Windows Update Issue


  • This topic is locked
25 replies to this topic

#1 Veo8888

Veo8888

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:43 AM

Posted 28 September 2016 - 12:34 PM

Dear Forums,
Hello, my name is V. I am having a major issue with my desktop computer. It is an old computer which runs Windows 7.

My main issue/problem is that I cannot download Windows Update files. As soon as I select Windows Update files to download and install, I get stuck at the download screen with 0% downloaded for minutes. At this time I also get a 25% surge in my CPU usage. Upon opening the Task Manager, I find the culprit to be an SVCHOST.EXE file. Sometimes there is also a TRUSTEDINSTALLER.EXE file that takes up the 25% surge in CPU usage. I have used "end process" on both of these files, and they go away. Unfortunately, as soon as I click on Windows Update again they return.

I have scanned my computer with AVG Free Anti-Virus, Ad-Aware free, and MS Malware Removal Tool.  All scans come up clean.

I have tried booting in safe mode with networking to scan for the problem but the scans come up clean as well.

I have a version of HiJackThis on my computer but I am a computer novice so the HiJackThis log info just goes over my head.  Should I use that Farbar tool?

If anyone on the forums could help me, or guide me in the right direction, I would be grateful.  Thanks.
-V.




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:43 AM

Posted 28 September 2016 - 12:39 PM

Hi Veo8888 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

There are known Windows Update issues under Windows 7 (and Windows Vista for that matter) right now. I doubt you are infected, but I can check to make sure before I send you on your way to the Windows 7 section for help with your Windows Update issue :) Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files will open;
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
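As an added example for this thread (not FRST's own code and not written by anyone posting here): a small Python triage script that splits an FRST.txt-style log into its sections and flags the entries a helper checks first, such as `[X]` targets that no longer exist on disk, `No File` browser helpers, unsigned extensions, missing publishers, and executables or drivers loading from user-writable folders. The rule set, vendor names and sample log lines are constructed by hand to mimic the format shown in the thread.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) text logs.

Added example for this thread (not FRST's code, not written by its participants):
splits an FRST.txt-style log into sections and flags entries a helper checks
first.  The rule set and the sample lines below are constructed by hand."""
import re
from dataclasses import dataclass

# "==================== Section name =================" lines delimit sections.
SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# A trailing "[X]" means FRST could not find the entry's target file on disk.
MISSING_RE = re.compile(r"\[X\]$")
# Empty parentheses where FRST prints the signer: no verified publisher.
NO_PUBLISHER_RE = re.compile(r"(^|\s)\(\)(\s|$)")
# Executables or drivers loading from paths a standard user can write to.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
# Sections where a missing signer or a user-writable path matters most.
EXEC_SECTIONS = {"Processes (Whitelisted)", "Registry (Whitelisted)",
                 "Services (Whitelisted)", "Drivers (Whitelisted)",
                 "Scheduled Tasks (Whitelisted)"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_sections(text):
    """Return {section name: [entry lines]}, dropping FRST's per-section notes."""
    sections = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).strip()
            sections.setdefault(current, [])
            continue
        # "(If an entry is included in the fixlist ...)" notes are not entries.
        if line.startswith(("(If ", "(There is no", "(Only ")):
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Run every rule over every entry; return one Finding per (entry, reason)."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            reasons = []
            missing = bool(MISSING_RE.search(line))
            if missing:
                reasons.append("target file missing on disk ([X])")
            if line.endswith("No File"):
                reasons.append("orphaned entry (No File)")
            if "[not signed]" in line:
                reasons.append("unsigned browser extension")
            if line.startswith("Hosts:"):
                reasons.append("hosts file entry")
            if section in EXEC_SECTIONS:
                if not missing and NO_PUBLISHER_RE.search(line):
                    reasons.append("no verified publisher")
                if USER_WRITABLE_RE.search(line):
                    reasons.append("loads from user-writable path")
            findings.extend(Finding(section, r, line) for r in reasons)
    return findings


# Constructed sample in FRST.txt layout (vendor names, GUIDs, sizes are made up).
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Example Vendor Ltd.) C:\Windows\System32\example_svc.exe
() C:\Program Files\ExampleTray\ExampleTray.exe

==================== Registry (Whitelisted) ====================
HKLM\...\Run: [] => [X]
HKLM\...\Run: [ExampleTray] => C:\Program Files\ExampleTray\ExampleTray.exe [9571552 2016-07-18] ()
HKU\S-1-5-21-0-0-0-1003\...\Run: [Updater] => C:\Users\user\AppData\Roaming\Example Campaign\Update.exe /PROMPT

==================== Internet (Whitelisted) ====================
Hosts: 0.0.0.1    blocked.example
BHO: Example Search -> {00000000-0000-0000-0000-000000000001} -> C:\Program Files (x86)\Example\bho.dll => No File
FF Extension: (Example Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{example} [2016-09-23] [not signed]

===================== Drivers (Whitelisted) ======================
R1 exdisk; C:\Windows\System32\DRIVERS\exdisk.sys [163072 2016-05-13] (Example Vendor Ltd.)
S3 cpuz131; \??\C:\Users\user\AppData\Local\Temp\cpuz131\cpuz_x64.sys [X]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

A flagged entry is a place to look, not a verdict: the orphaned `[X]` driver entries and the `()` entries in the log posted below are typical leftovers of uninstalled tools rather than evidence of infection.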


#3 Veo8888

Veo8888
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:43 AM

Posted 28 September 2016 - 12:56 PM

Thank you Aura for helping me.


Here is the FRST.txt log:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-09-2016
Ran by v2 (administrator) on V2POWER1 (28-09-2016 10:46:36)
Running from C:\download2
Loaded Profiles: v2 (Available Profiles: dave & v2)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvca.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\AdAwareTray.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.376\SSScheduler.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(NEC Electronics Corporation) C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagenta.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8116256 2009-09-22] (Realtek Semiconductor)
HKLM\...\Run: [AdAwareTray] => C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\AdAwareTray.exe [9571552 2016-07-18] ()
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [6718224 2016-08-26] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-02-03] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [106496 2009-09-25] (NEC Electronics Corporation)
HKLM-x32\...\Run: [nmctxth] => C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe [647216 2009-07-07] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [nmapp] => C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe [472112 2009-07-08] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [218896 2016-09-13] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [ATICustomerCare] => C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe [307200 2009-06-14] (Advanced Micro Devices, Inc.)
HKU\S-1-5-21-2690842011-3162687123-38773563-1003\...\Run: [ROC_ROC_APR2013_AV] => C:\Users\v2\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 6a19cdb121c3be289a33b4767b7ef11b-e722dd6604241098ca6e4bb9732da770c6042916 --CMPID ROC_APR2013_AV --CMPIDE (the data entry has 9 more characters).
HKU\S-1-5-21-2690842011-3162687123-38773563-1003\...\Run: [AVG-Secure-Search-Update_0913a] => C:\Users\v2\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 6a19cdb121c3be289a33b4767b7ef11b-e722dd6604241098ca6e4bb9732da770c6042916 --CMPID 0913a
HKU\S-1-5-21-2690842011-3162687123-38773563-1003\...\Run: [AVG-Secure-Search-Update_0214c] => C:\Users\v2\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=6a19cdb121c3be289a33b4767b7ef11b-e722dd6604241098ca6e4bb9732da770c6042916 /CMPID=0214c
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2016-08-16]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.376\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\v2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Check for TWS Updates.lnk [2010-03-16]
ShortcutTarget: Check for TWS Updates.lnk -> C:\Jts\WiseUpdt.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 0.0.0.1    mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{81FA1EED-D4DB-49F0-B490-AEA0452685D8}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-2690842011-3162687123-38773563-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/
SearchScopes: HKU\S-1-5-21-2690842011-3162687123-38773563-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2690842011-3162687123-38773563-1003 -> {13BAC38C-080F-4F5C-86C8-0411B2BAE6D8} URL = hxxp://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll => No File
BHO-x32: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files (x86)\AVG\AVG2012\avgssie.dll => No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-08-09] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-08-09] (Oracle Corporation)
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\amd64\puresp4.dll [2009-07-14] (Cisco Systems, Inc.)
Handler-x32: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\puresp4.dll [2009-07-14] (Cisco Systems, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\v2\AppData\Roaming\Mozilla\Firefox\Profiles\5lvmkid3.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_306.dll [2016-02-10] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_306.dll [2016-02-10] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-08-09] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-08-09] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Extension: (Flashblock) - C:\Users\v2\AppData\Roaming\Mozilla\Firefox\Profiles\5lvmkid3.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2016-01-21]
FF Extension: (FlashGot) - C:\Users\v2\AppData\Roaming\Mozilla\Firefox\Profiles\5lvmkid3.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2016-03-24]
FF Extension: (BetterPrivacy) - C:\Users\v2\AppData\Roaming\Mozilla\Firefox\Profiles\5lvmkid3.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2016-05-09]
FF Extension: (NoScript) - C:\Users\v2\AppData\Roaming\Mozilla\Firefox\Profiles\5lvmkid3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-08-09]
FF Extension: (Session Manager) - C:\Users\v2\AppData\Roaming\Mozilla\Firefox\Profiles\5lvmkid3.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2016-03-21]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2016-09-23] [not signed]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2016-09-23] [not signed]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2016-09-23] [not signed]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [674552 2016-08-26] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagenta.exe [5285344 2016-08-26] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1149712 2016-09-13] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvca.exe [760024 2016-08-26] (AVG Technologies CZ, s.r.o.)
S2 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\AdAwareService.exe [732056 2016-07-18] ()
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.376\McCHSvc.exe [327944 2016-07-18] (McAfee, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [163072 2016-05-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [310016 2016-08-23] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [272640 2016-07-27] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [260352 2016-06-01] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [360736 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [262400 2016-08-02] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [52992 2016-06-01] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [299264 2016-07-27] (AVG Technologies CZ, s.r.o.)
R0 Avguniva; C:\Windows\System32\DRIVERS\avguniva.sys [77056 2016-06-20] (AVG Technologies CZ, s.r.o.)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 speedfan; C:\Windows\SysWow64\speedfan.sys [14104 2007-02-07] (Windows ® Server 2003 DDK provider)
S3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [485512 2016-04-28] (BitDefender S.R.L.)
S3 ALSysIO; \??\C:\Users\dave\AppData\Local\Temp\ALSysIO64.sys [X]
S3 cpuz131; \??\C:\Users\dave\AppData\Local\Temp\cpuz131\cpuz_x64.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-28 10:45 - 2016-09-28 10:46 - 00000000 ____D C:\FRST
2016-09-26 09:52 - 2016-09-27 10:25 - 00000392 ____H C:\Windows\Tasks\AVG EUpdate Task.job
2016-09-23 17:08 - 2016-09-23 18:41 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-09-22 09:29 - 2016-09-22 09:45 - 00000000 ____D C:\Windows\pss
2016-09-21 15:42 - 2015-10-13 09:41 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2016-09-21 15:42 - 2015-10-13 09:40 - 00118272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2016-09-21 15:35 - 2015-10-12 21:57 - 00950720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndis.sys
2016-09-21 10:26 - 2016-09-23 16:12 - 00003600 _____ C:\Windows\System32\Tasks\AVG EUpdate Task

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-28 10:46 - 2010-03-04 16:45 - 00000000 ____D C:\download2
2016-09-28 09:56 - 2009-07-13 22:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-28 09:56 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-09-28 09:51 - 2009-07-13 21:45 - 00015024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-09-28 09:51 - 2009-07-13 21:45 - 00015024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-09-28 07:54 - 2010-10-17 16:49 - 00000000 ____D C:\ProgramData\MFAData
2016-09-24 09:52 - 2009-07-13 22:08 - 00032634 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-09-24 09:43 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-23 18:41 - 2012-04-29 11:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-09-23 18:00 - 2010-03-04 19:22 - 144199024 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-09-22 10:18 - 2016-02-23 15:01 - 00002328 _____ C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2016-09-16 09:32 - 2015-12-15 10:49 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-09-14 09:41 - 2015-11-10 10:49 - 00000936 _____ C:\Users\Public\Desktop\AVG Protection.lnk
2016-09-14 09:41 - 2014-03-31 10:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG

==================== Files in the root of some directories =======

2010-03-04 15:01 - 2016-06-17 10:20 - 0007616 _____ () C:\Users\v2\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
C:\Users\v2\AppData\Local\Temp\avg-6dd85a68-7726-4753-b178-1f320f8c2450.exe
C:\Users\v2\AppData\Local\Temp\avguirn_081039971338.exe
C:\Users\v2\AppData\Local\Temp\avguirn_081319523978.exe
C:\Users\v2\AppData\Local\Temp\avguirn_081725977860.exe
C:\Users\v2\AppData\Local\Temp\avguirn_08206849020.exe
C:\Users\v2\AppData\Local\Temp\avguirn_082083333355.exe
C:\Users\v2\AppData\Local\Temp\avguirn_08312261119.exe
C:\Users\v2\AppData\Local\Temp\avguirn_08583178686.exe
C:\Users\v2\AppData\Local\Temp\avguirn_086031498.exe
C:\Users\v2\AppData\Local\Temp\avguirn_08782442859.exe
C:\Users\v2\AppData\Local\Temp\avguirn_08837234681.exe
C:\Users\v2\AppData\Local\Temp\avguirn_08906313575.exe
C:\Users\v2\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
C:\Users\v2\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\v2\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\v2\AppData\Local\Temp\jre-8u101-windows-au.exe
C:\Users\v2\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\v2\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\v2\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\v2\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\v2\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\v2\AppData\Local\Temp\jre-8u91-windows-au.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-08-30 10:54

==================== End of FRST.txt ============================


Here is the Addition.txt log:


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-09-2016
Ran by v2 (28-09-2016 10:47:05)
Running from C:\download2
Windows 7 Home Premium Service Pack 1 (X64) (2010-02-23 16:39:58)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2690842011-3162687123-38773563-500 - Administrator - Disabled)
dave (S-1-5-21-2690842011-3162687123-38773563-1001 - Administrator - Enabled) => C:\Users\dave
Guest (S-1-5-21-2690842011-3162687123-38773563-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2690842011-3162687123-38773563-1002 - Limited - Enabled)
v2 (S-1-5-21-2690842011-3162687123-38773563-1003 - Administrator - Enabled) => C:\Users\v2

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Ad-Aware Antivirus (HKLM\...\{36036827-FA38-4A74-8333-26BC4EEC9308}_AdAwareUpdater) (Version: 11.12.945.9202 - Lavasoft)
AdAwareInstaller (Version: 11.12.945.9202 - Lavasoft) Hidden
AdAwareUpdater (Version: 11.12.945.9202 - Lavasoft) Hidden
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.017.20053 - Adobe Systems Incorporated)
Adobe Flash Player 10 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 10.0.45.2 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
AntimalwareEngine (Version: 3.0.129.0 - Lavasoft) Hidden
ATI Catalyst Install Manager (HKLM\...\{5F94D3B9-2B02-9C37-740B-A59C7B8D17CC}) (Version: 3.0.762.0 - ATI Technologies, Inc.)
ATI Catalyst Registration (x32 Version: 2.01.0000 - ATI Technologies Inc.) Hidden
AVG (Version: 16.111.7797 - AVG Technologies) Hidden
AVG 2016 (Version: 16.0.4656 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.111.7797 - AVG Technologies)
ccc-core-static (x32 Version: 2010.0202.2335.42270 - ATI) Hidden
CCleaner (HKLM-x32\...\CCleaner) (Version: 2.35 - Piriform)
Cisco Network Magic (x32 Version: 5.5.09195.0 - Pure Networks) Hidden
CPUID CPU-Z 1.53.1 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
FeedDemon (HKLM-x32\...\FeedDemon_is1) (Version: 4.1.0.0 - NewsGator Technologies, Inc.)
FMW 1 (Version: 1.132.1 - AVG Technologies) Hidden
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.376.2 - McAfee, Inc.)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 49.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 49.0.1 (x86 en-US)) (Version: 49.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 49.0.1.6109 - Mozilla)
Mozilla Thunderbird (3.0.3) (HKLM-x32\...\Mozilla Thunderbird (3.0.3)) (Version: 3.0.3 (en-US) - Mozilla)
NEC Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}) (Version: 1.0.14.0 - NEC Electronics Corporation)
NEC Electronics USB 3.0 Host Controller Driver (x32 Version: 1.0.14.0 - NEC Electronics Corporation) Hidden
Network Magic (HKLM-x32\...\Network MagicUninstall) (Version: 5.5.9195.0 - Cisco Systems, Inc.)
OpenOffice 4.1.1 (HKLM-x32\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
PokerStars.net (HKLM-x32\...\PokerStars.net) (Version:  - PokerStars.net)
Pure Networks Platform (x32 Version: 11.2.09195.1 - Pure Networks) Hidden
Realtek Ethernet Controller Driver For Windows Vista and Later (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0009 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5943 - Realtek Semiconductor Corp.)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version:  - )
The Lord of the Rings FREE Trial  (x32 Version: 1.00.0000 - ATI Technologies Inc.) Hidden
Trader Workstation (HKU\S-1-5-21-2690842011-3162687123-38773563-1003\...\Trader Workstation) (Version:  - Interactive Brokers)
Trader Workstation 4.0 (HKLM-x32\...\Trader Workstation 4.0) (Version:  - )
Visual C++ 8.0 Runtime Setup Package (x64) (HKLM-x32\...\{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}) (Version: 9.0.0.623 - AVG Technologies CZ, s.r.o.)
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {4D6FD7E5-5C03-4D0D-B651-07AB1956EABB} - System32\Tasks\{540F3C29-24F3-4E05-88C2-0FB76C5FF3EF} => C:\Users\Public\Games\StarCraft II\Versions\BASE18092.TEMP\SC2.EXE
Task: {62913DBB-944E-4258-A95E-AFA27211BE70} - System32\Tasks\{C220D938-0C4D-41D1-9AAD-71F5F19E94D5} => C:\Users\Public\Games\StarCraft II\StarCraft II.exe
Task: {791E90D9-D1E6-4EF5-8E4A-5C79182463BE} - System32\Tasks\{673CF4BB-0FF1-41A5-9F77-B6A24BA52CA6} => C:\Users\Public\Games\StarCraft II\StarCraft II.exe
Task: {A6DF29A8-E00D-4F70-8AD0-88A8C6CD1A32} - System32\Tasks\{D29FEA85-E05E-4CF5-A604-838BE6A6DECB} => C:\Users\Public\Games\StarCraft II\StarCraft II.exe
Task: {AB75947D-5478-4E51-AEFB-810E5A596015} - System32\Tasks\{345424A0-A7C2-4D7E-A065-E6EC2D734A58} => C:\Users\Public\Games\StarCraft II\StarCraft II.exe
Task: {BB54E958-AF21-428B-8C4A-02E019564943} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: {BC1DD458-E5B0-4F34-A481-43D2979D8170} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-09-08] (Adobe Systems Incorporated)
Task: {D5269FE8-0B2D-4159-BEBA-E08317C99F2D} - System32\Tasks\{5A638F53-C92B-4ACC-8B30-56A2F7039615} => C:\Users\Public\Games\StarCraft II\Versions\BASE18092.TEMP\SC2.EXE
Task: {E7B2D00C-45B7-441C-B77F-5DC4C437F642} - System32\Tasks\{99EC28E5-19B9-4CC8-BB95-93AD0C72C69C} => C:\Users\Public\Games\StarCraft II\Versions\BASE18092.TEMP\SC2.EXE
Task: {FBC9466F-422D-4EFA-BFC4-D2D0779EA38B} - System32\Tasks\{8DACAF59-793C-46FF-906F-2E08895048B5} => C:\Users\Public\Games\StarCraft II\Versions\BASE18092.TEMP\SC2.EXE
Task: {FE58756F-BE31-4162-A366-E1B84DF88B24} - System32\Tasks\{AB589FDE-36D0-40D8-B3E2-2A72D454E5C5} => pcalua.exe -a D:\Monsetup.exe -d D:\
Task: {FE94A73A-1291-4059-A2A0-5CC42A571D81} - System32\Tasks\{67C4638A-C3A2-4758-9B83-9B9F719D409B} => pcalua.exe -a C:\download2\HijackThis.exe -d C:\download2
Task: {FEB9FF52-26BE-4574-92A5-12E6925AA595} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\AVG EUpdate Task.job => C:\Program Files (x86)\AVG\Setup\avgsetupx.exe
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-07-18 20:26 - 2016-07-18 20:26 - 09571552 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\AdAwareTray.exe
2016-07-18 20:26 - 2016-07-18 20:26 - 03420880 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\RCF.dll
2016-07-18 20:26 - 2016-07-18 20:26 - 00146184 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\boost_filesystem-vc140-mt-1_61.dll
2016-07-18 20:27 - 2016-07-18 20:27 - 00030464 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\boost_system-vc140-mt-1_61.dll
2016-07-18 20:26 - 2016-07-18 20:26 - 00068872 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\boost_date_time-vc140-mt-1_61.dll
2016-07-18 20:27 - 2016-07-18 20:27 - 00124672 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\boost_thread-vc140-mt-1_61.dll
2016-07-18 20:26 - 2016-07-18 20:26 - 00040192 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\boost_chrono-vc140-mt-1_61.dll
2016-07-18 20:26 - 2016-07-18 20:26 - 00539392 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\boost_locale-vc140-mt-1_61.dll
2016-07-18 20:26 - 2016-07-18 20:26 - 02485992 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\HtmlFramework.dll
2016-07-18 20:26 - 2016-07-18 20:26 - 00871672 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.12.945.9202\AdAwareTrayDefaultSkin.dll
2009-11-24 14:36 - 2009-11-24 14:36 - 00016384 ____R () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll
2010-02-23 09:55 - 2010-02-23 09:55 - 00270336 _____ () C:\Windows\assembly\GAC_MSIL\CLI.Aspect.CrossDisplay.Graphics.Dashboard\1.0.0.0__90ba9c70f846762e\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2009-07-13 17:37 - 2009-07-13 17:37 - 00152112 _____ () C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\CAntiVirusCOM.dll
2009-07-13 17:37 - 2009-07-13 17:37 - 00098304 _____ () C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\CFireWallCOM.dll
2015-11-10 10:40 - 2016-04-07 10:58 - 40500224 _____ () C:\Program Files (x86)\AVG\UiDll\2171\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LavasoftAdAwareService11 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LavasoftAdAwareService11 => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2016-08-16 11:12 - 00000869 ____A C:\Windows\system32\Drivers\etc\hosts


0.0.0.1    mssplus.mcafee.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2690842011-3162687123-38773563-1003\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{ECCE2957-AF65-4754-A8D0-41FD30B5C877}C:\users\public\games\world of warcraft\launcher.exe] => (Allow) C:\users\public\games\world of warcraft\launcher.exe
FirewallRules: [UDP Query User{F6E91519-6BC7-46BD-A801-97BDB39E5520}C:\users\public\games\world of warcraft\launcher.exe] => (Allow) C:\users\public\games\world of warcraft\launcher.exe
FirewallRules: [{31F4683A-2673-4637-98D5-42855A711741}] => (Allow) C:\Users\Public\Games\World of Warcraft\WoW-3.2.0-enUS-downloader.exe
FirewallRules: [{EDB1DC70-00B6-41D4-843B-541B2C84F31E}] => (Allow) C:\Users\Public\Games\World of Warcraft\WoW-3.2.0-enUS-downloader.exe
FirewallRules: [TCP Query User{B7BB76A3-8899-49C8-BBA9-2134835F4254}C:\users\public\games\world of warcraft\wow-3.2.0.10192-to-3.3.0.10958-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.2.0.10192-to-3.3.0.10958-enus-downloader.exe
FirewallRules: [UDP Query User{6482AB63-AEDE-4537-9CE2-8486CD3D9E84}C:\users\public\games\world of warcraft\wow-3.2.0.10192-to-3.3.0.10958-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.2.0.10192-to-3.3.0.10958-enus-downloader.exe
FirewallRules: [TCP Query User{941196E1-1DDC-45AB-8B9E-BAF223931042}C:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-enus-downloader.exe
FirewallRules: [UDP Query User{3FC9504B-D3F8-4560-818C-43140EDC2608}C:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-enus-downloader.exe
FirewallRules: [TCP Query User{A543169F-FD3E-456C-80F7-C7361C612330}C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-enus-downloader.exe
FirewallRules: [UDP Query User{841966C4-E687-4F04-9363-25D8715C1E85}C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-enus-downloader.exe
FirewallRules: [TCP Query User{937D183D-90BC-42DB-A677-5DA1A697C627}C:\users\public\games\world of warcraft\backgrounddownloader.exe] => (Allow) C:\users\public\games\world of warcraft\backgrounddownloader.exe
FirewallRules: [UDP Query User{85A70E6F-E1E7-471D-A56B-3718A16D10AC}C:\users\public\games\world of warcraft\backgrounddownloader.exe] => (Allow) C:\users\public\games\world of warcraft\backgrounddownloader.exe
FirewallRules: [TCP Query User{BE7B18AF-BD7C-4981-8FAE-FCCDE8019498}C:\program files (x86)\java\jre6\bin\java.exe] => (Allow) C:\program files (x86)\java\jre6\bin\java.exe
FirewallRules: [UDP Query User{4E58A691-6FBA-4117-B9A4-9A5BB6A916F5}C:\program files (x86)\java\jre6\bin\java.exe] => (Allow) C:\program files (x86)\java\jre6\bin\java.exe
FirewallRules: [{918102F0-3D21-47C8-81B7-56756A2499A6}] => (Allow) C:\Users\Public\Games\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe
FirewallRules: [{D54D0AD6-C043-47AE-84AC-DB6E7F37C756}] => (Allow) C:\Users\Public\Games\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe
FirewallRules: [TCP Query User{1F53C574-4B55-4746-A17D-3512F4A3AC3B}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe
FirewallRules: [UDP Query User{A4A1C2CA-65CA-4E6F-8534-A73741EDA693}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe
FirewallRules: [TCP Query User{B5FB3E5E-ABC7-454D-A204-FD79ABF63766}C:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe
FirewallRules: [UDP Query User{88717AEE-7044-4D9E-BC28-89222BAF9813}C:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe
FirewallRules: [{A0575280-B7DB-49D0-97D2-C68D9A2D58D4}] => (Allow) %SystemDrive%\Users\Public\Games\World of Warcraft\Wow.exe
FirewallRules: [TCP Query User{DD875C67-938E-4495-AF41-3796B059F010}C:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-enus-downloader.exe
FirewallRules: [UDP Query User{F454509D-BEC8-4DBA-AEE2-3D069270D8E6}C:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-enus-downloader.exe
FirewallRules: [TCP Query User{0C7DF945-C289-4169-BD96-7F7CDE4F7893}C:\users\public\games\world of warcraft\wow-3.3.5.12213-to-3.3.5.12340-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.5.12213-to-3.3.5.12340-enus-downloader.exe
FirewallRules: [UDP Query User{85550FCC-411C-4CB7-8658-78861854CC45}C:\users\public\games\world of warcraft\wow-3.3.5.12213-to-3.3.5.12340-enus-downloader.exe] => (Allow) C:\users\public\games\world of warcraft\wow-3.3.5.12213-to-3.3.5.12340-enus-downloader.exe
FirewallRules: [TCP Query User{9AAE3EE2-28BF-4929-A68A-0AC0EB11782B}C:\download2\starcraft_2_beta_enus.exe] => (Allow) C:\download2\starcraft_2_beta_enus.exe
FirewallRules: [UDP Query User{EBB498D3-438E-4402-81B5-9ECC7426FC96}C:\download2\starcraft_2_beta_enus.exe] => (Allow) C:\download2\starcraft_2_beta_enus.exe
FirewallRules: [{6EC55C42-0DAD-44D7-B635-3D65E3469BB4}] => (Allow) C:\Users\Public\Games\StarCraft II Beta\StarCraft II.exe
FirewallRules: [{F2FAFE04-C9BD-40F8-BDA5-67EF17F0973F}] => (Allow) C:\Users\Public\Games\StarCraft II Beta\StarCraft II.exe
FirewallRules: [TCP Query User{26108E07-B6B1-487E-8C6C-55327E6665FA}C:\users\public\games\starcraft ii beta\support\blizzarddownloader.exe] => (Allow) C:\users\public\games\starcraft ii beta\support\blizzarddownloader.exe
FirewallRules: [UDP Query User{DB55F914-58FC-4344-BDCE-E88D6F0F36E9}C:\users\public\games\starcraft ii beta\support\blizzarddownloader.exe] => (Allow) C:\users\public\games\starcraft ii beta\support\blizzarddownloader.exe
FirewallRules: [TCP Query User{CF705EAC-37B9-46A7-A125-498842C738EF}C:\users\public\games\starcraft ii beta\versions\base16094\sc2.exe] => (Allow) C:\users\public\games\starcraft ii beta\versions\base16094\sc2.exe
FirewallRules: [UDP Query User{5EF4B5CE-E6C5-41F3-AF00-6D25D3CFE96A}C:\users\public\games\starcraft ii beta\versions\base16094\sc2.exe] => (Allow) C:\users\public\games\starcraft ii beta\versions\base16094\sc2.exe
FirewallRules: [{F1B4C925-DED9-4CFB-8F1B-CF4842F3FC71}] => (Allow) C:\Users\Public\Games\StarCraft II\StarCraft II.exe
FirewallRules: [{D8E6335A-722B-41A3-B682-7C9057817DEF}] => (Allow) C:\Users\Public\Games\StarCraft II\StarCraft II.exe
FirewallRules: [TCP Query User{05BD5985-5CDD-412A-9D58-5F19898BF9CB}C:\users\public\games\starcraft ii\versions\base15405\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base15405\sc2.exe
FirewallRules: [UDP Query User{B72DA7B0-FD07-401C-9B09-1895C8FA7FE9}C:\users\public\games\starcraft ii\versions\base15405\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base15405\sc2.exe
FirewallRules: [TCP Query User{2CE47264-21D9-44E1-B06F-6ED8B6F1C882}C:\users\public\games\starcraft ii\support\blizzarddownloader.exe] => (Allow) C:\users\public\games\starcraft ii\support\blizzarddownloader.exe
FirewallRules: [UDP Query User{02EBC024-497D-411A-AA0E-132472F37B05}C:\users\public\games\starcraft ii\support\blizzarddownloader.exe] => (Allow) C:\users\public\games\starcraft ii\support\blizzarddownloader.exe
FirewallRules: [TCP Query User{D80CE71D-3F76-4D7F-A834-83AAC8FA8C26}C:\download2\wow_cataclysm_beta_enus.exe] => (Allow) C:\download2\wow_cataclysm_beta_enus.exe
FirewallRules: [UDP Query User{B7B1DFB1-1103-4B31-9E1C-2C12C6E419C8}C:\download2\wow_cataclysm_beta_enus.exe] => (Allow) C:\download2\wow_cataclysm_beta_enus.exe
FirewallRules: [TCP Query User{36FEA05A-425D-4A99-8CB5-81B266A249AE}C:\users\public\games\starcraft ii\versions\base16605\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base16605\sc2.exe
FirewallRules: [UDP Query User{3DBE5195-4D9D-450D-B379-46725D5150AF}C:\users\public\games\starcraft ii\versions\base16605\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base16605\sc2.exe
FirewallRules: [TCP Query User{D43CAB7D-8425-49F8-B1B0-4B5842CE73BC}C:\users\public\games\starcraft ii\versions\base16755\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base16755\sc2.exe
FirewallRules: [UDP Query User{771D9B28-E60F-4F6C-9089-1831F06A9E80}C:\users\public\games\starcraft ii\versions\base16755\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base16755\sc2.exe
FirewallRules: [TCP Query User{18E29659-343A-4808-9FD9-33D709ACBE7C}C:\users\public\games\starcraft ii\versions\base16939\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base16939\sc2.exe
FirewallRules: [UDP Query User{909D605A-B4D6-492F-85C1-C3334760564E}C:\users\public\games\starcraft ii\versions\base16939\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base16939\sc2.exe
FirewallRules: [{5954A6C9-A413-4F14-8251-D0FB681F4D3B}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{44091190-92F6-4408-A771-72B28B38117A}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{C9C32A85-B54E-44F2-A209-FA699FE74D50}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{7687C2F5-10DC-4BE2-B951-4A906E3DB82D}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [TCP Query User{34F7E429-17AE-4F03-9D3F-84DC0555EEAF}C:\users\public\games\starcraft ii\starcraft ii public test.exe] => (Block) C:\users\public\games\starcraft ii\starcraft ii public test.exe
FirewallRules: [UDP Query User{D6FF1023-FB14-4543-91CA-2CEF3378FFDA}C:\users\public\games\starcraft ii\starcraft ii public test.exe] => (Block) C:\users\public\games\starcraft ii\starcraft ii public test.exe
FirewallRules: [TCP Query User{BC5642EB-263D-4739-8E80-B080BDEC0D23}C:\users\public\games\starcraft ii\versions\base17326\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base17326\sc2.exe
FirewallRules: [UDP Query User{4A6BCA95-8285-42AC-8563-E269DD89ACDF}C:\users\public\games\starcraft ii\versions\base17326\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base17326\sc2.exe
FirewallRules: [TCP Query User{ACC37107-C728-4AE3-9215-03F0C35EE40A}C:\users\public\games\starcraft ii\versions\base18092\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base18092\sc2.exe
FirewallRules: [UDP Query User{BB927BA4-35DD-42BF-82C9-58ED01B91126}C:\users\public\games\starcraft ii\versions\base18092\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base18092\sc2.exe
FirewallRules: [{1972C91D-8CF5-4908-BADE-E151448DB13D}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [{20F405F9-2650-4119-B344-7FC2D2FEDF97}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [TCP Query User{D0051A23-F493-4622-AAC2-438A254E3EF0}C:\users\public\games\starcraft ii\versions\base18574\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base18574\sc2.exe
FirewallRules: [UDP Query User{A29184F5-8429-4E35-A189-02BBFB90A80F}C:\users\public\games\starcraft ii\versions\base18574\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base18574\sc2.exe
FirewallRules: [{609FAEAC-305C-4751-90AA-4EFCC3C1C207}] => (Allow) C:\Users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-x.x.x.x-4.0.0.12911-Downloader.exe
FirewallRules: [{A0385CA5-F6D8-4FAD-BBAB-23C6DE5714EA}] => (Allow) C:\Users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-x.x.x.x-4.0.0.12911-Downloader.exe
FirewallRules: [{B4BAB0C0-6CE2-4CE6-A56B-CA4F7FB915A6}] => (Allow) E:\World of Warcraft\Launcher.exe
FirewallRules: [{0A2A911D-45F7-4A72-89B3-858881F6E22A}] => (Allow) E:\World of Warcraft\Launcher.exe
FirewallRules: [{26D7A42D-1478-4496-8262-657ADF88C32F}] => (Allow) E:\World of Warcraft\Launcher.patch.exe
FirewallRules: [{7C04E77A-1E51-4A83-8B26-0E2176EC6793}] => (Allow) E:\World of Warcraft\Launcher.patch.exe
FirewallRules: [TCP Query User{BBBC6830-7675-43F5-8C53-CAC914A3C42E}E:\world of warcraft\backgrounddownloader.exe] => (Allow) E:\world of warcraft\backgrounddownloader.exe
FirewallRules: [UDP Query User{7B9E149F-C493-4990-94BD-5776E4E1AE07}E:\world of warcraft\backgrounddownloader.exe] => (Allow) E:\world of warcraft\backgrounddownloader.exe
FirewallRules: [TCP Query User{58FC6689-3B7B-43BA-9842-502A0D7472DD}C:\users\public\games\starcraft ii\versions\base19132\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base19132\sc2.exe
FirewallRules: [UDP Query User{A79543ED-B60B-4416-AE42-ACDEAC4B6EEA}C:\users\public\games\starcraft ii\versions\base19132\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base19132\sc2.exe
FirewallRules: [TCP Query User{B43D316B-09B6-44B1-8104-0A1F162B7C4D}E:\world of warcraft\temp\wow-4.2.0.2506-enus-tools-downloader.exe] => (Allow) E:\world of warcraft\temp\wow-4.2.0.2506-enus-tools-downloader.exe
FirewallRules: [UDP Query User{BDD31233-F095-4CA1-983A-0D530DF5D026}E:\world of warcraft\temp\wow-4.2.0.2506-enus-tools-downloader.exe] => (Allow) E:\world of warcraft\temp\wow-4.2.0.2506-enus-tools-downloader.exe
FirewallRules: [TCP Query User{65CC0D15-739E-4939-AE95-65288D5CF51B}E:\world of warcraft\temp\wow-4.2.0.2552-enus-tools-downloader.exe] => (Allow) E:\world of warcraft\temp\wow-4.2.0.2552-enus-tools-downloader.exe
FirewallRules: [UDP Query User{77B330CC-63DC-45DB-8CCC-AF41D8F0DAD6}E:\world of warcraft\temp\wow-4.2.0.2552-enus-tools-downloader.exe] => (Allow) E:\world of warcraft\temp\wow-4.2.0.2552-enus-tools-downloader.exe
FirewallRules: [TCP Query User{3766C676-2DAF-4C6F-9265-3F08DFE7700D}C:\users\public\games\starcraft ii\versions\base19679\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base19679\sc2.exe
FirewallRules: [UDP Query User{A4BCA9FB-7A84-4AAA-8E82-80CB1A1B930C}C:\users\public\games\starcraft ii\versions\base19679\sc2.exe] => (Allow) C:\users\public\games\starcraft ii\versions\base19679\sc2.exe
FirewallRules: [TCP Query User{F4FEC4E3-D19E-411C-AA72-5C83E68DC6F9}C:0\world of warcraft\launcher.exe] => (Allow) C:0\world of warcraft\launcher.exe
FirewallRules: [UDP Query User{89ED4EDD-8E2A-42DD-AF09-8C6592261829}C:0\world of warcraft\launcher.exe] => (Allow) C:0\world of warcraft\launcher.exe
FirewallRules: [{6A30E516-F2DE-490F-A7D2-802DF8439F92}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{5BA16A9A-13CA-40AD-AECE-81C3A3E4F89E}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{F7125E59-1E0D-438A-9879-2C8678B8167C}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{6E977022-91BC-411B-88EE-A773DC197B92}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{E6329419-AB72-4D3E-891C-7FA4B9505E81}] => (Allow) C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
FirewallRules: [{B6326DDF-3475-46EF-B0EA-B371CC08256B}] => (Allow) C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
FirewallRules: [{C95A39E4-A0F6-4F01-8E4F-BEEF90AC12AA}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{814B018C-F078-4184-893F-54CF24F0B6A2}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{E6E7BF23-86C7-42F7-A831-6BE626DE7522}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{6EEAAA04-2AC1-4E1E-B8AD-C86D1E5AB371}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{5D8B9AFC-AAC4-467B-A1D2-21FC1FB106D6}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4DAA6B1C-8675-46CF-9E6A-5EB99E8CAAFC}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{205BE635-60CA-4D60-B06D-287AF8EA3466}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{F24C6CD3-6D8A-4F39-9136-074EF0D8D0B6}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{6D9AC9C3-80A0-4D89-A638-DAD7286A8401}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F73EF893-C80D-48AB-B5A6-4D9229664C5F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{186BD00C-6C15-48F0-A0A6-A1FE1762E710}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{434B66DE-9EED-4686-85AC-2B452A77F6F1}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{8ECED4BF-3D86-4ACD-BA11-88A8CE6E9757}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{F2A49D29-9ED3-4268-883E-9D3502B3F886}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{A9679187-4D27-4A12-9538-1262A5DA7CD7}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{5A8DA7C2-2139-49F9-9FBE-DDD36B8A7AC7}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{E441894F-1ED0-43E8-94B8-87319C8F9380}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{67CEE16F-4458-46AF-8D0E-70FC9854DD18}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{DB582588-EC46-42BF-8C46-3698554E23A2}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{676A8391-C38A-4D05-BF46-C50823B75DEB}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{79070F2D-A43C-4011-BA77-A53F6F673AC3}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{571FC673-258D-49FF-AE72-C2802B188A76}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{61CDE73C-39B9-48ED-B8FC-EAC91F4BA0F2}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{5588AB17-F5B9-439B-AB2A-19F226D2AB7B}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe

==================== Restore Points =========================

21-09-2016 16:19:51 Windows Update
21-09-2016 16:57:44 Windows Update

==================== Faulty Device Manager Devices =============

Name: Marvell 91xx Config ATA Device
Description: Marvell 91xx Config ATA Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/17/2016 10:16:55 AM) (Source: MsiInstaller) (EventID: 1024) (User: V2POWER1)
Description: Product: Adobe Acrobat Reader DC - Update '{AC76BA86-7AD7-0000-2550-AC0F0A4E5C00}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (03/14/2016 01:49:53 PM) (Source: MsiInstaller) (EventID: 1024) (User: V2POWER1)
Description: Product: Adobe Reader XI (11.0.14) - Update '{AC76BA86-7AD7-0000-2550-7A8C40011015}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (12/10/2015 12:48:44 PM) (Source: MsiInstaller) (EventID: 1024) (User: V2POWER1)
Description: Product: Adobe Reader XI - Update '{AC76BA86-7AD7-0000-2550-7A8C40011013}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (10/21/2015 10:32:19 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Faulting module name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Exception code: 0x40000015
Fault offset: 0x00052d24
Faulting process id: 0x340
Faulting application start time: 0x01d10c266e43ab2f
Faulting application path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Faulting module path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Report Id: ad4ecc43-7819-11e5-87c9-6cf0490fd2c3

Error: (10/09/2015 09:06:52 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Faulting module name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Exception code: 0x40000015
Fault offset: 0x00052d24
Faulting process id: 0x1018
Faulting application start time: 0x01d10311173eec3f
Faulting application path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Faulting module path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Report Id: 55f98412-6f04-11e5-87c9-6cf0490fd2c3

Error: (10/09/2015 10:47:11 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Faulting module name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Exception code: 0x40000015
Fault offset: 0x00052d24
Faulting process id: 0x135c
Faulting application start time: 0x01d102ba85c38caf
Faulting application path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Faulting module path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Report Id: c4662faf-6ead-11e5-87c9-6cf0490fd2c3

Error: (09/28/2015 09:09:19 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Faulting module name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Exception code: 0x40000015
Fault offset: 0x00052d24
Faulting process id: 0xf20
Faulting application start time: 0x01d0fa0807300453
Faulting application path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Faulting module path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Report Id: 45d9cb74-65fb-11e5-a89b-6cf0490fd2c3

Error: (09/22/2015 04:01:34 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Faulting module name: jucheck.exe, version: 2.8.60.27, time stamp: 0x55c116b1
Exception code: 0x40000015
Fault offset: 0x00052d24
Faulting process id: 0x998
Faulting application start time: 0x01d0f58aa01ad7c7
Faulting application path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Faulting module path: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Report Id: de99c623-617d-11e5-a89b-6cf0490fd2c3

Error: (09/16/2015 10:53:30 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program splwow64.exe version 6.1.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 554

Start Time: 01d0f0a843a1b6b4

Termination Time: 15

Application Path: C:\Windows\splwow64.exe

Report Id: d2bb33d5-5c9b-11e5-b0ca-6cf0490fd2c3

Error: (12/03/2014 11:14:20 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FeedDemon.exe version 4.1.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 18e4

Start Time: 01d00f1f06093104

Termination Time: 0

Application Path: C:\Program Files (x86)\FeedDemon\FeedDemon.exe

Report Id: 2ed7864b-7b18-11e4-9416-6cf0490fd2c3


System errors:
=============
Error: (09/28/2016 09:52:51 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Modules Installer service, but this action failed with the following error:
An instance of the service is already running.

Error: (09/28/2016 09:47:51 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Modules Installer service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (09/28/2016 09:47:43 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Update service terminated unexpectedly.  It has done this 2 time(s).

Error: (09/28/2016 09:47:43 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Management Instrumentation service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (09/28/2016 09:47:43 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Profile Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (09/28/2016 09:47:43 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Multimedia Class Scheduler service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (09/28/2016 09:47:43 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Server service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (09/28/2016 09:47:43 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Background Intelligent Transfer Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (09/28/2016 09:47:31 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Modules Installer service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (09/28/2016 09:46:32 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:
An instance of the service is already running.


CodeIntegrity:
===================================
  Date: 2010-03-05 01:35:36.223
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\v2\AppData\Local\Temp\EverestDriver.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2010-03-05 01:35:36.223
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\v2\AppData\Local\Temp\EverestDriver.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2010-03-05 01:35:36.177
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Lavalys\EVEREST Home Edition\kerneld.amd64 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2010-03-05 01:35:36.177
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Lavalys\EVEREST Home Edition\kerneld.amd64 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i5 CPU 750 @ 2.67GHz
Percentage of memory in use: 36%
Total physical RAM: 4091.49 MB
Available physical RAM: 2605.98 MB
Total Virtual: 8181.19 MB
Available Virtual: 6294.61 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:59.53 GB) (Free:19.84 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 59.6 GB) (Disk ID: 5D0609E0)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=59.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#4 Aura (Malware Response Team)
Posted 28 September 2016 - 01:42 PM

As suspected, your logs do not show any signs of infection. However, they do show that you have two Antivirus programs installed on your computer. You should never have more than one Antivirus program installed at a time, since installing more than one can cause system instability and conflicts. For more information, you can read the post below by quietman.

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

This being said, I'll ask you to uninstall one Antivirus (either Ad-Aware or AVG), and keep the other one.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Veo8888 (Topic Starter)
Posted 28 September 2016 - 03:41 PM

Thank you for your help and patience Aura.  Sorry for having two Antivirus programs running.  I thought I would use Ad-Aware as a simple stand-alone scanner.  But I have read the post by quietman and I have removed Ad-Aware from my computer, leaving only AVG Free Anti-Virus.  I am also using Windows Firewall as AVG Free does not come with a Firewall.

Unfortunately, I am still having the same issue/problem.  Every time I try to update through Windows Update (under Start Menu), my computer gets stuck at the 0% downloaded screen.  At the same time, my CPU usage surges to a 25% plateau.  Again, it is one SVCHOST.EXE file and (sometimes) one TRUSTEDINSTALLER.EXE file.  The SVCHOST.EXE constantly takes up 25% of my CPU, even now while I am simply surfing the web.

I think I should also add that I have not had a Windows Update for a couple of months now.  I have around 50 updates to download and install.

I am sorry, but I am at a loss as to what to do next.  Any help or guidance with this issue/problem would be greatly appreciated.  Thanks in advance.

-V.



#6 Aura (Malware Response Team)
Posted 28 September 2016 - 03:46 PM

Did you try leaving your computer on overnight to allow Windows to download and install the updates? That's the first thing I would do.



#7 Veo8888 (Topic Starter)
Posted 28 September 2016 - 04:59 PM

Thanks for your help and patience Aura.

I have not tried leaving the computer on overnight.  I might do that tonight.  However, if it is of any import, the Windows Update menu states that the most recent check for updates was 6/29/2016.

Thanks again for all your help.

-V.



#8 Aura (Malware Response Team)
Posted 28 September 2016 - 06:09 PM

No problem, let me know how it went tomorrow :)



#9 Veo8888 (Topic Starter)
Posted 29 September 2016 - 12:59 PM

Hello Aura.  Thanks for your help and patience.

Unfortunately, I am having the same issues and problems.  I know it may sound strange but I am almost certain there must be some type of malware preventing me from updating through Windows Update.  Also, if I leave the computer idle for longer than about an hour, that same SVCHOST.EXE pops up and takes up 25% of my CPU power constantly.  It also takes up +150k of memory from what Task Manager states.  The only way to get rid of it is by the "End Process Tree" option.  But then it reappears after trying to use Windows Update or leaving the computer idle.

Thanks in advance for your help Aura.

-V.

PS - I will be away from the boards for a couple of hours so I will not be able to reply promptly until then.  Sorry for the inconvenience.
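An added check for the svchost.exe question raised in the post above; this is not part of the original thread and not a tool either participant used. Task Manager shows the host process, not which service inside it is busy, so the script maps each high-CPU svchost.exe to the services it hosts via WMI, then confirms the image is the signed binary under System32. On a four-core CPU without hyper-threading, such as the Core i5 750 listed in the FRST log, one saturated thread reads as roughly 25% total CPU. Assumptions: the default Windows 7 layout (svchost.exe in %SystemRoot%\System32) and PowerShell 2.0-era cmdlets (Get-WmiObject rather than Get-CimInstance). Run it from an elevated prompt, since a non-admin session cannot read every process's image path.

```powershell
# Added example: attribute CPU-hungry svchost.exe instances to the services they host
# and check that each image is the signed binary under %SystemRoot%\System32.
# Windows 7 / PowerShell 2.0 compatible. Run elevated.

$expectedHost = Join-Path $env:SystemRoot 'System32\svchost.exe'   # assumed default path

# Top three svchost.exe instances by accumulated CPU time (seconds).
$busyHosts = Get-Process -Name svchost |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 3

foreach ($proc in $busyHosts) {
    Write-Host ("svchost.exe PID {0}  CPU {1:N1}s  WorkingSet {2:N0} KB" -f `
        $proc.Id, $proc.CPU, ($proc.WorkingSet64 / 1KB))

    # Which services live in this process? Task Manager only shows the host.
    $services = Get-WmiObject -Class Win32_Service -Filter "ProcessId = $($proc.Id)"
    foreach ($svc in $services) {
        Write-Host ("    hosts service {0} ({1})" -f $svc.Name, $svc.DisplayName)
    }

    # Image path and Authenticode signature: a real svchost.exe lives in System32
    # and carries a valid Microsoft signature.
    $path = $proc.Path
    if ($path -eq $null) {
        Write-Host "    (image path not readable - run this from an elevated prompt)"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($path -ieq $expectedHost) { $where = 'expected location' } else { $where = 'UNEXPECTED location' }
    Write-Host ("    image {0} [{1}], signature {2}, signer {3}" -f `
        $path, $where, $sig.Status, $sig.SignerCertificate.Subject)
}

# The updater's own components, for reference: wuauserv and bits run inside an
# svchost.exe instance; TrustedInstaller (Windows Modules Installer) is its own process.
Get-Service -Name wuauserv, bits, TrustedInstaller |
    Format-Table -AutoSize Name, Status, DisplayName
```

If the busy instance hosts wuauserv and the image sits in System32 with a valid Microsoft signature, the CPU time belongs to the Windows Update agent itself rather than to a foreign binary masquerading as svchost.exe; an instance whose path is outside System32 or whose signature status is anything but Valid is what would warrant a malware investigation.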



#10 Aura (Malware Response Team)
Posted 29 September 2016 - 01:11 PM

Like I said before, there's no sign of malware in your logs, and this issue is a really known one. So I guess that Windows didn't find any updates, even if you left it running overnight? When was the last time that you installed Windows Updates on that computer?



#11 Veo8888 (Topic Starter)
Posted 29 September 2016 - 04:55 PM

Hello Aura.

I am still having the same problems as to that spike of 25% CPU Usage.  Windows Update has a list of updates that I need to go through (download and install).  It has found many (about 45 to 50) updates; the problem is that when I try to download and install them, the Windows Update menu just hangs at 0% downloaded for minutes.  This is also when I see a spike in CPU usage (to a constant 25%) thanks to that SVCHOST.EXE file.

Luckily, through some trial and error, I have been able to download and install some updates in small batches.  I have to "End Process Tree" on that SVCHOST.EXE file and then I am able to download and install some updates in small batches (like 5 or so updates at a time).  I am close to finishing the updates; hopefully the updates will eliminate the rogue SVCHOST.EXE file.

I will let you know if things work out with a new post in a couple of hours.  Thanks again for your help and patience Aura.

-V.



#12 Veo8888 (Topic Starter)
Posted 29 September 2016 - 07:30 PM

Hello Aura.

Good and bad news.  First the good news.  I was able to download and install all but 2 updates.  And that is also the bad news.  I am unable to download KB3042058.  (The other update is for IE11, but I use Firefox so I probably do not have to worry about IE11.)

Let me be clear, I am unable to download KB3042058 through Windows Update.  I have yet to manually download it and install it on my computer.  I really am at a loss as to why I was able to download and install the other updates (in small batches).

Currently I am at a loss as to what to do next.  Any help and/or guidance would be appreciated.  Thanks in advance.

-V.



#13 Aura (Malware Response Team)
Posted 29 September 2016 - 07:44 PM

Try to download and install it manually.

https://www.microsoft.com/en-us/download/details.aspx?id=47012

If it fails to install, upload the two logs below for me to review.

C:\Windows\WindowsUpdate.log
C:\Windows\Logs\CBS\CBS.log

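An added example, not part of Aura's post or of any tool he references: before uploading whole logs, a practitioner would first check whether the package is already present and pull only the relevant lines from the two files requested above. A standalone .msu reports "The update is not applicable to your computer" when its applicability check fails, and the package already being installed is one of the reasons that check fails, so Get-HotFix is the first thing to ask. The KB number is the one discussed in this thread; the log paths are the Windows 7 defaults that Aura lists; the search patterns and line counts are this script's own choices, and the cmdlets are available in PowerShell 2.0 on Windows 7.

```powershell
# Added example: is the KB already installed, and what do the update logs say about it?
# Windows 7 / PowerShell 2.0 compatible. Run from an elevated prompt so CBS.log is readable.

$kb = 'KB3042058'   # the update discussed in this thread

# 1. Is the package already present? An installed package makes a standalone .msu
#    report "not applicable", which is a normal outcome rather than a failure.
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq $kb }
if ($installed) {
    Write-Host ("{0} is already installed (InstalledOn: {1})" -f $kb, $installed.InstalledOn)
} else {
    Write-Host "$kb is not listed by Get-HotFix"
}

# 2. Windows Update agent log: lines mentioning this KB plus any FATAL/WARNING entries.
#    The log is chronological, so the last 30 matches are the most recent attempts.
$wuLog = Join-Path $env:SystemRoot 'WindowsUpdate.log'
Write-Host "`n--- $wuLog (last 30 relevant lines) ---"
Select-String -Path $wuLog -Pattern $kb, 'FATAL', 'WARNING' -SimpleMatch |
    Select-Object -Last 30 |
    ForEach-Object { $_.Line }

# 3. Servicing stack log (CBS.log): entries are "<timestamp>, <Level> <Component> <text>",
#    so ', Error' isolates error-level lines; 'Failed' catches the package-level failures
#    that carry an HRESULT. The file can be very large, so it is scanned once.
$cbsLog = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
Write-Host "`n--- $cbsLog (last 30 error lines) ---"
Select-String -Path $cbsLog -Pattern ', Error', 'Failed' -SimpleMatch |
    Select-Object -Last 30 |
    ForEach-Object { $_.Line }
```

The HRESULT on a CBS.log failure line (an 0x8… code) is the value to search on or quote to an analyst; a WindowsUpdate.log that shows repeated "FATAL" entries during the detection phase, rather than during download, points at the agent's update scan rather than at the download of any one package.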


#14 Veo8888 (Topic Starter)
Posted 30 September 2016 - 01:01 PM

Hello Aura.  Thank you for helping me.

Unfortunately, more bad news.  I downloaded KB3042058.  However, when I go to open and install it, I get this message: "The Update is not Applicable to your computer", which stops me from installing it.

Also, I now get the 25% CPU surge from a rogue SVCHOST.EXE and TRUSTEDINSTALLER.EXE about a minute after startup/restart.

Also, if I hit "check for updates" on Windows Update it just hangs.

I will now upload the two log files for your review in the next post.



#15 Aura (Malware Response Team)
Posted 30 September 2016 - 01:03 PM

There are no rogue svchost.exe or trustedinstaller.exe processes on your system. When you say that you are unable to download it via Windows Update, does it mean that it stays at 0%? If so, how long did you wait for it to download?
