{DB265B31-CB85-44B6-A8B1-A42AEAA2F62C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\chivalrymedievalwarfare\Binaries\Win32\CMW.exe
FirewallRules: [{9235FD94-A0A7-42CD-A9C2-CAFAF69505DB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\chivalrymedievalwarfare\Binaries\Win32\CMW.exe
FirewallRules: [{EF8189C1-1026-40DA-A3D4-5E3FDE3735CA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\chivalrymedievalwarfare\ChivLauncher.exe
FirewallRules: [{5700561F-47CC-4372-81A2-C8BBED3DB178}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\chivalrymedievalwarfare\ChivLauncher.exe
FirewallRules: [{C2E4AB51-90EB-436F-8F83-FF89403D3ABA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Forest\TheForest.exe
FirewallRules: [{CC243145-C357-4103-865C-FD03827E172A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Forest\TheForest.exe
FirewallRules: [TCP Query User{A49C0E85-5E92-40D7-A534-B9C50BCE5B91}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe
FirewallRules: [UDP Query User{CD8FAA4F-7881-48A9-8DF3-D727D6316643}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe
FirewallRules: [{7146A7D0-54EB-4928-8283-1CDF7D67AC31}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\FEAR Ultimate Shooter Edition\FEAR.exe
FirewallRules: [{C7D7B223-7356-419B-80E1-84940873AEA6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\FEAR Ultimate Shooter Edition\FEAR.exe
FirewallRules: [{074FA933-E624-4C74-9AF4-41335BD9D136}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Serious Sam 2\Bin\Sam2.exe
FirewallRules: [{CC423CD3-3034-441B-BF76-4E7D93E2F869}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Serious Sam 2\Bin\Sam2.exe
FirewallRules: [{D0992475-81DE-4394-93D8-E6DBCED0FB5D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Team Fortress 2\hl2.exe
FirewallRules: [{33762968-B928-4E70-82AD-E14FB5ED888F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Team Fortress 2\hl2.exe
FirewallRules: [{EBE4B8AA-F28A-4B74-8BF2-B1E4E54F62E4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\GarrysMod\hl2.exe
FirewallRules: [{2EC9CE42-A618-4F5E-9C9F-D0DFD4EBA60D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\GarrysMod\hl2.exe
FirewallRules: [{63D3E76E-9C1A-4E8D-B2A5-DEFCE7D3AB71}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{C40FC91E-66D7-4558-AD3F-84F8863676E0}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [TCP Query User{34E42CBF-136C-4A71-A510-21CCA7E0A3F3}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.175\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.175\deploy\leagueclient.exe
FirewallRules: [UDP Query User{06AF4E65-9B04-48F9-AB24-A565FAF49186}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.175\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.175\deploy\leagueclient.exe
FirewallRules: [TCP Query User{9913923A-2A70-44B1-A513-02E142092508}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.139\deploy\leagueclient.exe] => (Allow) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.139\deploy\leagueclient.exe
FirewallRules: [UDP Query User{E37649C1-A1A0-410A-81D3-F2779BE3FFA3}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.139\deploy\leagueclient.exe] => (Allow) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.139\deploy\leagueclient.exe
FirewallRules: [TCP Query User{3C1BCD2E-BE9A-4599-9B48-222B6EAC2DB5}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.140\deploy\leagueclient.exe] => (Allow) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.140\deploy\leagueclient.exe
FirewallRules: [UDP Query User{93A124DD-D068-4EBE-8A58-F2F6302668C0}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.140\deploy\leagueclient.exe] => (Allow) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.140\deploy\leagueclient.exe
FirewallRules: [{CA098997-2D17-4D6F-8251-22EE4936F0AD}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Battlerite\Battlerite.exe
FirewallRules: [{3FD016C9-3F28-4553-B255-ECE233E1E8B4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Battlerite\Battlerite.exe
FirewallRules: [TCP Query User{3AC837F3-A674-4388-940D-4006B44CBADC}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.176\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.176\deploy\leagueclient.exe
FirewallRules: [UDP Query User{D32BF67D-EB0E-4258-A78F-94BFADB2397A}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.176\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.176\deploy\leagueclient.exe
FirewallRules: [TCP Query User{FF660826-7A71-46F1-AFF5-8DC5C009F045}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.177\deploy\leagueclient.exe] => (Block) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.177\deploy\leagueclient.exe
FirewallRules: [UDP Query User{D4850984-EE63-41B4-9949-4CC8F6EE14ED}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.177\deploy\leagueclient.exe] => (Block) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.177\deploy\leagueclient.exe
FirewallRules: [{F5C67DF5-8D47-4F38-A13F-C5CB03349F89}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Dark Souls Prepare to Die Edition\DATA\DARKSOULS.exe
FirewallRules: [{C1FF9276-8BE7-4EF0-A5D4-A6780BBE061C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Dark Souls Prepare to Die Edition\DATA\DARKSOULS.exe
FirewallRules: [{519DBDE4-3EB4-4758-B7CA-0DADD239F401}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\insurgency2\insurgency_BE.exe
FirewallRules: [{3965A77A-8F4B-4B76-9E74-F74F6A2932FA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\insurgency2\insurgency_BE.exe
FirewallRules: [{0EC8D695-F68F-4A6D-8BAD-E96CEE9094B2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [{26110982-8814-428B-B8FC-5A56C57817D4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [TCP Query User{92227704-A01B-4C51-9F0C-85CFD2907EA9}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.179\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.179\deploy\leagueclient.exe
FirewallRules: [UDP Query User{121BD754-323E-4E4D-8C18-9C3F7D0CED44}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.179\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.179\deploy\leagueclient.exe
FirewallRules: [TCP Query User{44351071-24DE-4BE4-B6F2-8074DBAD14D5}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.181\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.181\deploy\leagueclient.exe
FirewallRules: [UDP Query User{3ECF8AB6-BC38-4FA2-9A46-33AD38C42493}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.181\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.181\deploy\leagueclient.exe
FirewallRules: [{634A8D1C-C65A-4A63-9B66-67BF4A03DE45}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\STALKER Shadow of Chernobyl\bin\XR_3DA.exe
FirewallRules: [{362E2225-328F-45CF-8827-BE63F8486975}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\STALKER Shadow of Chernobyl\bin\XR_3DA.exe
FirewallRules: [{FA059F79-7B85-486E-BB3B-F79B472C4595}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\STALKER Clear Sky\bin\xrEngine.exe
FirewallRules: [{780DEC7B-C157-48F8-9F61-0DF59F6EEF8D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\STALKER Clear Sky\bin\xrEngine.exe
FirewallRules: [{7C09CF3E-1328-45EA-BCD1-1E3E679722D7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Stalker Call of Pripyat\bin\xrEngine.exe
FirewallRules: [{1DE82AC4-E955-42F6-BF32-2223F553FD4F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Stalker Call of Pripyat\bin\xrEngine.exe
FirewallRules: [TCP Query User{71EA333A-7A35-4B20-B075-FD193FFFDF19}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{4D585460-CF63-4E5B-BCA3-DAB90B41DD69}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [TCP Query User{92889727-30BE-4E39-BBDF-8AB19C686F28}C:\program files (x86)\steam\steamapps\common\stalker clear sky\_appdata_\.svn\sace3\bin\xrengine.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\stalker clear sky\_appdata_\.svn\sace3\bin\xrengine.exe
FirewallRules: [UDP Query User{9F364EE9-8443-4097-BA48-19417B0CA3DD}C:\program files (x86)\steam\steamapps\common\stalker clear sky\_appdata_\.svn\sace3\bin\xrengine.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\stalker clear sky\_appdata_\.svn\sace3\bin\xrengine.exe
FirewallRules: [TCP Query User{412DF964-90D1-4855-98D8-7A9BF93A42D8}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.182\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.182\deploy\leagueclient.exe
FirewallRules: [UDP Query User{1461E6A6-9599-4CB4-874A-4176885C17D6}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.182\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.182\deploy\leagueclient.exe
FirewallRules: [TCP Query User{87A438A3-172B-4C3C-8FD2-7E38D4074824}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.183\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.183\deploy\leagueclient.exe
FirewallRules: [UDP Query User{FF350170-CD1D-4B7E-9CC6-762A8C716F1A}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.183\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.183\deploy\leagueclient.exe
FirewallRules: [TCP Query User{7819A578-BFBF-4A61-BFDD-17C5E87C36DB}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.184\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.184\deploy\leagueclient.exe
FirewallRules: [UDP Query User{2B342E7D-E845-4505-B92A-E02AC3B7EE79}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.184\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.184\deploy\leagueclient.exe
FirewallRules: [TCP Query User{5E45FD24-6244-4990-B956-FD0BD1B37009}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.185\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.185\deploy\leagueclient.exe
FirewallRules: [UDP Query User{534F0BEB-4A96-4090-AF9E-27D728F2B9A7}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.185\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.185\deploy\leagueclient.exe
FirewallRules: [TCP Query User{9752A3C6-A113-4560-966D-12E9818B7663}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.186\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.186\deploy\leagueclient.exe
FirewallRules: [UDP Query User{A32C2EE3-714A-482D-812F-DC3FBA67E660}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.186\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.186\deploy\leagueclient.exe
FirewallRules: [TCP Query User{7FD9B156-CE82-489A-B1F5-1DA3263FC2FF}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.141\deploy\leagueclient.exe] => (Allow) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.141\deploy\leagueclient.exe
FirewallRules: [UDP Query User{99C1CE9B-82AB-487A-BC22-E5396E4DD619}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.141\deploy\leagueclient.exe] => (Allow) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.141\deploy\leagueclient.exe
FirewallRules: [TCP Query User{543B0F9B-CE2E-407E-A649-036D3B97A71E}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.187\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.187\deploy\leagueclient.exe
FirewallRules: [UDP Query User{064BB85B-27FD-41BF-94A6-F590A97A826E}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.187\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.187\deploy\leagueclient.exe
FirewallRules: [TCP Query User{6A4B7303-4D24-4BC5-8DC9-816C24DE4828}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.188\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.188\deploy\leagueclient.exe
FirewallRules: [UDP Query User{C37D8E94-ADB4-41F9-A2D0-EE9ED4FCB792}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.188\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.188\deploy\leagueclient.exe
FirewallRules: [TCP Query User{BE1B3136-76B4-4766-9937-0E76593E54F5}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.189\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.189\deploy\leagueclient.exe
FirewallRules: [UDP Query User{57113395-31B9-4F94-916C-A1372EB239E7}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.189\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.189\deploy\leagueclient.exe
FirewallRules: [TCP Query User{757F4979-3FEC-4446-9996-818CD8E44BD2}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.190\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.190\deploy\leagueclient.exe
FirewallRules: [UDP Query User{74108E50-8C46-419F-8ADC-464B1BC1D578}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.190\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.190\deploy\leagueclient.exe
FirewallRules: [TCP Query User{41C10F1D-CC6C-498C-9D37-56ABB3855298}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.191\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.191\deploy\leagueclient.exe
FirewallRules: [UDP Query User{69F737F8-E7CF-4689-984F-B880C391A310}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.191\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.191\deploy\leagueclient.exe
FirewallRules: [TCP Query User{F5BE72B7-7374-476C-8583-DBF57A04BB7A}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.192\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.192\deploy\leagueclient.exe
FirewallRules: [UDP Query User{218F5248-42F5-4DF6-9208-7488D60B6D93}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.192\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.192\deploy\leagueclient.exe
FirewallRules: [TCP Query User{6B9389A1-D508-40E2-902C-A23D3D0141BC}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.193\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.193\deploy\leagueclient.exe
FirewallRules: [UDP Query User{77F01887-7899-428A-8348-853A825DD179}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.193\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.193\deploy\leagueclient.exe
FirewallRules: [{9CD2922C-BFF3-4317-AACA-BCB09E69F374}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{3340F54B-2148-4C3B-B51C-1BF373A3F03F}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.194\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.194\deploy\leagueclient.exe
FirewallRules: [UDP Query User{2A22152D-8128-4294-8EE1-7F2AF5B49135}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.194\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.194\deploy\leagueclient.exe
FirewallRules: [TCP Query User{CF7D7BB4-18AD-42A0-970D-EFAFAD88D506}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.195\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.195\deploy\leagueclient.exe
FirewallRules: [UDP Query User{98841280-62EC-416B-94AF-87ADBDFA8D73}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.195\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.195\deploy\leagueclient.exe
FirewallRules: [TCP Query User{F33EA99B-5A83-4DCF-9D47-C24BD3E2BF10}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.144\deploy\leagueclient.exe] => (Allow) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.144\deploy\leagueclient.exe
FirewallRules: [UDP Query User{6B4775BC-7878-4AFF-84BB-A9E758956A41}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.144\deploy\leagueclient.exe] => (Allow) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.144\deploy\leagueclient.exe
FirewallRules: [TCP Query User{57480AE5-E9F3-4F94-8C4C-380371485315}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.196\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.196\deploy\leagueclient.exe
FirewallRules: [UDP Query User{427D0C74-778A-467D-B9E6-287983D8CEF2}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.196\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.196\deploy\leagueclient.exe
FirewallRules: [{8A111951-D10D-4F07-B96D-C67EE400BC41}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Forest\TheForestVR.exe
FirewallRules: [{0AC7B748-3326-4951-9077-44F84F7FF15B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Forest\TheForestVR.exe
FirewallRules: [TCP Query User{4F0D5EC4-34F5-42CF-8CCE-DE2EF463FDCC}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.198\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.198\deploy\leagueclient.exe
FirewallRules: [UDP Query User{25243801-E395-470B-B50A-288A38FB1EDF}C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.198\deploy\leagueclient.exe] => (Allow) C:\riot games\pbe\rads\projects\league_client\releases\0.0.1.198\deploy\leagueclient.exe
FirewallRules: [{2B4EB1F5-70F3-47F0-8310-BCBED1FAA349}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Oblivion\OblivionLauncher.exe
FirewallRules: [{B155EFF5-8157-4F11-9CE3-C8F4BF205D9B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Oblivion\OblivionLauncher.exe
FirewallRules: [{3B05CCE7-8BC5-4655-8E77-E74D2B44FFAA}] => (Allow) C:\Users\Kemosaabee\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D3826E66-733E-4506-9F48-D22B0EB43E0D}] => (Allow) C:\Users\Kemosaabee\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{176D9D5C-937D-471F-B9F9-90CA3B85F36A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sid Meier's Civilization V\Launcher.exe
FirewallRules: [{A55F6686-E4F7-4B79-9268-82DD5BD04853}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sid Meier's Civilization V\Launcher.exe
FirewallRules: [{3A0EAA8F-3FE8-4B56-AEB8-CC87F09E30BE}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Endless Legend\EndlessLegend.exe
FirewallRules: [{104C62ED-7144-4A44-924B-BC94DAB4EF14}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Endless Legend\EndlessLegend.exe
FirewallRules: [{FD880934-34FE-4D2D-A817-5AF118C21570}] => (Allow) C:\Program Files (x86)\Supercar\Cystic.exe
FirewallRules: [{5D6580A2-064C-4AB9-8258-3C4D3F3BFB93}] => (Allow) C:\Program Files (x86)\Cheerleaders\Cystic.exe
FirewallRules: [{3ADCEBF9-D597-46C4-B875-8BC12D315DA0}] => (Allow) C:\Program Files (x86)\astonished\Bonnin.exe
FirewallRules: [{B65860D2-CB01-4D75-8E72-335F7A2A85AB}] => (Allow) C:\Program Files (x86)\Cheerleaders\Bonnin.exe
FirewallRules: [{D2621E15-3E5A-4DA8-B19E-C3CAC9C6569F}] => (Allow) C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe
FirewallRules: [{6E9EC17B-E915-43EB-8491-DD61201A3C14}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{DF68C6F8-B751-4458-93D7-8A4E4214E59B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{F928ADA5-FDB0-4011-99ED-B41B66DFBF5D}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{1FFE78BC-575D-49E1-B437-06343A11182E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\launcher.exe
FirewallRules: [{A26BF4DB-B141-4797-A926-15BF494BDCB5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\launcher.exe
FirewallRules: [{4E224F34-B445-4BA8-B5D4-13267D9431E5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\CoJ Gunslinger\CoJGunslinger.exe
FirewallRules: [{78D0E649-A95E-4887-9777-510BCD57BB65}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\CoJ Gunslinger\CoJGunslinger.exe
 
==================== Restore Points =========================
 
Could not list restore points
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
Could not list Devices. Check "winmgmt" service or repair WMI.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/08/2018 11:05:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: gldriverquery.exe, version: 0.0.0.0, time stamp: 0x59bc6c77
Faulting module name: VCRUNTIME140.dll, version: 6.3.9600.18895, time stamp: 0x5a4b127e
Exception code: 0xc0000135
Fault offset: 0x0009d4e2
Faulting process id: 0x1594
Faulting application start time: 0x01d3ffb7d262cc67
Faulting application path: C:\Program Files (x86)\Steam\bin\gldriverquery.exe
Faulting module path: VCRUNTIME140.dll
Report Id: 1135c684-6bab-11e8-8285-c389bf705e85
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (06/08/2018 11:00:49 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c7c00280-b24d-4e82-89ca-4f1288eb1d9e;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (06/08/2018 11:00:49 PM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e
 
Error: (06/08/2018 11:00:49 PM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details. 
hr=0x80072EE7
 
Error: (06/08/2018 10:35:57 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c7c00280-b24d-4e82-89ca-4f1288eb1d9e;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (06/08/2018 10:35:57 PM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e
 
Error: (06/08/2018 10:35:57 PM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details. 
hr=0x80072EE7
 
Error: (06/08/2018 10:35:33 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: gldriverquery.exe, version: 0.0.0.0, time stamp: 0x59bc6c77
Faulting module name: VCRUNTIME140.dll, version: 6.3.9600.18895, time stamp: 0x5a4b127e
Exception code: 0xc0000135
Fault offset: 0x0009d4e2
Faulting process id: 0x1084
Faulting application start time: 0x01d3ffb3aed6a19a
Faulting application path: C:\Program Files (x86)\Steam\bin\gldriverquery.exe
Faulting module path: VCRUNTIME140.dll
Report Id: ed8682b1-6ba6-11e8-8284-8fc5b22fd460
Faulting package full name: 
Faulting package-relative application ID:
 
 
System errors:
=============
Error: (07/08/2018 09:51:51 PM) (Source: Ntfs) (EventID: 55) (User: NT AUTHORITY)
Description: A corruption was discovered in the file system structure on volume C:.
 
The exact nature of the corruption is unknown.  The file system structures need to be scanned online.
 
Error: (07/08/2018 09:39:31 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The McAfee Personal Firewall Service service depends on the Windows Firewall service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
 
Error: (07/08/2018 09:39:30 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (07/08/2018 09:37:21 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Defender Network Inspection Service service depends on the Windows Defender Network Inspection System Driver service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (07/08/2018 09:37:21 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Defender Network Inspection System Driver service depends on the Base Filtering Engine service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
 
Error: (07/08/2018 09:36:51 PM) (Source: Microsoft-Windows-Ntfs) (EventID: 98) (User: NT AUTHORITY)
Description: C:\Device\HarddiskVolume43
 
Error: (06/08/2018 11:03:47 PM) (Source: volsnap) (EventID: 14) (User: )
Description: The shadow copies of volume C: were aborted because of an IO failure on volume C:.
 
Error: (06/08/2018 11:03:47 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
 
Windows Defender:
===================================
Date: 2018-06-07 20:27:29.020
Description: 
Windows Defender scan has been stopped before completion.
Scan ID: {C3201C68-01F9-48D3-A4D1-97D5E02B4882}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-06-06 19:22:53.122
Description: 
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win64/Detrahere.E
ID: 2147725567
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Kemosaabee\AppData\Local\Mozilla\Firefox\Profiles\ww3axrkt.default-1527532672918\cache2\entries\CA185E0F829E9F7E18BBA06FD712076973D0D506
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: User
Process Name: Unknown
Signature Version: AV: 1.269.439.0, AS: 1.269.439.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.14901.4, NIS: 2.1.14600.4
 
Date: 2018-06-06 16:34:23.783
Description: 
Windows Defender scan has been stopped before completion.
Scan ID: {13E2DDE6-98E2-4EEF-AF4B-22B480C84F18}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-05-31 18:12:49.813
Description: 
Windows Defender scan has been stopped before completion.
Scan ID: {74332883-21EC-43B9-9793-D6F5299A6A18}
Scan Type: Antimalware
Scan Parameters: Full Scan
 
Date: 2018-05-29 18:24:06.306
Description: 
Windows Defender scan has been stopped before completion.
Scan ID: {A9173A0C-5F6D-4DFF-A562-2437DD714F5A}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-07-08 21:50:06.281
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 119.0.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version: 
Previous Engine Version: 2.1.14600.4
Error code: 0x800706d9
Error description: There are no more endpoints available from the endpoint mapper. 
 
Date: 2018-07-08 21:50:06.281
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.269.439.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiSpyware
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14901.4
Error code: 0x800706d9
Error description: There are no more endpoints available from the endpoint mapper. 
 
Date: 2018-07-08 21:50:06.281
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.269.439.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14901.4
Error code: 0x800706d9
Error description: There are no more endpoints available from the endpoint mapper. 
 
Date: 2018-07-08 21:50:06.250
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.269.439.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14901.4
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
Date: 2018-07-08 21:37:22.010
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 119.0.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version: 
Previous Engine Version: 2.1.14600.4
Error code: 0x800706d9
Error description: There are no more endpoints available from the endpoint mapper. 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-4440 CPU @ 3.10GHz
Percentage of memory in use: 21%
Total physical RAM: 8001.43 MB
Available physical RAM: 6283.73 MB
Total Virtual: 9729.43 MB
Available Virtual: 7845.32 MB
 
==================== Drives ================================
 
Drive c: (Acer) (Fixed) (Total:913.35 GB) (Free:789.85 GB) NTFS
Drive e: () (Removable) (Total:14.91 GB) (Free:14.81 GB) NTFS
 
\\?\Volume{cd8949a8-175e-44f8-b7e5-22a00e9fd3f3}\ (Recovery) (Fixed) (Total:0.59 GB) (Free:0.18 GB) NTFS
\\?\Volume{d88f45c9-caaf-4c68-97e0-07fedc736675}\ () (Fixed) (Total:0 GB) (Free:0 GB) 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: F2EA4953)
 
Partition: GPT.
 
========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 14.9 GB) (Disk ID: 421ABC8A)
Partition 1: (Active) - (Size=14.9 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

I hope this provided some help (:


#4 sasschary

Posted 09 July 2018 - 04:06 PM

Hi, Kemosaabee,

 

Glad to hear you have a USB drive, because we're about to use that. Please delete the copy of FRST which you are currently running from the USB drive, then redownload it using a PC which has not been infected. Do not put the drive back into the infected PC yet, as, if you do, the copy of FRST may become infected and work improperly.

 

Let's run an FRST scan from the Recovery Environment.

  • Turn off the infected system.
  • Once the computer is off, put the USB drive into the infected PC.
  • Turn your computer on, but once the system starts booting, press and hold the power button to turn it off again.
  • Repeat Step 3 two more times.
  • Turn on your system again, and let it boot completely. It should boot into an automatic repair mode.
  • After the startup repair process completes, press Advanced options, then Troubleshoot, then Advanced Options, and finally Command Prompt.
  • You should be asked to sign in. Click your username, and then enter your password on the next screen.
  • A command prompt should appear. Type notepad and press Enter on your keyboard.
  • In the Notepad window which opens, click the File menu, then click Open.
  • In the Open dialog box, click This PC.
  • Look for your USB drive and find what drive letter it has. This will probably look something like E:\.
  • Click Cancel and close Notepad.
  • Back in the command prompt, type E:\FRST64.exe, replacing E:\ with the letter you found earlier. So, if you found it to be G:\, you should type G:\FRST64.exe.
  • Press Enter on your keyboard.
  • FRST should open. Click Yes to allow FRST to run.
  • Click Scan.

FRST should create the scan logs in the root directory of your flash drive. Please open those, then copy and paste them into your next reply.

 

In your next reply, please include the following:

  • FRST.txt

sasschary



#5 sasschary

Posted 12 July 2018 - 02:12 PM

Hi, Kemosaabee,

 

Are you still with me?
 



#6 Kemosaabee

Posted 14 July 2018 - 02:57 AM

Hi Zach, I'm so sorry for the inconvenience but I had a family issue to attend to and was out of town for a few days, I hope you understand. So immediately there seems to be a problem to where my computer won't start in the automatic repair mode no matter how many times I try to turn off and on the computer. 



#7 sasschary

Posted 15 July 2018 - 11:27 AM

Let's reboot into the Recovery Environment.

  • On the infected system, open your Start menu and click the power button. Then, press and hold Enter on your keyboard and click Restart.
  • Windows will begin to reboot, but then will open a menu. In the menu, press Advanced options, then Troubleshoot, then Advanced Options, and finally Command Prompt.
  • You should be asked to sign in. Click your username, and then enter your password on the next screen.
  • A command prompt should open.

Now, please refer to my last post and go through the instructions from there starting at Step 8.

In your next reply, please include the following:

  • FRST.txt

sasschary



#8 Kemosaabee

Posted 18 July 2018 - 01:03 AM

Hey Zach, so I've realized all these steps are to get the FRST text, but since I've already posted it in an earlier comment, what's the point of doing it again?

#9 sasschary

Posted 18 July 2018 - 10:58 AM

Hi Kemosaabee,

There is a line in your current scan, notably, this one:

S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION

This leads me to believe that part of your infection may be the SmartService infection, which can be a difficult infection to remove. FRST has a functionality built in that will help us remove that infection. This function can only be accessed by running a scan from the Recovery Environment. So, the purpose of running the scan again is less to get the scan text itself, and more to get FRST to remove the rootkit part of the infection. Once we have run the scan again from the RE we will be able to continue as most malware removal threads would.

sasschary
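A defender-side way to make the triage above mechanical. This is an added example, not FRST's own code or the helper's: it parses lines in FRST's log format and flags the patterns this thread's logs show, namely services FRST marks with `<==== ATTENTION` or `[X]`, many randomly named autorun entries sharing one command-line token (the `tanhwg` pattern), and firewall Allow rules for executables under ProgramData or AppData. The sample lines are copied from the logs posted in this thread; the function names, the three-name threshold and the directory list are my own choices.

```python
"""Mechanical triage of FRST-format log lines (added example, not FRST code)."""
import re
from collections import defaultdict

# Constructed sample, built from lines that appear in this thread's logs.
SAMPLE_LOG = r"""
FirewallRules: [{9CD2922C-BFF3-4317-AACA-BCB09E69F374}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{D2621E15-3E5A-4DA8-B19E-C3CAC9C6569F}] => (Allow) C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe
FirewallRules: [{3B05CCE7-8BC5-4655-8E77-E74D2B44FFAA}] => (Allow) C:\Users\Kemosaabee\AppData\Roaming\uTorrent\uTorrent.exe
HKLM\...\Run: [Explorers] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
HKLM\...\Run: [Bromides] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Garlic] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
S4 WNetworkMgmt; C:\ProgramData\Microsoft\Windows\WNetworkMgmt\WNetworkMgmt.exe [6232185 2018-05-22] () [File not signed] <==== ATTENTION
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
S1 duidczqj; \??\C:\Windows\system32\drivers\duidczqj.sys [X]
HKLM\SYSTEM\CurrentControlSet\Services\odarsnlk <==== ATTENTION (Rootkit!)
"""

# Line shapes as FRST prints them: HKxx\...\Run: [Name] => "path" args
RUN_RE = re.compile(
    r'^(?P<hive>HK\S+?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => '
    r'"(?P<path>[^"]+)"(?: (?P<args>\S.*))?$')
FIREWALL_RE = re.compile(
    r'^FirewallRules: \[[^\]]+\] => \((?P<action>\w+)\) (?P<path>.+)$')
SERVICE_RE = re.compile(r'^(?P<start>[SRU]\d) (?P<name>[^;]+); (?P<rest>.*)$')
# Directories a firewall-allowed executable rarely has a good reason to live in
# (my choice of list; uTorrent shows legitimate software trips it too, hence "review").
SUSPECT_DIRS = ('\\programdata\\', '\\appdata\\')


def parse_run_entries(lines):
    """Return one dict (hive, name, path, args) per ...\\Run entry."""
    entries = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def shared_arg_clusters(entries, min_names=3):
    """Map a command-line token to the autorun names that reuse it.

    Only tokens reused by at least min_names distinct names are returned; the
    threshold is an assumption, chosen so one legitimate flag is not flagged.
    """
    by_arg = defaultdict(set)
    for e in entries:
        if e['args']:
            by_arg[e['args']].add(e['name'])
    return {arg: sorted(names) for arg, names in by_arg.items()
            if len(names) >= min_names}


def flag_services(lines):
    """Services FRST itself marked, or whose binary is missing ([X])."""
    findings = []
    for line in lines:
        s = line.strip()
        m = SERVICE_RE.match(s)
        if 'ATTENTION (Rootkit!)' in s:
            findings.append(('high', 'rootkit service key', s))
        elif m and ('<==== ATTENTION' in m['rest'] or '[X]' in m['rest']):
            findings.append(('high', 'flagged service ' + m['name'], s))
    return findings


def flag_firewall_rules(lines):
    """Allow rules whose executable lives under ProgramData or AppData."""
    findings = []
    for line in lines:
        m = FIREWALL_RE.match(line.strip())
        if not m or m['action'] != 'Allow':
            continue
        if any(d in m['path'].lower() for d in SUSPECT_DIRS):
            findings.append(('review', 'firewall allow for ' + m['path'], line.strip()))
    return findings


def triage(log_text):
    """Run all three checks and return (severity, reason, evidence) tuples."""
    lines = log_text.splitlines()
    findings = flag_services(lines) + flag_firewall_rules(lines)
    for arg, names in shared_arg_clusters(parse_run_entries(lines)).items():
        findings.append(('high',
                         f'{len(names)} autorun names share argument {arg!r}',
                         ', '.join(names)))
    return findings


if __name__ == '__main__':
    for severity, reason, evidence in triage(SAMPLE_LOG):
        print(f'[{severity}] {reason}\n    {evidence}')
```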



#10 Kemosaabee

Posted 20 July 2018 - 06:19 PM

Hey Zach, I've tried both of these methods to boot the computer into recovery environment but it seems it never works. Could it be possible that the malware can stop me from booting into this?



#11 sasschary

Posted 22 July 2018 - 07:09 AM

Hi Kemosaabee,

Yes, that is a possibility. We should be able to work around it, though.

Do you still have access to the link you downloaded the Skyrim installer from? If you do, could you please post that? This is a rather new infection, and we have people who do things with malware analysis who would appreciate samples of this malware, if possible.

Let's run a scan using GMER.

Note: This is a rootkit scanner and does not always cooperate with modern systems. As such, it may cause a Blue Screen of Death when running. Please do not have any other things running when you run GMER to make data corruption less likely if a BSOD does take place.

  • Please download GMER from here and save it to your Desktop. It will be a randomly named file to try to prevent malware from blocking it, so do not be surprised by its name.
  • Make sure all other programs are closed, then disable your antivirus software.
  • On your desktop, right-click on the GMER file and click Run as Administrator.
  • If a User Accounts Control dialog box appears, click Yes to allow GMER to run.
  • Once GMER opens, please make sure the following things are set on the right side of the screen:
    • IAT/EAT - Unchecked
    • All drive letters - Unchecked
    • Quick Scan - Checked
    • Show All - Unchecked
  • Click Scan.
  • If you see a rootkit warning, click OK to continue.
  • After the scan has finished, save the findings to your desktop as GMER.log. Open that file in Notepad, then copy and paste it into your next reply.
  • Finally, please reenable your antivirus software.

Let's run a fix using FRST.

Note: Running this scan will reset your Windows firewall settings. Windows will occasionally prompt you to either allow or prevent programs from accessing the internet afterward, which you will generally want to allow.

  • Highlight the contents of the code box below, then press Ctrl + C on your keyboard to copy it. You do not need to paste it anywhere; it need only be in your clipboard.
    C:\ProgramData\Microsoft\Windows\WNetworkMgmt
    C:\Program Files (x86)\astonished
    C:\Program Files (x86)\breadfruit
    C:\Program Files (x86)\Cheerleaders
    C:\Program Files (x86)\Cree
    C:\Program Files (x86)\gerri
    C:\Program Files (x86)\Supercar
    C:\Users\Kemosaabee\AppData\Local\athboil
    C:\Users\Kemosaabee\AppData\Local\auitrvx
    C:\Users\Kemosaabee\AppData\Local\avhzgwk
    C:\Users\Kemosaabee\AppData\Local\Bonnin.exe
    C:\Users\Kemosaabee\AppData\Local\Cystic.exe
    C:\Users\Kemosaabee\AppData\Local\exalbkv
    C:\Users\Kemosaabee\AppData\Local\installer.dat
    C:\Users\Kemosaabee\AppData\Local\Mozilla\Firefox\Profiles\ww3axrkt.default-1527532672918\cache2\entries\CA185E0F829E9F7E18BBA06FD712076973D0D506
    C:\Users\Kemosaabee\AppData\Local\nidugob
    C:\Users\Kemosaabee\AppData\Local\psntvoi
    C:\Users\Kemosaabee\AppData\Local\psradxt
    C:\Users\Kemosaabee\AppData\Local\pwhxlid
    C:\Users\Kemosaabee\AppData\Local\renpozs
    C:\Users\Kemosaabee\AppData\Local\sbadvwp
    C:\Users\Kemosaabee\AppData\Local\setupImageCreator_v4.2.exe
    C:\Users\Kemosaabee\AppData\Local\Temp\gimi.exe
    C:\Users\Kemosaabee\AppData\Local\Temp\Uninstall.exe
    C:\Users\Kemosaabee\AppData\Local\usekcmd
    C:\Windows\System32\cwesrdhsvc.exe
    C:\Windows\system32\Drivers\atoehknr.sys
    HKLM\...\Run: [Explorers] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
    HKLM\...\Run: [Bromides] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
    HKLM\...\Run: [Overtures] => "C:\Program Files (x86)\Cheerleaders\Cystic.exe" tanhwg
    HKLM-x32\...\Run: [Himmelfarb] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
    HKLM-x32\...\Run: [Raad] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
    HKLM-x32\...\Run: [Maliciousness] => "C:\Program Files (x86)\Cheerleaders\Cystic.exe" tanhwg
    HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Garlic] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
    HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Marson] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
    HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Volpe] => "C:\Program Files (x86)\Cheerleaders\Cystic.exe" tanhwg
    HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Submitting] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
    HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Staggeringly] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
    HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Spendthrifts] => "C:\Program Files (x86)\Cheerleaders\Cystic.exe" tanhwg
    HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [powerpoint] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
    HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [avocado] => "C:\Program Files (x86)\breadfruit\avocado.exe" tanhwg
    Startup: C:\Users\Kemosaabee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pleurisy.lnk [2018-05-25]
    ShortcutTarget: pleurisy.lnk -> C:\Program Files (x86)\Supercar\Cystic.exe (No File)
    Startup: C:\Users\Kemosaabee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pleurisypleurisy.lnk [2018-05-25]
    ShortcutTarget: pleurisypleurisy.lnk -> C:\Program Files (x86)\astonished\Bonnin.exe (No File)
    HKLM\SYSTEM\CurrentControlSet\Services\odarsnlk <==== ATTENTION (Rootkit!)
    S4 WNetworkMgmt; C:\ProgramData\Microsoft\Windows\WNetworkMgmt\WNetworkMgmt.exe [6232185 2018-05-22] () [File not signed] <==== ATTENTION <==== ATTENTION
    S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
    S1 duidczqj; \??\C:\Windows\system32\drivers\duidczqj.sys [X]
    R3 hloruy; system32\drivers\oruybe.sys [X]
    Task: {072DF236-B153-410A-8FAB-62FC988BBF25} - System32\Tasks\shakey_mummy => C:\Program Files (x86)\Cheerleaders\Cystic.exe
    Task: {0BD2C93B-51F3-4E97-B69B-437CCD1A27DB} - System32\Tasks\facilityfacility => C:\Program Files (x86)\Cree\mitzi.exe [2018-05-25] ()
    Task: {29A701C7-F4FF-4AA5-8714-BDE1C6B3B090} - System32\Tasks\msf containing monohull => C:\Users\Kemosaabee\AppData\Local\Cystic.exe
    Task: {2A3E2A38-BE23-4BC5-A8F9-B6441853CAF9} - System32\Tasks\moratorium => C:\Program Files (x86)\gerri\gerri.exe
    Task: {3CD26EE5-70AA-4CCD-8916-06380630F268} - System32\Tasks\msf containing monohullmsf containing monohull => C:\Users\Kemosaabee\AppData\Local\Cystic.exe
    Task: {56ABF8C0-21EF-44DB-8645-752569259AAB} - System32\Tasks\facility => C:\Program Files (x86)\Cree\mitzi.exe [2018-05-25] ()
    Task: {56F5F627-8BB4-457A-B1F5-47A03A93E7CA} - System32\Tasks\moratoriummoratorium => C:\Program Files (x86)\gerri\gerri.exe
    Task: {58666E71-1C4D-4CA2-94AF-3A3FECC57D26} - System32\Tasks\storytelling proceeduresstorytelling proceedures => C:\Program Files (x86)\Cheerleaders\Bonnin.exe
    Task: {65C7DF72-202B-4588-AF8C-D647F1A39856} - System32\Tasks\choir_eyeletchoir_eyelet => C:\Users\Kemosaabee\AppData\Local\Bonnin.exe
    Task: {77F66353-416F-4C89-A21D-8C9CA6D4517A} - System32\Tasks\shakey_mummyshakey_mummy => C:\Program Files (x86)\Cheerleaders\Cystic.exe
    Task: {7F6EBD11-25E1-4774-BAC7-26AB4BF5ECF5} - System32\Tasks\storytelling proceedures => C:\Program Files (x86)\Cheerleaders\Bonnin.exe
    Task: {AE931A60-D3CE-4D97-90CC-21943280749C} - System32\Tasks\choir_eyelet => C:\Users\Kemosaabee\AppData\Local\Bonnin.exe
    Task: {D2251B6D-C9FD-4E64-977A-8C385480081B} - System32\Tasks\aneurin => C:\Program Files (x86)\Supercar\Cystic.exe
    Task: {EA6855CB-145E-4AD2-A187-B32FAD499D6A} - System32\Tasks\construes-prognosticateconstrues-prognosticate => C:\Program Files (x86)\astonished\Bonnin.exe
    Task: {F0A75C0E-D0E0-4CBA-A3AA-819F728A6EF5} - System32\Tasks\construes-prognosticate => C:\Program Files (x86)\astonished\Bonnin.exe
    Task: {FE3CBF41-218E-4B0F-8FD1-5E56FF4EAA94} - System32\Tasks\aneurinaneurin => C:\Program Files (x86)\Supercar\Cystic.exe
    AlternateDataStreams: C:\Users\Public\AppData:CSM [462]
    CMD: netsh advfirewall reset
  • From your desktop, right click FRST and click Run as Administrator.
  • If a User Account Control dialog box and/or a disclaimer from FRST appears, click Yes to allow FRST to run.
  • When FRST opens, click Fix and wait for the fixlist to be run.
  • After the fix has been completed, FRST should create and open a file called Fixlog.txt in Notepad. Please copy and paste that file into your next reply.

In your next reply, please include the following:

  • GMER.log
  • Fixlog.txt
  • The URL from which you got the infection, if possible

sasschary
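As an added illustration (not the helper's code and not part of FRST), here is a small Python parser for the fixlist format above: it classifies each line by the persistence mechanism it describes and groups entries by the binary they launch, which makes the redundancy visible (the same Cystic.exe and Bonnin.exe registered under many Run names, tasks and shortcuts, plus task names that are simply another task's name written twice). The embedded sample is a constructed subset of this thread's own entries; the line prefixes recognised are the ones that occur in this fixlist.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the FRST fixlist entries quoted in this thread,
# embedded so the script runs offline. Any real fixlist text can be passed instead.
SAMPLE_FIXLIST = r"""
HKLM-x32\...\Run: [Raad] => "C:\Program Files (x86)\astonished\Bonnin.exe" tanhwg
HKU\S-1-5-21-3262422751-4070970212-1586142915-1001\...\Run: [Garlic] => "C:\Program Files (x86)\Supercar\Cystic.exe" tanhwg
Startup: C:\Users\Kemosaabee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pleurisy.lnk [2018-05-25]
ShortcutTarget: pleurisy.lnk -> C:\Program Files (x86)\Supercar\Cystic.exe (No File)
S4 WNetworkMgmt; C:\ProgramData\Microsoft\Windows\WNetworkMgmt\WNetworkMgmt.exe [6232185 2018-05-22] () [File not signed] <==== ATTENTION
S1 duidczqj; \??\C:\Windows\system32\drivers\duidczqj.sys [X]
Task: {072DF236-B153-410A-8FAB-62FC988BBF25} - System32\Tasks\shakey_mummy => C:\Program Files (x86)\Cheerleaders\Cystic.exe
Task: {77F66353-416F-4C89-A21D-8C9CA6D4517A} - System32\Tasks\shakey_mummyshakey_mummy => C:\Program Files (x86)\Cheerleaders\Cystic.exe
AlternateDataStreams: C:\Users\Public\AppData:CSM [462]
"""

# First Windows path on a line that ends in an executable, driver or shortcut.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|sys|lnk))\b", re.I)
# FRST fixlist entry types, recognised by their line prefix (first match wins).
KINDS = [
    (re.compile(r"^HK.*\\Run: "), "run_key"),
    (re.compile(r"^Startup: "), "startup_folder"),
    (re.compile(r"^ShortcutTarget: "), "shortcut_target"),
    (re.compile(r"^Task: "), "scheduled_task"),
    (re.compile(r"^[RSU]\d "), "service_or_driver"),
    (re.compile(r"^AlternateDataStreams: "), "ads"),
]

def parse_fixlist(text):
    """Yield (kind, target_path_or_None, line) for every non-empty fixlist line."""
    for line in filter(None, map(str.strip, text.splitlines())):
        kind = next((k for rx, k in KINDS if rx.search(line)), "other")
        m = PATH_RE.search(line)
        yield kind, (m.group(1) if m else None), line

def persistence_by_binary(text):
    """Map each referenced .exe/.sys to the persistence kinds that launch it;
    several entries for one binary mean redundant persistence, as with Cystic.exe."""
    hits = defaultdict(list)
    for kind, path, _ in parse_fixlist(text):
        if path and not path.lower().endswith(".lnk"):   # .lnk is resolved by ShortcutTarget
            hits[path].append(kind)
    return dict(hits)

def doubled_task_names(text):
    """Task names that are another task's name written twice (e.g. 'facilityfacility')."""
    names = [re.search(r"Tasks\\(.+?) =>", ln).group(1)
             for k, _, ln in parse_fixlist(text) if k == "scheduled_task"]
    return sorted(n for n in names if n[:len(n) // 2] in names and n[:len(n) // 2] * 2 == n)
```

Run against the full fixlist posted above, the grouping shows each dropped executable reached from Run keys, the Startup folder, scheduled tasks and a service at once, which is why a single deletion never removed the infection.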



#12 Kemosaabee

Kemosaabee
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 25 July 2018 - 12:22 AM

Hey Zach, 
I've basically spent all the free time I've had trying to get that program to work but the thing is, this malware has disabled the ability for mice to work on it, leaving only my keyboard to try and fix this. It was never really a problem for me until now where I have to select the boxes and such. Another effect from it disabling my mice is that I can't even click the save button after the scan, which means I'm not allowed to transfer any of the data from one computer to another. Unless there is a way to select these boxes without a mouse, I seem to be stuck. I've tried tabbing and basically mashing my keyboard, but to no avail. On the subject of the URL, it was just a link from the Pirate Bay, nothing too special but to find it again would be difficult since it was just the highest rated one, along with me deleting basically every trace of utorrent and that program available, obviously some of it stuck around though /:



#13 sasschary

sasschary

  • Malware Study Hall Senior
  • 846 posts
  • OFFLINE
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:07:26 PM

Posted 25 July 2018 - 10:15 AM

Hi, Kemosaabee,
Have you tried changing the USB port of the mouse or using a different mouse? If not, please try those. If you have, let's try reinstalling the driver for the mouse and see if that does anything.
Let's reinstall the driver for your mouse.
  1. Press the Windows key and X on your keyboard.
  2. Use the arrow keys to move in the menu and get to Device Manager, then press Enter.
  3. If a User Account Control dialog opens, move to Yes and press Enter.
  4. Once the Device Manager opens, press Tab until the first item in the main list is selected. Then use the arrow keys to scroll down to Mice and other pointing devices.
  5. Press the right arrow key to expand the list. Find the mouse that isn't working in the list, then press the key next to the right control key which looks like a menu. In this menu, move to Properties and press Enter.
  6. The Properties window will open, most likely to the General tab. Press Tab until the tab heading is outlined, then press the right arrow key to move to the Driver tab.
  7. Press Tab until the button labeled Uninstall Device is highlighted, then press Enter.
  8. A confirmation dialog will appear. Press Enter to confirm the uninstallation.
  9. After the uninstall is complete, press the Windows key to open the Start Menu.
  10. Press Tab until one of the icons on the left is selected, then move down to the power icon and press Enter.
  11. Finally, move to Restart and press Enter.

Once the computer has restarted, try using your mouse again to see if anything has changed. If you are able to use it, please try again to run the scan and fix I gave in my last post.
sasschary



#14 Kemosaabee

Kemosaabee
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 27 July 2018 - 09:37 PM

Hey Zach,
After loading up the device manager, I've realized the "mice and other pointer devices" is just nonexistent. There were some devices disabled but none pertained to being my mouse, and other mice also don't work. Is it possible the malware can hide this from me being able to edit these for the reason to slow down its removal?



#15 sasschary

sasschary

  • Malware Study Hall Senior
  • 846 posts
  • OFFLINE
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:07:26 PM

Posted 29 July 2018 - 10:47 PM

Hi, Kemosaabee,
Can you try your mouse on a different computer, just to verify that the problem is definitely not the mouse?
Sasschary