Three trojans Kaspersky flagged but couldn't disinfect. (1 of 2)


mirby777

TS Rookie
Hi Julio!

Here are three trojans that Kaspersky could not disinfect (below). I should have been more careful!

FRST output warns about a file I can't delete.

There were 3 warnings in Addition.txt located in the next thread. Can you help? Thanks a bunch!

Kaspersky warnings:

06.03.2018 06.25.55 Detected object (process memory) cannot be disinfected c:\windows\syswow64\cmd.exe Process memory: c:\windows\syswow64\cmd.exe Object name: PDM:Trojan.Win32.Pushel.a Object type: Other malware Time: 3/6/2018 6:25 AM

06.03.2018 06.25.55 Detected object (process memory) cannot be disinfected c:\users\mirby\appdata\local\bohaf\hekitan.exe Process memory: c:\users\mirby\appdata\local\bohaf\hekitan.exe Time: 3/6/2018 6:25 AM (I deleted hekitan.exe but still got the warning)

06.03.2018 06.25.29 Detected object (file) not processed pscmd:\276da89c56fab8df1e10ac0db2c8c2fefc4ef9f102eca1b9748e06e00552ae49//amsi_script_utf8 File: pscmd:\276da89c56fab8df1e10ac0db2c8c2fefc4ef9f102eca1b9748e06e00552ae49//amsi_script_utf8 Object name: HEUR:Trojan.PowerShell.Generic Object type: Trojan program Time: 3/6/2018


And here are the requested FRST.txt file contents.

The Addition.txt file contents are in the next thread due to size constraints.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 04.03.2018
Ran by mirby (administrator) on HP3 (07-03-2018 09:39:42)
Running from C:\Users\mirby\Desktop
Loaded Profiles: mirby (Available Profiles: mirby)
Platform: Windows 10 Pro Version 1709 16299.248 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool:

=== Processes (Whitelisted) ====

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\120322.inf_amd64_496b556827a662cb\igfxCUIService.exe
(HP) C:\Windows\System32\HP3DDGService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Dassault Systemes) C:\Program Files (x86)\Dassault Systemes\B21\intel_a\code\bin\CATSysDemon.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 18.0.0\avp.exe
(Intel Corporation) C:\MSC.Software\MSC_Nastran\20160\msc20160\actran\win64\Actran_16.1.b.92885\mpi\intelmpi\bin\smpd.exe
(Intel(R) Corporation) C:\Program Files\Intel\BCA\pabeSvc64.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe
(MDL Forum, mod by Ratiborus) C:\ProgramData\KMSAuto\bin\KMSSS.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Mentor Graphics Corporation) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS Flow Simulation\binCFW\remotesolverdispatcherservice.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
() C:\Program Files\AVAST Software\SecureLine\vpnsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe
(Mentor Graphics Corporation) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS Flow Simulation\binCFW\dispatcher.exe
(Acresso Software Inc.) C:\SIMULIA\SIMULIA\License\lmgrd.exe
(Flexera Software LLC.) C:\Program Files\Siemens\PLMLicenseServer\lmgrd.exe
(Acresso Software Inc.) C:\SIMULIA\SIMULIA\License\lmgrd.exe
(Flexera Software LLC.) C:\Program Files\Siemens\PLMLicenseServer\lmgrd.exe
(Dassault Systemes SIMULIA Corp) C:\SIMULIA\SIMULIA\License\ABAQUSLM.exe
(Siemens PLM Software Inc.) C:\Program Files\Siemens\PLMLicenseServer\ugslmd.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(iolo technologies, LLC) C:\Program Files (x86)\Phoenix360\System Mechanic\ioloGovernor64.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\120322.inf_amd64_496b556827a662cb\igfxEM.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam6\YouCamService6.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Microsoft Corporation) C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\sgx_psw.inf_amd64_1781f8bae8fdf5c0\aesm_service.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Google Inc.) C:\Users\mirby\AppData\Local\Google\Update\GoogleUpdate.exe
(PC Tools) C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glarysoft\Malware Hunter\mhtray.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 18.0.0\avpui.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(HP Inc.) C:\Program Files\HP\HP Touchpoint Analytics Client\TouchpointAnalyticsClientService.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 2.0\ksde.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 2.0\ksdeui.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glarysoft\Malware Hunter\QuickSearch.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\x64ProcessAssistSvc.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glarysoft\Malware Hunter\MemfilesService.exe
(Mozilla Corporation) C:\Program Files (x86)\mozilla firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\mozilla firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\mozilla firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\mozilla firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\mozilla firefox\firefox.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Mozilla Corporation) C:\Program Files (x86)\mozilla firefox\firefox.exe
(Microsoft Corporation) C:\Windows\regedit.exe
(SplashData, Inc) C:\Program Files (x86)\SplashData\SplashID Safe\SplashID Safe.exe
Failed to access process -> NVDisplay.Container.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\TrueImageHome\TrueImageHomeNotify.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\TrueImageHome\TrueImageHomeService.exe

== Registry (Whitelisted) ==

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8801024 2016-09-06] (Realtek Semiconductor)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [3567936 2018-02-26] (Dropbox, Inc.)
HKLM-x32\...\Run: [SSDMonitor] => C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe [105120 2012-08-21] (PC Tools)
HKLM-x32\...\Run: [MalTray] => C:\Program Files (x86)\Glarysoft\Malware Hunter\mhtray.exe [980976 2018-02-01] (Glarysoft Ltd)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [646680 2017-12-19] (Oracle Corporation)
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\Run: [GUDelayStartup] => C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe [44016 2018-02-01] (Glarysoft Ltd)
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\Run: [Google Update] => C:\Users\mirby\AppData\Local\Google\Update\1.3.33.7\GoogleUpdateCore.exe [601680 2017-11-13] (Google Inc.)
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [67384 2018-01-10] (Apple Inc.)
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [41100328 2018-01-29] ()
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\Run: [Spotify Web Helper] => C:\Users\mirby\AppData\Roaming\Spotify\SpotifyWebHelper.exe [782736 2018-03-06] (Spotify Ltd)
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
BootExecute: autocheck autochk *

== Internet (All) ==

DELETED

== Services (All) ==

DELETED

== NetSvcs (Whitelisted) ==

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

== Files in the root of some directories ==

2018-02-07 01:11 - 2018-03-06 01:12 - 000000297 _____ () C:\Users\mirby\AppData\Roaming\WB.CFG
2018-02-15 10:59 - 2018-02-15 16:14 - 000425511 _____ () C:\Users\mirby\AppData\Local\ars.cache
2018-02-15 16:19 - 2018-02-15 16:19 - 002202368 _____ () C:\Users\mirby\AppData\Local\census.cache
2018-02-14 13:11 - 2018-02-14 13:11 - 000000036 _____ () C:\Users\mirby\AppData\Local\housecall.guid.cache
2017-04-06 12:04 - 2018-02-24 20:01 - 000007610 _____ () C:\Users\mirby\AppData\Local\Resmon.ResmonCfg
2018-02-14 14:17 - 2018-02-15 14:53 - 000000010 _____ () C:\Users\mirby\AppData\Local\sponge.last.runtime.cache
2017-04-24 10:31 - 2017-12-14 08:30 - 000000000 _____ () C:\Users\mirby\AppData\Local\Temptable.xml

== Files to move or delete: ==

C:\Windows\Tasks\{204209D5-5A18-2ADD-020A-18FC0FC3265A}.job


== Bamital & volsnap ====

DELETED

LastRegBack: 2018-02-27 12:37

== End of FRST.txt ===

mirby777

TS Rookie
Here's the Addition.txt file contents (associated with the following thread: Three trojans Kaspersky flagged but couldn't disinfect. (1 of 2)).

There were 3 ATTENTION warnings. Thanks so much for looking at this! - Michael

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 04.03.2018
Ran by mirby (07-03-2018 09:40:16)
Running from C:\Users\mirby\Desktop
Windows 10 Pro Version 1709 16299.248 (X64) (2017-11-24 15:36:10)
Boot Mode: Normal
==

== Accounts: ==

Administrator (S-1-5-21-1210401764-526646618-19501893-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1210401764-526646618-19501893-503 - Limited - Disabled)
Guest (S-1-5-21-1210401764-526646618-19501893-501 - Limited - Disabled)
mirby (S-1-5-21-1210401764-526646618-19501893-1001 - Administrator - Enabled) => C:\Users\mirby
WDAGUtilityAccount (S-1-5-21-1210401764-526646618-19501893-504 - Limited - Disabled)

== Security Center ==

(If an entry is included in the fixlist, it will be removed.)

AV: Kaspersky Internet Security (Enabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Kaspersky Internet Security (Enabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security (Enabled) {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}

== Installed Programs ==

DELETED - THERE WERE MANY HIDDEN APPS, BUT TOO MANY TO FIT THIS THREAD.


== Custom CLSID (Whitelisted): ========

DELETED

== Scheduled Tasks (Whitelisted) ====

DELETED EXCEPT:

Task: {23BBA173-B7CF-47FC-ADA6-D3D28EFCDA17} - System32\Tasks\Intel\Intel Telemetry 2 => C:\Program Files\Intel\Telemetry 2.0\lrio.exe [2016-03-17] (Intel Corporation)
Task: {2D21EA5B-4DEF-4246-8647-4FB7F46D3129} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION

Task: {5270B2DB-323C-4E9B-BE66-BD7B36EEB941} - \Search Provided by Bing nerod -> No File <==== ATTENTION

Task: C:\WINDOWS\Tasks\Search Provided by Bing nerod.job => C:\ProgramData\{83CC46AF-098E-CC69-8F48-522B150AD9E5}\tefe.txt <==== ATTENTION

Task: C:\WINDOWS\Tasks\{204209D5-5A18-2ADD-020A-18FC0FC3265A}.job => C:\Users\mirby\AppData\Local\Bohaf\hekitan.exe <---- I DELETED THIS BUT IT STILL SHOWS UP.

== Shortcuts & WMI ======

DELETED

== Loaded Modules (Whitelisted) =====

DELETED

== Alternate Data Streams (Whitelisted) ==

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`28hfm [0]
AlternateDataStreams: C:\ProgramData\Temp:D1B5B4F1 [153]

== Safe Mode (Whitelisted) ==

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


== Association (Whitelisted) ======

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


== Internet Explorer trusted/restricted ======

(If an entry is included in the fixlist, it will be removed from the registry.)


== Hosts content: ========

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-07-10 03:04 - 2018-02-23 18:10 - 000001078 _____ C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1 activation.acronis.com
127.0.0.1 na1r.services.adobe.com
127.0.0.1 hlrcv.stage.adobe.com
127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 lm.licenses.adobe.com
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com

== Other Areas ==

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1210401764-526646618-19501893-1001\Control Panel\Desktop\\Wallpaper -> f:\my pictures 26.8 gb\aa all background pics\aa webshots backgrounds\fauna\birds\scarlet macaw.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: Apple Mobile Device Service => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: ClickToRunSvc => 2
MSCONFIG\Services: esifsvc => 2
MSCONFIG\Services: HPWMISVC => 2
MSCONFIG\Services: PCToolsSSDMonitorSvc => 2
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Dropbox"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\StartupApproved\Run: => "Spotify Web Helper"
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\StartupApproved\Run: => "WeatherBug"
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\StartupApproved\Run: => "GUDelayStartup"
HKU\S-1-5-21-1210401764-526646618-19501893-1001\...\StartupApproved\Run: => "iCloudServices"

== FirewallRules (Whitelisted) ======

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{C952B161-3830-4691-B385-662D44F40860}] => (Allow) C:\Program Files\Microsoft MPI\Bin\smpd.exe
FirewallRules: [{86F82398-EDB5-49B7-A1A2-C7BE50058C6B}] => (Allow) C:\Program Files\Microsoft MPI\Bin\smpd.exe
FirewallRules: [{F94CF426-9CB8-45A9-93DB-208EC2E48C20}] => (Allow) C:\Program Files\Microsoft MPI\Bin\mpiexec.exe
FirewallRules: [{7C71AD9C-14CF-44ED-A937-4769B82EA210}] => (Allow) C:\Program Files\Microsoft MPI\Bin\mpiexec.exe
FirewallRules: [{5E3A947C-36E9-4C88-85B3-97E9DA2861E8}] => (Allow) C:\Program Files\Microsoft MPI\Bin\msmpilaunchsvc.exe
FirewallRules: [{F9406682-DF36-4EF1-9A39-F5694BB523FC}] => (Allow) C:\Program Files\Microsoft MPI\Bin\msmpilaunchsvc.exe
FirewallRules: [{8A693280-1D1B-4B97-98E8-211E0C93E470}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4AEA8A6B-86AE-4A64-8E71-5FB8B4A9F84D}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{BFEDAF4E-301E-4BB7-B8E1-4DF40CED5AEA}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{914317FA-822C-4A74-8CBA-DDCAAC7788A8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{F13A98C1-DFE5-4C67-B2B8-D25BE6F26EE2}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVD Cinema\PowerDVDCinema.exe
FirewallRules: [{3F0C28FB-65A3-4939-87B1-AC86064866B2}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVDMovie.exe
FirewallRules: [{18293C76-55EE-44BD-8477-307957E4806C}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe
FirewallRules: [{EA1A56ED-D5CF-426B-A206-51544B378B83}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe
FirewallRules: [{17AEB789-9C2F-4917-B910-2EE375E6E541}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD.exe
FirewallRules: [{4183B68F-88FB-45A9-AD7B-11E106A409B7}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{2318C1CD-187F-4782-A8A4-7697AB6DF082}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{061B606F-E149-4C4A-9AC3-D0169286F7A9}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{ADECDC60-45C1-4956-8EE7-FF7F045267C8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{3E3223C5-602B-4D7C-A7A2-D0116D136D16}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{959F43AE-A233-4DEF-883F-DA7B049E8111}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{30C2027E-2D46-4125-842E-BC91EC03771A}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7DCF8C8C-9B87-463D-8523-2365748032CA}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{EA204407-02CA-43D7-B166-081CE338C379}] => (Allow) C:\Users\mirby\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{FB2E9D1D-3573-42D7-BAFD-54DE8EFFC1A7}] => (Allow) C:\Users\mirby\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{0A8AF3EC-0417-49CC-B49C-008A512AE9AE}] => (Allow) C:\Users\mirby\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{157A153D-EBD1-4EA0-A6E1-ADD621393D36}] => (Allow) C:\Users\mirby\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{DFA07C93-84B6-4E25-B880-86F697CA4B4F}] => (Allow) C:\Users\mirby\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BAAB2948-DAEB-4742-ADB0-348A7AB40B34}] => (Allow) C:\Users\mirby\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{0E1EC2FB-C9D9-479F-AC21-79F5A9289E5F}] => (Allow) C:\Users\mirby\AppData\Local\Maelstrom\Application\chrome.native.torrent.exe
FirewallRules: [{5BCC1842-BC21-44EC-A541-C9F1D9813F60}] => (Allow) C:\Users\mirby\AppData\Local\Maelstrom\Application\chrome.native.torrent.exe
FirewallRules: [{25BCB1CC-DB41-4BA1-AC41-CD43117B0C12}] => (Block) %ProgramFiles% (x86)\Adobe\Acrobat 11.0\Acrobat\Acrobat.exe
FirewallRules: [{6915C3E6-D0D0-4DF9-85FF-1D34A9F6A933}] => (Block) %ProgramFiles% (x86)\Adobe\Acrobat 11.0\Acrobat\Acrobat.exe
FirewallRules: [{17882F6C-1093-4F53-8DA2-C59951A72309}] => (Allow) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS\swScheduler\DTSCoordinatorService.exe
FirewallRules: [{E8E35E93-4FE8-4692-8A6F-C1F37570EFB8}] => (Allow) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS\swScheduler\DTSCoordinatorService.exe
FirewallRules: [{9607B623-E52B-44EC-B14C-B1A0F8855012}] => (Allow) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS\swScheduler\DTSCoordinatorService.exe
FirewallRules: [{5524D114-6758-43DB-88DB-99166D803314}] => (Allow) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS\swScheduler\DTSCoordinatorService.exe
FirewallRules: [{8229978A-29EE-4EF1-9371-1B05EBDED293}] => (Allow) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS\swScheduler\DTSCoordinatorService.exe
FirewallRules: [{E55A7863-54D5-42A0-93EA-9DE4A250D1BB}] => (Allow) C:\Program Files\SOLIDWORKS Corp\SOLIDWORKS\swScheduler\DTSCoordinatorService.exe
FirewallRules: [{0B9E7C0E-807A-453F-9789-621549C7BCFE}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{D591D40F-B544-4BAF-ADAB-33E22ACB8028}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{C63D7D5C-8D98-4126-9C0A-D658C43C61B9}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{6731E294-8684-4866-9F9A-6F35E4AD4B02}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{4873EF05-375C-4050-900A-C44E4EFABCB8}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{C5042671-6DDA-4BB3-AE89-F411B78FC575}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{DE04FC33-49DF-408D-AB56-DD57DC87BB06}] => (Allow) C:\Program Files (x86)\SplashData\SplashID Safe\SplashID Safe.exe
FirewallRules: [{440F938D-FACA-483E-81B6-4C457B5A5B27}] => (Allow) C:\Program Files (x86)\SplashData\SplashID Safe\SplashID Safe.exe
FirewallRules: [UDP Query User{48378C5E-E738-47E3-A524-9247AAF43C9C}C:\program files\ansys inc\v160\aisol\bin\winx64\ansyswbu.exe] => (Block) C:\program files\ansys inc\v160\aisol\bin\winx64\ansyswbu.exe
FirewallRules: [TCP Query User{65D0B018-55D2-4EDA-BB6E-A57605BF78DB}C:\program files\ansys inc\v160\aisol\bin\winx64\ansyswbu.exe] => (Block) C:\program files\ansys inc\v160\aisol\bin\winx64\ansyswbu.exe
FirewallRules: [UDP Query User{11EF68D5-9301-446D-A138-1E6ECBCB7A6D}C:\program files\ansys inc\v160\framework\bin\win64\ansysfww.exe] => (Block) C:\program files\ansys inc\v160\framework\bin\win64\ansysfww.exe
FirewallRules: [TCP Query User{DA9FE107-0EB6-4DF6-B231-07FC048BE349}C:\program files\ansys inc\v160\framework\bin\win64\ansysfww.exe] => (Block) C:\program files\ansys inc\v160\framework\bin\win64\ansysfww.exe
FirewallRules: [UDP Query User{1AF5D000-E545-49D8-B251-70F81C95BA52}C:\program files\ansys inc\shared files\licensing\winx64\ansysli_client.exe] => (Block) C:\program files\ansys inc\shared files\licensing\winx64\ansysli_client.exe
FirewallRules: [TCP Query User{BADD06AD-1CBE-477E-8DE0-C1346BBCCCFA}C:\program files\ansys inc\shared files\licensing\winx64\ansysli_client.exe] => (Block) C:\program files\ansys inc\shared files\licensing\winx64\ansysli_client.exe
FirewallRules: [{289D10EA-4CD9-4DB6-B91F-53107C349172}] => (Allow) C:\Program Files (x86)\PC Tools\PC Tools Registry Mechanic\RegMech.exe
FirewallRules: [{F423431C-8523-4272-9F26-4FE6A027FFEA}] => (Allow) C:\Program Files (x86)\PC Tools\PC Tools Registry Mechanic\RegMech.exe
FirewallRules: [{24C25389-2EEA-483C-8246-3E3CAD0D7B14}] => (Allow) C:\Program Files (x86)\PC Tools\PC Tools Registry Mechanic\RegMech.exe
FirewallRules: [{1E2AFDDB-EB77-43B2-BB12-16A1457AA0D9}] => (Allow) C:\Program Files (x86)\PC Tools\PC Tools Registry Mechanic\RegMech.exe
FirewallRules: [{C1DF5516-844D-460F-8B5A-2859C3FA369E}] => (Allow) C:\Program Files (x86)\PC Tools\PC Tools Registry Mechanic\Update.exe
FirewallRules: [{1FD71E7B-91FD-4878-9B66-8BF81538A252}] => (Allow) C:\Program Files (x86)\PC Tools\PC Tools Registry Mechanic\Update.exe
FirewallRules: [{D68CF001-D979-4690-B4BC-F1D62D7AA5F8}] => (Allow) C:\Program Files (x86)\PC Tools\PC Tools Registry Mechanic\Update.exe
FirewallRules: [{B637B58C-0D67-4278-B06A-41B82EE6F2F3}] => (Allow) C:\Program Files (x86)\PC Tools\PC Tools Registry Mechanic\Update.exe
FirewallRules: [{76E3C35A-4038-40A7-AC21-A3D23C2ED144}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{0AD866C3-1042-4594-AD4A-28CFB6D38212}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiAppOld.exe
FirewallRules: [{9E67E98A-FFA0-4646-A272-1DD5EA4ADB9E}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\Next\WirelessDisplay.exe
FirewallRules: [{82AE7E5B-B464-4FEB-BE02-B7D0F433BFF3}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\SmartAgentTest.exe
FirewallRules: [{85B25F68-2EA9-4C19-BA4E-97BA7BC5FE59}] => (Allow) c:\Program Files\CyberLink\PowerDirector12\PDR10.EXE
FirewallRules: [TCP Query User{AEC75878-CCF6-42C0-A0F1-66ACC0CDD8DF}C:\users\mirby\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\mirby\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{6BDC6B0B-91CA-4162-8D10-B35960591B40}C:\users\mirby\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\mirby\appdata\roaming\spotify\spotify.exe
FirewallRules: [{BFB5265E-CB49-4582-BE9A-EBEE6FFABCE9}] => (Block) C:\users\mirby\appdata\roaming\spotify\spotify.exe
FirewallRules: [{4A5D83D3-A9CE-4401-A30D-C6766E79A610}] => (Block) C:\users\mirby\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{65B4B620-6116-4C1F-A5FB-12969723A7D6}C:\program files (x86)\glarysoft\software update pro\softwareupdatepro.exe] => (Block) C:\program files (x86)\glarysoft\software update pro\softwareupdatepro.exe
FirewallRules: [UDP Query User{A7EC1866-8CD9-488A-BC7E-DE207A9A58DC}C:\program files (x86)\glarysoft\software update pro\softwareupdatepro.exe] => (Block) C:\program files (x86)\glarysoft\software update pro\softwareupdatepro.exe
FirewallRules: [TCP Query User{7EE6B751-2A06-4B6D-9626-8272F1FCE243}C:\program files\ansys inc\v160\ekm\programs\jre1.7.0_60\bin\javaw.exe] => (Allow) C:\program files\ansys inc\v160\ekm\programs\jre1.7.0_60\bin\javaw.exe
FirewallRules: [UDP Query User{5DAC5AAC-1411-4A4B-B322-952DDB359C12}C:\program files\ansys inc\v160\ekm\programs\jre1.7.0_60\bin\javaw.exe] => (Allow) C:\program files\ansys inc\v160\ekm\programs\jre1.7.0_60\bin\javaw.exe
FirewallRules: [{8D75BFA1-F52E-4592-9745-5A823356BEDE}] => (Allow) C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe
FirewallRules: [{C4219F63-5CEA-4327-A230-843987F11353}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{4F3CFEF8-F59E-4870-9DB3-573DC4E2FE65}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [TCP Query User{8EF030C7-9331-4418-933E-505CBB865C29}C:\program files\dassault systemes\b20\win_b64\code\bin\cnext.exe] => (Block) C:\program files\dassault systemes\b20\win_b64\code\bin\cnext.exe
FirewallRules: [UDP Query User{2399547E-BD41-46CA-9E6E-EA360865CBC6}C:\program files\dassault systemes\b20\win_b64\code\bin\cnext.exe] => (Block) C:\program files\dassault systemes\b20\win_b64\code\bin\cnext.exe
FirewallRules: [TCP Query User{B0425DBA-04C4-4DD9-AD7D-9B6BE645F041}C:\program files\dassault systemes\b20\win_b64\code\bin\catutil.exe] => (Block) C:\program files\dassault systemes\b20\win_b64\code\bin\catutil.exe
FirewallRules: [UDP Query User{0BCBF7DA-DD80-4E38-8FE5-A0B7B59E02C7}C:\program files\dassault systemes\b20\win_b64\code\bin\catutil.exe] => (Block) C:\program files\dassault systemes\b20\win_b64\code\bin\catutil.exe
FirewallRules: [{3E2E6FE8-11D5-46DF-964A-583A07AB4911}] => (Allow) C:\Program Files (x86)\Nero\Nero 2017\Nero Burning ROM\StartNBR.exe
FirewallRules: [{9F909BF1-8BE0-4812-BAB8-D0CD214C4BF6}] => (Allow) C:\Program Files (x86)\Nero\Nero 2017\Nero MediaHome\NMDllHost.exe
FirewallRules: [{423CF448-F24C-4B24-9100-FF9459AC02A9}] => (Allow) C:\Program Files (x86)\Nero\Nero 2017\Nero MediaHome\MediaHome.exe
FirewallRules: [{824C7A3F-C22C-4B17-983E-54D4C6A69D07}] => (Allow) C:\Program Files (x86)\Nero\Nero 2017\Nero Burning ROM\nero.exe
FirewallRules: [TCP Query User{66474AA1-7097-4AB0-99F7-57AF90F5C118}C:\windows\temp\files\bin\kmss.exe] => (Allow) C:\windows\temp\files\bin\kmss.exe
FirewallRules: [UDP Query User{550053D9-CA1C-4E6C-AF99-77225F364A3F}C:\windows\temp\files\bin\kmss.exe] => (Allow) C:\windows\temp\files\bin\kmss.exe
FirewallRules: [{BC311291-D3D1-464E-BCC4-D4B9B3B8074B}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{6D376E7B-E38F-4994-95C9-38BE94ADA37D}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{71185657-2E8E-4650-9C42-BC1D31FCE1AD}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{6EAB6766-1083-49D0-B763-3FB035067DED}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{D21DF611-B2E5-45CC-B10C-BE08A75E3C68}] => (Allow) LPort=1688
FirewallRules: [{B289DCE1-25B4-4899-83B8-14CADA8E741D}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{A97A5DFD-067E-4A5D-A243-1AADFB951661}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{F593E7C9-B0CB-467F-950B-ED61956F1A6F}] => (Allow) C:\Program Files\Altair\2017\feko\bin\feko_mkl.csv.impi.exe
FirewallRules: [{E7652CB8-3393-4813-A209-D606BF8EC51F}] => (Allow) C:\Program Files\Altair\2017\feko\bin\feko_mkl.csv.mpich.exe
FirewallRules: [{AA70AC1F-89A8-410F-8034-CAA57F369175}] => (Allow) C:\Program Files\Altair\2017\feko\bin\feko_mkl.csv.msmpi.exe
FirewallRules: [{35461F9E-4200-44A2-9212-8B4B7C550278}] => (Allow) C:\Program Files\Altair\2017\acusolve\win64\fv\bin\fvsrv64\smpd.exe
FirewallRules: [{5AE02937-4977-4C98-9B8F-8FE347C7EA0F}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\bin\mpiexec.smpd.exe
FirewallRules: [{F2DF5AB8-9AFF-4BE9-8052-EA87A104FA44}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\bin\smpd.exe
FirewallRules: [{9FD5CA4D-51D9-414D-8037-1109042A45BA}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\em64t\bin\mpiexec.smpd.exe
FirewallRules: [{81F9F893-B197-46BC-B48D-F30ED81C67E3}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\em64t\bin\smpd.exe
FirewallRules: [{66A13CF1-D3BD-47C9-860D-22F90A1B2E04}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\mpich\bin\smpd.exe
FirewallRules: [{9957147B-8362-4FA1-86BF-B203E085D014}] => (Allow) C:\Program Files\Altair\2017\acusolve\win64\fv\bin\fvsrv64\mpiexec.exe
FirewallRules: [{162D653B-9E6A-4646-9B12-85222322AE4F}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\bin\mpiexec.exe
FirewallRules: [{BF5D17BF-B0EC-45AA-8924-4B3645E4F8C2}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\bin\mpiexec.hydra.exe
FirewallRules: [{E8BD2292-E86A-4D2B-ABE6-911CEE66ABD8}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\bin\mpiexec.smpd.exe
FirewallRules: [{09003C17-D256-4E29-AF7C-428CA0B0DD5C}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\bin\wmpiexec.exe
FirewallRules: [{F1470060-13F8-4D63-81E8-FC12DA516CB4}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\em64t\bin\mpiexec.exe
FirewallRules: [{3A2CCED3-C508-4CCE-9F3D-E3E87B83734E}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\em64t\bin\mpiexec.hydra.exe
FirewallRules: [{29E116CC-4D9D-49CF-91C7-10784AEB4301}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\em64t\bin\mpiexec.smpd.exe
FirewallRules: [{819C0575-E35E-4666-BD08-7FE69784494C}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\intel-mpi\em64t\bin\wmpiexec.exe
FirewallRules: [{5A4CBDF5-E8FA-4CB4-8C3B-2D9736C108BF}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\mpich\bin\mpiexec.exe
FirewallRules: [{8D77771C-680C-4337-AB85-BD5D4E871551}] => (Allow) C:\Program Files\Altair\2017\mpi\win64\mpich\bin\wmpiexec.exe
FirewallRules: [{7244C33A-6F1A-4970-86A9-EF7E844494F0}] => (Allow) C:\Users\mirby\AppData\Local\Temp\HouseCall\tmase\nmap\bonjour.exe
FirewallRules: [{B48A0AE1-6C1B-4A65-938B-633542F7E9C2}] => (Allow) C:\Users\mirby\AppData\Local\Temp\HouseCall\tmase\drs\DrScaner.exe
FirewallRules: [{89244BA6-4FA0-4A85-9181-5EFD32727225}] => (Allow) C:\Program Files (x86)\Trend Micro\DRScanner\DRScanner.exe
FirewallRules: [{8F60DFA8-D003-4A5A-8779-99ADD29920C0}] => (Allow) C:\Program Files (x86)\Trend Micro\DRScanner\sdk\nmap\nmap.exe
FirewallRules: [{85AB3B99-8347-4686-91C9-ED57A5690ED3}] => (Allow) %systemroot%\system32\alg.exe
FirewallRules: [{C2864E4F-096B-448F-BF39-7DDE3BB7891D}] => (Allow) C:\Program Files\PTC\Creo 4.1\View Express\i486_nt\obj\productview.exe
FirewallRules: [TCP Query User{E91C99BD-D16A-464F-8978-2D6FAF82A5F2}C:\program files\ptc\creo 4.0\m030\common files\x86e_win64\nms\nmsd.exe] => (Allow) C:\program files\ptc\creo 4.0\m030\common files\x86e_win64\nms\nmsd.exe
FirewallRules: [UDP Query User{3A679BC5-0D79-4691-AD7E-5EA6B62D5455}C:\program files\ptc\creo 4.0\m030\common files\x86e_win64\nms\nmsd.exe] => (Allow) C:\program files\ptc\creo 4.0\m030\common files\x86e_win64\nms\nmsd.exe
FirewallRules: [{07AF7426-92C3-42ED-A900-CA8F7812D25F}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe

== Restore Points =======

17-02-2018 16:20:56 Post Abaqus, Pre Patran 2017
20-02-2018 20:42:52 Windows Update
21-02-2018 14:49:09 Post Abaqus and Patran, pre CREO
22-02-2018 08:48:11 Restore Operation
23-02-2018 09:42:57 Windows Modules Installer
24-02-2018 18:42:32 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
25-02-2018 19:57:29 Removed ScottradeELITE v5

== Faulty Device Manager Devices ====

Could not list Devices. Check "winmgmt" service or repair WMI.

== Event log errors: =======

Application errors:

Error: (03/07/2018 09:36:09 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: NVDisplay.Container.exe, version: 1.2.0.0, time stamp: 0x5a38835c
Faulting module name: combase.dll, version: 10.0.16299.15, time stamp: 0x3db461b4
Exception code: 0xc0000005
Fault offset: 0x00000000000b67f8
Faulting process id: 0xb54
Faulting application start time: 0x01d3b62ebeba143d
Faulting application path: C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
Faulting module path: C:\WINDOWS\System32\combase.dll
Report Id: 6021376a-09a4-42d0-8f71-e7bb548eb8ec
Faulting package full name:
Faulting package-relative application ID:

Error: (03/07/2018 08:19:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ioloSSTray.exe, version: 17.5.0.116, time stamp: 0x5a2a4485
Faulting module name: KERNELBASE.dll, version: 10.0.16299.248, time stamp: 0x4414ec23
Exception code: 0xe0434352
Fault offset: 0x0000000000014008
Faulting process id: 0x1b34
Faulting application start time: 0x01d3b62edca50cdc
Faulting application path: C:\Program Files (x86)\Phoenix360\System Mechanic\ioloSSTray.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 3e9e1d59-42ad-458e-bc12-c8cae20810c8
Faulting package full name:
Faulting package-relative application ID:

Error: (03/07/2018 08:19:11 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: ioloSSTray.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
at iolo.Controller.EntitlementController.get_IsServiceExpired()
at iolo.SSTray.SSTrayApp..ctor()
at iolo.SSTray.Program.Main()

Error: (03/07/2018 07:57:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: NVDisplay.Container.exe, version: 1.2.0.0, time stamp: 0x5a38835c
Faulting module name: ntdll.dll, version: 10.0.16299.248, time stamp: 0xeffc9126
Exception code: 0xc0000005
Fault offset: 0x000000000004be7b
Faulting process id: 0x31e8
Faulting application start time: 0x01d3b4edeee6d012
Faulting application path: C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 62de8392-fd7f-4b61-b210-c1f27ea09c2b
Faulting package full name:
Faulting package-relative application ID:

Error: (03/06/2018 01:19:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: parametric.exe, version: 31.0.2012.380, time stamp: 0x59b7c90b
Faulting module name: parametric.exe, version: 31.0.2012.380, time stamp: 0x59b7c90b
Exception code: 0xc0000005
Fault offset: 0x00582c33
Faulting process id: 0x19f4
Faulting application start time: 0x01d3b590c379e31d
Faulting application path: C:\Program Files\PTC\Creo 4.0\M030\Parametric\bin\parametric.exe
Faulting module path: C:\Program Files\PTC\Creo 4.0\M030\Parametric\bin\parametric.exe
Report Id: 100b5d01-424d-4bd6-a0ea-2c3c4c9bf49e
Faulting package full name:
Faulting package-relative application ID:

Error: (03/06/2018 04:45:50 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: HP3)
Description: Package Microsoft.Windows.Photos_2018.18021.12420.0_x64__8wekyb3d8bbwe+App was terminated because it took too long to suspend.

Error: (03/06/2018 04:00:36 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: HP3)
Description: Package Microsoft.Windows.Photos_2018.18021.12420.0_x64__8wekyb3d8bbwe+App was terminated because it took too long to suspend.

Error: (03/06/2018 02:45:33 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: HP3)
Description: Package Microsoft.Windows.Photos_2018.18021.12420.0_x64__8wekyb3d8bbwe+App was terminated because it took too long to suspend.


System errors:
====
Error: (03/07/2018 08:27:30 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2018 08:22:31 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2018 08:14:22 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Intel® SGX AESM service hung on starting.

Error: (03/07/2018 08:10:56 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2018 08:10:56 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2018 08:10:56 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2018 08:10:56 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/07/2018 08:10:56 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Windows Defender:
========
Date: 2018-02-21 21:10:08.681
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\ProgramData\KMSAuto\bin\KMSSS.exe;process:_pid:3928,ProcessStart:131637492616007165;service:_KMSEmulator
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\ProgramData\KMSAuto\bin\KMSSS.exe
Signature Version: AV: 1.261.1490.0, AS: 1.261.1490.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14202.0

Date: 2018-02-21 18:58:46.982
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\ProgramData\KMSAuto\bin\KMSSS.exe;process:_pid:4328,ProcessStart:131637381082890692;service:_KMSEmulator
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe
Signature Version: AV: 1.261.1490.0, AS: 1.261.1490.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14202.0

Date: 2018-02-21 18:20:57.756
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\ProgramData\KMSAuto\bin\KMSSS.exe;process:_pid:4328,ProcessStart:131637381082890692;service:_KMSEmulator
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\ProgramData\KMSAuto\bin\KMSSS.exe
Signature Version: AV: 1.261.1490.0, AS: 1.261.1490.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14202.0

Date: 2018-02-21 18:17:07.164
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\ProgramData\KMSAuto\bin\KMSSS.exe;process:_pid:4328,ProcessStart:131637381082890692
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\ProgramData\KMSAuto\bin\KMSSS.exe
Signature Version: AV: 1.261.1490.0, AS: 1.261.1490.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14202.0

Date: 2018-02-21 18:06:13.280
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\ProgramData\KMSAuto\bin\KMSSS.exe;process:_pid:4328,ProcessStart:131637381082890692
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\ProgramData\KMSAuto\bin\KMSSS.exe
Signature Version: AV: 1.249.219.0, AS: 1.249.219.0, NIS: 117.2.0.0
Engine Version: AM: 1.1.14003.0, NIS: 2.1.13804.0

Date: 2017-12-21 08:45:01.811
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.249.219.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14003.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2017-12-21 08:45:01.810
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 117.2.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version:
Previous Engine Version: 2.1.13804.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2017-12-21 08:45:01.806
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.249.219.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14003.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2017-12-21 08:45:01.806
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.249.219.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14003.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2017-12-21 08:45:01.805
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.249.219.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14003.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

CodeIntegrity:
========

Date: 2018-03-07 09:35:09.472
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-03-07 09:35:09.471
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-03-07 09:31:35.769
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-03-07 09:31:35.767
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-03-07 09:31:03.222
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-03-07 09:31:03.221
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-03-07 09:20:09.251
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-03-07 09:20:09.250
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

== Memory info

Processor: Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
Percentage of memory in use: 35%
Total physical RAM: 16204.34 MB
Available physical RAM: 10514.83 MB
Total Virtual: 18636.34 MB
Available Virtual: 12679.64 MB

== Drives =====

Drive c: (Windows) (Fixed) (Total:349.19 GB) (Free:13.87 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:25.43 GB) (Free:2.25 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (Data) (Fixed) (Total:1487.15 GB) (Free:776.73 GB) NTFS

\\?\Volume{378fb206-46e4-4810-999b-69cab220a97e}\ (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.18 GB) FAT32
\\?\Volume{3a1f355f-5d47-4755-a42b-f1de9f8ed770}\ () (Fixed) (Total:0.86 GB) (Free:0.33 GB) NTFS

== MBR & Partition Table

==
Disk: 0 (Size: 1863 GB) (Disk ID: 0664B0C4)

Partition: GPT.

== End of Addition.txt =
 

Broni

Malware Annihilator
Welcome aboard

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

============================================

1. Please do NOT create multiple topics regarding the same computer. This time I merged both topics.

2. In order to help you I need to see the WHOLE logs. You can't delete some random sections.
 