Unable to Enable Firewall and Uninstall AVG


  • This topic is locked
16 replies to this topic

#1 Rhapzodic

  • Members
  • 9 posts

Posted 19 January 2017 - 01:02 PM

Hello all!

Bleeping Computer has helped me numerous times in the past by posting answers to issues I've had with my computer(s). However, no matter how much I search, this current issue doesn't seem to be one I can do on my own.

Last week I suddenly found myself unable to activate my firewall and could not connect to the internet. Using my phone I was able to find a way to reconnect to the internet; however, I am still unable to activate my firewall. In fact, my whole Windows Security Center Service is not functioning and I cannot reactivate any parts of it in 'Services'.

I have Spybot and Malwarebytes along with AVG to keep my computer safe; Spybot and Mal consistently pick up things, but I noticed that my AVG is also weird - it will not update and will not uninstall even when using programs like Revo Uninstaller. When scanned by GMER, I noticed the extension avghookx.dll in areas where I have been having issues in the past before the firewall lockout: flash player, ccleaner, etc.

Rootkit scans have been unsuccessful in finding the issue and I have no idea how to go about fixing my compromised computer. I have also attempted registry fixes to the Security Center Service to no avail.

Here is the FRST log:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-01-2017
Ran by Jame K Shonin (administrator) on JAMEKSHONIN-PC (20-01-2017 02:34:11)
Running from C:\Users\Jame K Shonin\Desktop
Loaded Profiles: Jame K Shonin (Available Profiles: Jame K Shonin)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Eastman Kodak Company) C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Eastman Kodak Company) C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Native Instruments GmbH) C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
(Eastman Kodak Company) C:\Program Files\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Flux Software LLC) C:\Users\Jame K Shonin\AppData\Local\FluxSoftware\Flux\flux.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avgsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\setup\instup.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\AVGUI.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(CobianSoft, Luis Cobian) C:\Program Files\Cobian Backup 11\cbVSCService11.exe
(Luis Cobian, CobianSoft) C:\Program Files\Cobian Backup 11\Cobian.exe
(Luis Cobian, CobianSoft) C:\Program Files\Cobian Backup 11\cbInterface.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [219856 2017-01-09] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [IaNvSrv] => C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe [33304 2009-07-13] (Intel Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [2403104 2014-07-25] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [AvgUi] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [219856 2017-01-09] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [EKStatusMonitor] => C:\Program Files\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe [2750840 2013-12-11] (Eastman Kodak Company)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1002984 2016-11-14] (Microsoft Corporation)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files\AVG\Antivirus\AVGUI.exe [9523496 2017-01-19] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-411374393-1568456481-4064395069-1000\...\Run: [f.lux] => C:\Users\Jame K Shonin\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-24] (Flux Software LLC)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-06-18] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy\User: Restriction ? <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [122128 2015-08-12] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{20AC56BC-ED9F-4A59-907F-508541717A6D}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
SearchScopes: HKU\S-1-5-21-411374393-1568456481-4064395069-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={FB7E4A7E-1A73-4D28-8738-FAC4BA7167BC}&mid=9ceea3582b7747d2a6f5d157aab215eb-8bc6786205389264d044733d051690b125fd2e5d&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-19 11:19:52&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Jame K Shonin\AppData\Roaming\Mozilla\Firefox\Profiles\okmk4let.default [2017-01-20]
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\okmk4let.default -> AVG Secure Search
FF Homepage: Mozilla\Firefox\Profiles\okmk4let.default -> hxxp://www.google.com/
FF Session Restore: Mozilla\Firefox\Profiles\okmk4let.default -> is enabled.
FF Extension: (Adblock Plus) - C:\Users\Jame K Shonin\AppData\Roaming\Mozilla\Firefox\Profiles\okmk4let.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-12-18]
FF Extension: (Skype) - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2016-05-25]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\wtu-secure-search.xml [2017-01-19]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-12] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-02-04] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-02-04] (NVIDIA Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2016-05-27]

Chrome:
=======
CHR DefaultProfile: Default
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default [2017-01-19]
CHR Extension: (Google Docs) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-03]
CHR Extension: (Google Drive) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-10]
CHR Extension: (Honey) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2016-12-24]
CHR Extension: (Google Search) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-31]
CHR Extension: (Google Docs Offline) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Gmail) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-29]
CHR Extension: (Chrome Media Router) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-18]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [1020432 2017-01-09] (AVG Technologies CZ, s.r.o.)
S4 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)
S4 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)
R2 cbVSCService11; C:\Program Files\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
S3 iumsvc; C:\Program Files\Intel\Intel® Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel Corporation)
R2 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe [407016 2016-04-13] (Eastman Kodak Company)
R2 Kodak AiO Status Monitor Service; C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [780152 2013-12-11] (Eastman Kodak Company)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [103696 2016-11-14] (Microsoft Corporation)
R2 NIHardwareService; C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [12538992 2015-09-17] (Native Instruments GmbH)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [280864 2016-11-14] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1720608 2014-07-25] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [17536800 2014-07-25] (NVIDIA Corporation)
S2 PaceLicenseDServices; C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe [47306280 2016-12-02] (PACE Anti-Piracy, Inc.)
S2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
S2 wscsvc; C:\Windows\System32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 giveio; C:\Windows\system32\giveio.sys [5248 1996-04-04] () [File not signed]
R3 mcdbus; C:\Windows\System32\DRIVERS\mcdbus.sys [116736 2009-02-24] (MagicISO, Inc.) [File not signed]
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [252808 2016-08-25] (Microsoft Corporation)
R1 MpKsl137d3435; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C34669F4-17A3-4C2A-96A8-14414F295E15}\MpKsl137d3435.sys [39168 2017-01-19] (Microsoft Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19232 2014-07-25] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [34080 2014-04-01] (NVIDIA Corporation)
R2 speedfan; C:\Windows\system32\speedfan.sys [24184 2012-12-30] (Almico Software)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-20 02:36 - 2017-01-20 02:39 - 00000000 ____D C:\Users\Jame K Shonin\Desktop\Desktop 2017-01-20 02;36;27 (Full)
2017-01-20 02:34 - 2017-01-20 02:38 - 00014890 _____ C:\Users\Jame K Shonin\Desktop\FRST.txt
2017-01-20 02:33 - 2017-01-20 02:34 - 00000000 ____D C:\FRST
2017-01-20 02:33 - 2017-01-20 02:33 - 01761792 _____ (Farbar) C:\Users\Jame K Shonin\Desktop\FRST.exe
2017-01-20 02:02 - 2017-01-20 02:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2017-01-20 02:02 - 2017-01-20 02:02 - 00000000 ____D C:\Program Files\Cobian Backup 11
2017-01-20 01:59 - 2017-01-20 02:00 - 19709440 _____ (Luis Cobian, CobianSoft) C:\Users\Jame K Shonin\Desktop\cbSetup.exe
2017-01-19 20:34 - 2017-01-19 20:16 - 00755144 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgBF00.tmp
2017-01-19 20:34 - 2017-01-19 20:15 - 00464416 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgC423.tmp
2017-01-19 20:34 - 2017-01-19 20:15 - 00250160 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgC482.tmp
2017-01-19 20:34 - 2017-01-19 20:15 - 00119272 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgC741.tmp
2017-01-19 20:34 - 2017-01-19 20:15 - 00107376 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgC337.tmp
2017-01-19 20:34 - 2017-01-19 20:15 - 00091328 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgC058.tmp
2017-01-19 20:34 - 2017-01-19 20:15 - 00062112 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgC3A6.tmp
2017-01-19 20:34 - 2017-01-19 20:15 - 00035128 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgC2D9.tmp
2017-01-19 20:34 - 2017-01-19 20:14 - 00272472 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgBBD3.tmp
2017-01-19 20:34 - 2017-01-19 20:14 - 00258528 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgBA4B.tmp
2017-01-19 20:34 - 2017-01-19 20:14 - 00151048 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgBB17.tmp
2017-01-19 20:34 - 2017-01-19 20:14 - 00134360 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgB5A8.tmp
2017-01-19 20:34 - 2017-01-19 20:14 - 00044016 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgBC8F.tmp
2017-01-19 20:19 - 2017-01-19 20:31 - 00000000 ____D C:\Program Files\AVG Web TuneUp
2017-01-19 20:15 - 2017-01-19 20:14 - 00327656 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2017-01-19 20:08 - 2017-01-19 20:08 - 00000954 _____ C:\Users\Public\Desktop\AVG.lnk
2017-01-19 20:08 - 2017-01-19 20:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2017-01-19 20:02 - 2017-01-19 20:32 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\AvgSetupLog
2017-01-19 20:02 - 2017-01-19 20:02 - 03449440 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Jame K Shonin\Desktop\AVG_Protection_Free_1597.exe
2017-01-19 19:56 - 2017-01-19 19:56 - 00001230 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2017-01-19 19:56 - 2017-01-19 19:56 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\VS Revo Group
2017-01-19 19:56 - 2017-01-19 19:56 - 00000000 ____D C:\ProgramData\VS Revo Group
2017-01-19 19:56 - 2017-01-19 19:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2017-01-19 19:56 - 2017-01-19 19:56 - 00000000 ____D C:\Program Files\VS Revo Group
2017-01-19 19:56 - 2016-12-21 14:52 - 00035632 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2017-01-19 19:55 - 2017-01-19 19:55 - 11523496 _____ (VS Revo Group ) C:\Users\Jame K Shonin\Desktop\RevoUninProSetup.exe
2017-01-19 19:45 - 2017-01-19 19:53 - 00000000 ____D C:\AVG_Remover
2017-01-19 19:44 - 2017-01-19 19:44 - 08111408 _____ ( ) C:\Users\Jame K Shonin\Desktop\AVG_Remover.exe
2017-01-19 19:23 - 2017-01-19 19:23 - 00002574 _____ C:\Users\Jame K Shonin\Desktop\Hkey.reg
2017-01-19 19:12 - 2017-01-19 19:12 - 00002117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2017-01-19 19:11 - 2017-01-19 19:12 - 00000000 ____D C:\Program Files\Microsoft Security Client
2017-01-19 19:03 - 2017-01-19 19:12 - 00001945 _____ C:\Windows\epplauncher.mif
2017-01-19 17:45 - 2017-01-19 18:39 - 00320874 _____ C:\Windows\ntbtlog.txt
2017-01-16 02:15 - 2017-01-16 02:15 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\ESET
2017-01-16 02:14 - 2017-01-16 02:15 - 06771840 _____ (ESET spol. s r.o.) C:\Users\Jame K Shonin\Desktop\esetonlinescanner_enu.exe
2017-01-12 18:21 - 2017-01-06 02:46 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-01-12 18:21 - 2017-01-06 02:46 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-01-12 18:21 - 2017-01-06 02:43 - 01062912 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00261120 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-01-12 18:21 - 2017-01-06 02:42 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-01-12 18:21 - 2017-01-06 02:23 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-01-12 18:21 - 2017-01-06 02:19 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-01-12 18:21 - 2017-01-06 02:19 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-01-12 18:21 - 2017-01-06 02:19 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-01-12 18:21 - 2017-01-06 02:19 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-01-12 18:21 - 2017-01-06 02:19 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-01-12 18:21 - 2017-01-06 02:19 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-01-12 05:55 - 2017-01-12 05:56 - 00000000 ____D C:\Users\Jame K Shonin\Documents\Virus Log
2017-01-12 05:40 - 2017-01-12 05:40 - 00104960 _____ (GMER) C:\pwtdapog.sys
2017-01-12 05:39 - 2017-01-12 05:39 - 00380928 _____ C:\Users\Jame K Shonin\Desktop\zcgoof3t.exe
2017-01-12 05:28 - 2017-01-12 05:31 - 00424074 _____ C:\TDSSKiller.3.1.0.12_12.01.2017_05.28.24_log.txt
2017-01-09 03:58 - 2017-01-09 03:58 - 00001963 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iLok License Manager.lnk
2017-01-09 03:58 - 2017-01-09 03:58 - 00001951 _____ C:\Users\Public\Desktop\iLok License Manager.lnk
2017-01-09 03:51 - 2017-01-09 03:51 - 00000000 ____D C:\Program Files\iLok License Manager
2017-01-09 03:51 - 2017-01-09 03:51 - 00000000 ____D C:\Program Files\Common Files\PACE
2017-01-07 08:06 - 2017-01-14 09:00 - 00000000 ____D C:\Users\Jame K Shonin\Desktop\Swaez
2016-12-31 16:44 - 2016-12-31 16:44 - 00017596 _____ C:\Users\Jame K Shonin\Desktop\BJ experience.docx
2016-12-30 11:11 - 2016-12-30 11:11 - 00016397 _____ C:\Users\Jame K Shonin\Documents\Going Back From Cali Experience 2016.docx
2016-12-28 10:18 - 2016-12-28 10:18 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_xusb21_01007.Wdf
2016-12-27 13:20 - 2016-12-27 14:07 - 740849178 _____ C:\Users\Jame K Shonin\Desktop\TB Arthur - Psychedelic Cookbook- 100- Royalty Free Sound Library.zip
2016-12-27 06:20 - 2016-05-16 17:38 - 00450771 _____ C:\Windows\system32\Drivers\etc\hosts.20161227-062038.backup
2016-12-26 17:13 - 2017-01-16 16:39 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\Talisman
2016-12-26 15:37 - 2016-12-26 15:37 - 00000216 _____ C:\Users\Jame K Shonin\Desktop\Talisman Digital Edition.url
2016-12-26 02:40 - 2016-12-26 02:40 - 00000000 ____D C:\Users\Jame K Shonin\Documents\NBGI
2016-12-26 02:40 - 2016-12-26 02:40 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\NBGI
2016-12-25 22:01 - 2016-12-25 22:01 - 00000216 _____ C:\Users\Jame K Shonin\Desktop\Dark Souls Prepare to Die Edition.url
2016-12-24 13:30 - 2016-12-24 13:40 - 00000000 ____D C:\Users\Public\Documents\SIR Impulses
2016-12-24 13:30 - 2016-12-24 13:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SIR Audio Tools
2016-12-24 13:17 - 2016-12-24 13:17 - 00000000 ____D C:\Users\Jame K Shonin\AppData\LocalLow\uTorrent
2016-12-24 12:57 - 2016-12-27 07:46 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\5f680
2016-12-24 03:08 - 2016-12-24 03:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Arturia
2016-12-24 03:06 - 2016-12-24 03:08 - 00000000 ____D C:\ProgramData\Arturia
2016-12-24 03:06 - 2016-12-24 03:08 - 00000000 ____D C:\Program Files\Arturia
2016-12-22 11:55 - 2017-01-20 01:58 - 00000000 ____D C:\Users\Jame K Shonin\AppData\LocalLow\Mozilla
2016-12-21 01:28 - 2016-12-21 01:28 - 442471608 _____ C:\Windows\MEMORY.DMP
2016-12-21 01:28 - 2016-12-21 01:28 - 00398528 _____ C:\Windows\Minidump\122116-58032-01.dmp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-20 01:51 - 2009-07-14 13:34 - 00017024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-20 01:51 - 2009-07-14 13:34 - 00017024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-20 01:40 - 2014-06-17 17:22 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-01-19 20:17 - 2015-09-10 14:24 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\AVG
2017-01-19 20:16 - 2015-09-10 14:18 - 00000000 ____D C:\ProgramData\AVG
2017-01-19 20:09 - 2014-06-17 00:41 - 00000000 ____D C:\Program Files\AVG
2017-01-19 19:49 - 2016-12-10 07:56 - 00000000 ____D C:\ProgramData\Kodak
2017-01-19 19:48 - 2014-10-19 06:07 - 00000000 ____D C:\ProgramData\NVIDIA
2017-01-19 19:48 - 2009-07-14 13:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-19 18:53 - 2014-10-13 10:33 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-19 18:52 - 2014-10-19 08:59 - 00713854 _____ C:\Windows\system32\prfh0416.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00697182 _____ C:\Windows\system32\perfh007.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00656656 _____ C:\Windows\system32\perfh01F.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00149118 _____ C:\Windows\system32\perfc007.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00147658 _____ C:\Windows\system32\prfc0416.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00140002 _____ C:\Windows\system32\perfc01F.dat
2017-01-19 18:52 - 2014-04-13 08:32 - 03259844 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-19 18:52 - 2009-07-14 11:37 - 00000000 ____D C:\Windows\inf
2017-01-19 18:50 - 2015-09-26 20:20 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2017-01-19 18:49 - 2014-04-13 08:27 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\VirtualStore
2017-01-19 18:46 - 2014-06-17 00:38 - 00000000 ____D C:\ProgramData\MFAData
2017-01-19 17:47 - 2014-10-13 09:28 - 00000000 ____D C:\Program Files\Speccy
2017-01-16 16:39 - 2014-06-17 19:15 - 00000000 ____D C:\Program Files\Steam
2017-01-14 09:40 - 2014-11-21 23:09 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\A1AUDIO.de
2017-01-14 09:40 - 2014-06-17 19:57 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\Bitwig Studio
2017-01-14 09:34 - 2016-12-13 10:36 - 00000016 _____ C:\Users\Jame K Shonin\AppData\Roaming\msregsvv.dll
2017-01-14 09:34 - 2016-12-13 10:36 - 00000016 _____ C:\ProgramData\autobk.inc
2017-01-13 09:11 - 2009-07-14 11:37 - 00000000 ____D C:\Windows\rescache
2017-01-13 04:09 - 2014-06-17 08:15 - 00000000 ____D C:\Windows\system32\MRT
2017-01-13 03:23 - 2014-06-17 08:15 - 133456224 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-01-12 16:41 - 2014-06-17 17:22 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2017-01-12 16:41 - 2014-06-17 17:22 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2017-01-12 16:41 - 2014-06-17 17:22 - 00000000 ____D C:\Windows\system32\Macromed
2017-01-12 04:01 - 2014-06-17 18:03 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\ElevatedDiagnostics
2017-01-11 17:41 - 2015-05-27 19:13 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\Avg
2017-01-11 16:21 - 2009-07-14 11:04 - 00450771 ____R C:\Windows\system32\Drivers\etc\hosts.20170119-180352.backup
2017-01-11 15:42 - 2014-06-17 00:33 - 00109280 _____ C:\Users\Jame K Shonin\AppData\Local\GDIPFONTCACHEV1.DAT
2017-01-11 15:01 - 2009-07-14 13:53 - 00032596 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-01-11 14:29 - 2014-12-22 03:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oxe FM Synth
2017-01-11 13:30 - 2009-07-14 13:33 - 00408064 _____ C:\Windows\system32\FNTCACHE.DAT
2017-01-09 03:58 - 2014-06-17 18:16 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2017-01-09 03:51 - 2016-12-01 21:03 - 00022360 _____ C:\Windows\system32\Drivers\iLokDrvr.sys
2016-12-31 03:25 - 2014-07-01 17:04 - 00000000 ____D C:\Users\Jame K Shonin\Desktop\DAW Samples
2016-12-29 11:18 - 2015-10-10 11:50 - 00000000 ____D C:\Users\Jame K Shonin\Documents\Resume
2016-12-27 07:46 - 2009-07-14 11:37 - 00000000 ____D C:\Windows\AppCompat
2016-12-27 06:20 - 2009-07-14 11:04 - 00450771 ____R C:\Windows\system32\Drivers\etc\hosts.20170111-162128.backup
2016-12-26 17:13 - 2014-04-13 08:27 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming
2016-12-26 15:37 - 2014-06-17 19:21 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2016-12-26 02:39 - 2009-07-14 11:37 - 00000000 __RSD C:\Windows\assembly
2016-12-25 15:20 - 2014-06-17 19:15 - 00000000 ____D C:\Program Files\Common Files\Steam
2016-12-24 13:53 - 2014-09-27 20:36 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\uTorrent
2016-12-24 13:41 - 2016-12-18 13:44 - 00000000 ____D C:\Program Files\VST
2016-12-24 13:41 - 2014-10-17 18:02 - 00000000 ____D C:\Program Files\VSTPlugins
2016-12-24 13:40 - 2016-12-18 13:49 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\SIR
2016-12-24 13:40 - 2016-12-18 13:49 - 00000000 ____D C:\ProgramData\SIR
2016-12-24 13:30 - 2009-07-14 11:37 - 00000000 ___RD C:\Users\Public\Documents
2016-12-24 03:06 - 2014-11-21 20:36 - 00000000 ____D C:\Program Files\Common Files\VST3
2016-12-23 15:03 - 2016-12-18 15:15 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-12-23 15:03 - 2014-06-17 00:38 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-12-21 01:28 - 2014-12-22 11:11 - 00000000 ____D C:\Windows\Minidump

==================== Files in the root of some directories =======

2016-12-13 10:36 - 2017-01-14 09:34 - 0000016 _____ () C:\Users\Jame K Shonin\AppData\Roaming\msregsvv.dll
2016-06-05 13:53 - 2016-06-05 13:53 - 0000000 ____H () C:\Users\Jame K Shonin\AppData\Local\BIT5C54.tmp
2016-06-05 13:49 - 2016-06-05 13:49 - 0000000 ____H () C:\Users\Jame K Shonin\AppData\Local\BIT77A1.tmp
2016-09-17 17:10 - 2016-09-25 15:39 - 0007592 _____ () C:\Users\Jame K Shonin\AppData\Local\Resmon.ResmonCfg
2016-05-22 21:48 - 2016-05-22 21:48 - 0000000 _____ () C:\Users\Jame K Shonin\AppData\Local\{EB00AA00-5117-4DD0-826A-792D5BD1CCD5}
2015-12-28 11:29 - 2015-12-28 11:29 - 0000057 _____ () C:\ProgramData\Ament.ini
2016-12-13 10:36 - 2017-01-14 09:34 - 0000016 _____ () C:\ProgramData\autobk.inc

Some files in TEMP:
====================
C:\Users\Jame K Shonin\AppData\Local\Temp\sqlite-3.8.0-x86-sqlitejdbc.dll


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-01-13 09:03

==================== End of FRST.txt ============================

Attached File: Addition.txt (42.55KB)

I know y'all work hard so I want to thank all of you in advance for your time and efforts.
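The "Files in the root of some directories" listing above is the part of an FRST log that gets read entry by entry: each line carries two timestamps, a size, an attribute string, the publisher taken from the file's version information (printed as "()" when there is none) and the path. As an added example, not FRST's own code and not part of this thread, the following Python parses those lines and applies two checks a responder otherwise makes by eye: a file with an executable extension that is smaller than the 64-byte DOS header every PE image begins with cannot be a real executable, and an executable with no publisher information under AppData, ProgramData or a Temp directory is worth a closer look. The sample lines are copied from the log in this post; the extension list and the list of user-writable locations are my own choices.

```python
"""Triage of FRST file-listing lines (added example; not FRST's own code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One line from FRST's "One Month Created/Modified" or "Files in the root" sections:
#   <timestamp> - <timestamp> - <size> <attrs> (<publisher>) <path>
# FRST prints two timestamps per entry; which one is creation and which is
# modification depends on the section, so they are kept here in print order.
# The publisher field is absent for directories and "()" when the file has no
# version information.
FILE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$"
)

# Extensions that should hold a PE image. A PE image starts with a 64-byte DOS
# header, so anything smaller cannot be one. (Extension list is my choice.)
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
MIN_PE_SIZE = 64
# Locations a standard user can write to (my choice of markers, matched case-insensitively).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass
class FileEntry:
    ts_first: datetime
    ts_second: datetime
    size: int
    attrs: str
    vendor: Optional[str]
    path: str

    @property
    def is_directory(self) -> bool:
        # FRST sets the D flag in the attribute string for directories.
        return "D" in self.attrs


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Parse one listing line; None if the line is not a file entry."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    vendor = (m["vendor"] or "").strip() or None
    return FileEntry(
        ts_first=datetime.strptime(m["ts1"], "%Y-%m-%d %H:%M"),
        ts_second=datetime.strptime(m["ts2"], "%Y-%m-%d %H:%M"),
        size=int(m["size"]),
        attrs=m["attrs"],
        vendor=vendor,
        path=m["path"],
    )


def assess(entry: FileEntry) -> List[str]:
    """Reasons this entry deserves a closer look (empty list: nothing stood out)."""
    reasons: List[str] = []
    if entry.is_directory:
        return reasons
    lower = entry.path.lower()
    looks_like_pe = lower.endswith(PE_EXTENSIONS)
    if looks_like_pe and entry.size < MIN_PE_SIZE:
        reasons.append(f"{entry.size}-byte file with a PE extension cannot be a valid PE image")
    if looks_like_pe and entry.vendor is None and any(mk in lower for mk in USER_WRITABLE_MARKERS):
        reasons.append("executable without publisher information in a user-writable location")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """(path, reason) pairs for every parsed line that trips a heuristic."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        entry = parse_file_line(line)
        if entry is None:
            continue
        for reason in assess(entry):
            findings.append((entry.path, reason))
    return findings


# Sample input: lines copied from the FRST log posted in this topic.
SAMPLE_LINES = [
    r"2017-01-12 16:41 - 2014-06-17 17:22 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe",
    r"2017-01-13 04:09 - 2014-06-17 08:15 - 00000000 ____D C:\Windows\system32\MRT",
    r"2016-12-13 10:36 - 2017-01-14 09:34 - 0000016 _____ () C:\Users\Jame K Shonin\AppData\Roaming\msregsvv.dll",
    r"2016-06-05 13:53 - 2016-06-05 13:53 - 0000000 ____H () C:\Users\Jame K Shonin\AppData\Local\BIT5C54.tmp",
    r"2017-01-20 02:33 - 2017-01-22 23:50 - 01762816 _____ (Farbar) C:\Users\Jame K Shonin\Desktop\FRST.exe",
    r"2017-01-21 02:25 - 2017-01-21 02:26 - 08111408 _____ ( ) C:\Users\Jame K Shonin\Desktop\AVG_Remover(1).exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES):
        print(f"{path}: {reason}")
```

Run against the sample, only the 16-byte msregsvv.dll entry trips either check; a download on the Desktop with no publisher (the AVG remover) is deliberately not flagged, because the location rule is restricted to the directories persistence normally uses. A responder would feed the whole "Created" and "Modified" sections through this rather than a handful of lines.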





#2 nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:43 AM

Posted 20 January 2017 - 11:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy\User: Restriction ? <======= ATTENTION
SearchScopes: HKU\S-1-5-21-411374393-1568456481-4064395069-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={FB7E4A7E-1A73-4D28-8738-FAC4BA7167BC}&mid=9ceea3582b7747d2a6f5d157aab215eb-8bc6786205389264d044733d051690b125fd2e5d&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-19 11:19:52&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\wtu-secure-search.xml [2017-01-19]
CHR Extension: (Honey) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2016-12-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Chrome Media Router) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-18]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

I suggest you DISABLE Spybot Search & Destroy and remove AVG using the Uninstaller program.

Navigate to this page. Download and run the remover program.
http://www.avg.com/ca-en/utilities

Restart the computer when completed.

Please let me know what problem persists with this computer.

#3 Rhapzodic

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 20 January 2017 - 01:28 PM

Thanks a bunch for the help and expedient response Nasdaq! Look forward to working with you.

Disabled Spybot after googling how to do so. Had the same issue the last time I tried using the same installer as mentioned in first post. It will say "working, please wait" forever and will freeze when I try to cancel it. After it recovers, it does tell me to restart but doesn't actually get rid of AVG. I will restart it again to verify if this is the case again.

Also, I have noticed a new error message when I tried to uninstall it via Revo Uninstaller and when I try to open Microsoft Word: "only allowed on installed products" or something similar to that wording (all the restarts and random browser crashes keep deleting my verbatim posts argggg) and won't let me open them. Anyways, will move on from trying to uninstall AVG and will wait for your expedient guidance; now running FRST Fix:

Fix result of Farbar Recovery Scan Tool (x86) Version: 18-01-2017
Ran by Jame K Shonin (21-01-2017 03:04:20) Run:1
Running from C:\Users\Jame K Shonin\Desktop
Loaded Profiles: Jame K Shonin (Available Profiles: Jame K Shonin)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy\User: Restriction ? <======= ATTENTION
SearchScopes: HKU\S-1-5-21-411374393-1568456481-4064395069-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={FB7E4A7E-1A73-4D28-8738-FAC4BA7167BC}&mid=9ceea3582b7747d2a6f5d157aab215eb-8bc6786205389264d044733d051690b125fd2e5d&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-19 11:19:52&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\wtu-secure-search.xml [2017-01-19]
CHR Extension: (Honey) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2016-12-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Chrome Media Router) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-18]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

Reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => key removed successfully.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
HKU\S-1-5-21-411374393-1568456481-4064395069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} => key removed successfully.
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found.
C:\Program Files\mozilla firefox\browser\searchplugins\wtu-secure-search.xml => moved successfully
C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj => moved successfully
C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\Synth3dVsc => key removed successfully.
Synth3dVsc => service removed successfully.
HKLM\System\CurrentControlSet\Services\tsusbhub => key removed successfully.
tsusbhub => service removed successfully.
HKLM\System\CurrentControlSet\Services\VGPU => key removed successfully.
VGPU => service removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 56314617 B
Java, Flash, Steam htmlcache => 478223884 B
Windows/system/drivers => 881742 B
Edge => 0 B
Chrome => 664117218 B
Firefox => 368090898 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 22997649 B
LocalService => 66228 B
NetworkService => 74132 B
Jame K Shonin => 210154589 B
UpdatusUser => 0 B

RecycleBin => 120006944 B
EmptyTemp: => 1.8 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 03:14:31 ====

Here it is! I am on standby for next orders.


Edited by Rhapzodic, 20 January 2017 - 01:29 PM.


#4 nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:43 AM

Posted 20 January 2017 - 01:41 PM

Temporarily disable Spybot.

https://www.safer-networking.org/faq/how-do-i-disable-live-protection/

Any luck with the AVG removal now?

#5 Rhapzodic

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 20 January 2017 - 01:59 PM

Nope, still no luck - still freezes, stops working, tells me to restart, and still under program files after restarting.

Also, I followed that same link to disable live protection before - I've deduced that I cannot follow the instructions since Live protection does not come with the free version of their software (confirmed by right-clicking on the task bar icon and trying to enable it, which prompted the message "need license to enable live protection").

I have disabled all that I can from Spybot in advanced settings and am still unable to uninstall AVG.

Thanks for your patience!



#6 nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:43 AM

Posted 21 January 2017 - 08:30 AM


Let's remove it.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
CloseProcesses:

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avgsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\setup\instup.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [219856 2017-01-09] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AvgUi] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [219856 2017-01-09] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files\AVG\Antivirus\AVGUI.exe [9523496 2017-01-19] (AVG Technologies CZ, s.r.o.)
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\okmk4let.default -> AVG Secure Search
R2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [1020432 2017-01-09] (AVG Technologies CZ, s.r.o.)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files\AVG
Task: {1C0FFF34-4EEB-4ABD-9E81-C7993C24C97A} - System32\Tasks\Antivirus Emergency Update => C:\Program Files\AVG\Antivirus\AvEmUpdate.exe [2017-01-19] (AVG Technologies CZ, s.r.o.)
Task: {B19462FD-7859-4F41-A8A7-940F1BCFB835} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe
MpsSvc => Firewall Service is not running.
FirewallRules: [{52DAA5BC-DD32-4DB7-82F8-AAC0A018F47F}] => C:\Program Files\AVG\Av\avgmfapx.exe
FirewallRules: [{B5BB9810-CFAF-41A4-BBF1-3E811E02912A}] => C:\Program Files\AVG\Av\avgmfapx.exe
FirewallRules: [{B53AAE8E-D364-4F71-A862-2429B5063141}] => C:\Program Files\AVG\Av\avgnsx.exe
FirewallRules: [{CCD5B3EA-B00E-4EA8-A48D-26B53ADF090C}] => C:\Program Files\AVG\Av\avgnsx.exe
FirewallRules: [{8911975A-4BBC-4DD3-B4BD-E1297F6892D7}] => C:\Program Files\AVG\Av\avgemcx.exe
FirewallRules: [{902FDD00-F64A-46A3-8F59-2C44F45DEBA3}] => C:\Program Files\AVG\Av\avgemcx.exe

Reboot:


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Do not re-install any other security software just yet.

Let me know what the current issues are with this computer.

#7 Rhapzodic

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 21 January 2017 - 03:21 PM

Progress has been made!!!

AVG is no longer listed under my Programs folder. However...AVG Web Tuneup is still there. I won't touch it for now unless you do want me to try to uninstall it using AVG uninstaller again. Also, it doesn't give me an error message when I try to activate my firewall, it just says it's not at the default settings.

I'm not sure if that means it's off or just on but not at default settings like it should be. Either way, when I click the restore to default button the mouse circles as if it is changing it, then goes back to normal with no error message, but no change in firewall settings.

Here is the 2nd fixlog:

Fix result of Farbar Recovery Scan Tool (x86) Version: 18-01-2017
Ran by Jame K Shonin (22-01-2017 05:05:22) Run:2
Running from C:\Users\Jame K Shonin\Desktop
Loaded Profiles: Jame K Shonin (Available Profiles: Jame K Shonin)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
CloseProcesses:

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avgsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\setup\instup.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\wsc_proxy.exe
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [219856 2017-01-09] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AvgUi] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [219856 2017-01-09] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files\AVG\Antivirus\AVGUI.exe [9523496 2017-01-19] (AVG Technologies CZ, s.r.o.)
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\okmk4let.default -> AVG Secure Search
R2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [1020432 2017-01-09] (AVG Technologies CZ, s.r.o.)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files\AVG
Task: {1C0FFF34-4EEB-4ABD-9E81-C7993C24C97A} - System32\Tasks\Antivirus Emergency Update => C:\Program Files\AVG\Antivirus\AvEmUpdate.exe [2017-01-19] (AVG Technologies CZ, s.r.o.)
Task: {B19462FD-7859-4F41-A8A7-940F1BCFB835} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe
MpsSvc => Firewall Service is not running.
FirewallRules: [{52DAA5BC-DD32-4DB7-82F8-AAC0A018F47F}] => C:\Program Files\AVG\Av\avgmfapx.exe
FirewallRules: [{B5BB9810-CFAF-41A4-BBF1-3E811E02912A}] => C:\Program Files\AVG\Av\avgmfapx.exe
FirewallRules: [{B53AAE8E-D364-4F71-A862-2429B5063141}] => C:\Program Files\AVG\Av\avgnsx.exe
FirewallRules: [{CCD5B3EA-B00E-4EA8-A48D-26B53ADF090C}] => C:\Program Files\AVG\Av\avgnsx.exe
FirewallRules: [{8911975A-4BBC-4DD3-B4BD-E1297F6892D7}] => C:\Program Files\AVG\Av\avgemcx.exe
FirewallRules: [{902FDD00-F64A-46A3-8F59-2C44F45DEBA3}] => C:\Program Files\AVG\Av\avgemcx.exe

Reboot:


End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Program Files\AVG\Framework\Common\avgsvcx.exe
C:\Program Files\AVG\Framework\Common\avgsvcx.exe => No running process found
C:\Program Files\AVG\Framework\Common\avguix.exe
C:\Program Files\AVG\Framework\Common\avguix.exe => No running process found
C:\Program Files\AVG\Antivirus\wsc_proxy.exe
C:\Program Files\AVG\Antivirus\wsc_proxy.exe => No running process found
C:\Program Files\AVG\Antivirus\wsc_proxy.exe
C:\Program Files\AVG\Antivirus\wsc_proxy.exe => No running process found
C:\Program Files\AVG\Antivirus\wsc_proxy.exe
C:\Program Files\AVG\Antivirus\wsc_proxy.exe => No running process found
C:\Program Files\AVG\Antivirus\setup\instup.exe
C:\Program Files\AVG\Antivirus\setup\instup.exe => No running process found
C:\Program Files\AVG\Antivirus\wsc_proxy.exe
C:\Program Files\AVG\Antivirus\wsc_proxy.exe => No running process found
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\AVG_UI => value removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\AvgUi => value removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\AVGUI.exe => value removed successfully.
Firefox SelectedSearchEngine removed successfully.
avgsvc => service not found.
Synth3dVsc => service not found.
tsusbhub => service not found.
VGPU => service not found.

Ecstatic that progress is being made and always thankful for the help even getting this far!



#8 nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:43 AM

Posted 22 January 2017 - 08:33 AM

Please run the Farbar tool normally and post fresh FRST and Addition.txt logs.

Run this tool and post the log also.
Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
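The fix lists in this thread and the FSS scan requested here both come down to the state of a few services: which ones are running, which are set to start automatically yet are stopped, which still have a registry entry although their file is gone (FRST marks those [X]), and which load unsigned binaries. As an added example, neither FRST's nor Farbar's code, the following Python parses FRST's service and driver lines into those fields and reports exactly those conditions, together with FRST's own one-line verdicts such as "MpsSvc => Firewall Service is not running." The sample lines are copied from the logs in this topic; my reading of the prefix (R running, S stopped, U unknown, and the digit as the Windows start type with 2 meaning automatic) is an assumption about FRST's notation rather than something the thread states.

```python
"""Triage of FRST service and driver lines (added example; not FRST's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One line from FRST's Services/Drivers sections, e.g.
#   R2 giveio; C:\Windows\system32\giveio.sys [5248 1996-04-04] () [File not signed]
#   S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
# Assumption about FRST's notation: the leading letter is the run state
# (R running, S stopped, U unknown) and the digit is the Windows start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\))?"
    r"(?P<unsigned> \[File not signed\])?(?P<missing> \[X\])?$"
)
# FRST's one-line verdicts on core security services, e.g.
#   MpsSvc => Firewall Service is not running.
NOT_RUNNING_RE = re.compile(r"^(?P<name>\w+) => (?P<what>.+?) is not running\.?$")


@dataclass
class ServiceEntry:
    name: str
    state: str          # R, S or U
    start_type: int     # 0 to 4
    path: str
    vendor: Optional[str]
    signed: bool        # False when FRST printed [File not signed]
    file_present: bool  # False when FRST printed [X]


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; None if the line has another shape."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        name=m["name"],
        state=m["state"],
        start_type=int(m["start"]),
        path=m["path"],
        vendor=(m["vendor"] or "").strip() or None,
        signed=m["unsigned"] is None,
        file_present=m["missing"] is None,
    )


def triage(lines: List[str]) -> List[str]:
    """Human-readable findings for the given lines (empty list: nothing stood out)."""
    findings: List[str] = []
    for raw in lines:
        line = raw.strip()
        verdict = NOT_RUNNING_RE.match(line)
        if verdict:
            findings.append(f"{verdict['name']}: {verdict['what']} is not running")
            continue
        e = parse_service_line(line)
        if e is None:
            continue
        if not e.file_present:
            findings.append(f"{e.name}: registered but its file is missing (orphaned entry)")
        if not e.signed:
            findings.append(f"{e.name}: loads an unsigned binary from {e.path}")
        if e.start_type == 2 and e.state == "S":
            findings.append(f"{e.name}: set to start automatically but is stopped")
    return findings


# Sample input: lines copied from the FRST logs and fix lists in this topic.
SAMPLE_LINES = [
    r"R2 giveio; C:\Windows\system32\giveio.sys [5248 1996-04-04] () [File not signed]",
    r"R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [252808 2016-08-25] (Microsoft Corporation)",
    r"S2 wscsvc; C:\Windows\System32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)",
    r"R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [103696 2016-11-14] (Microsoft Corporation)",
    r"S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]",
    "MpsSvc => Firewall Service is not running.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

On the sample the script reports the unsigned giveio driver, the orphaned Synth3dVsc entry, the stopped firewall service and, from the S2 wscsvc line in the scan posted later in this topic, a Security Center service configured to start automatically that is not running, which is the condition the topic starter describes. The auto-start-but-stopped check is the one that matters most for the "cannot enable the firewall" symptom, since both MpsSvc and wscsvc are normally automatic.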

#9 Rhapzodic

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 22 January 2017 - 10:03 AM

Morning Nasdaq!

Here is the FRST (heh) Log with Addition attachment:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-01-2017
Ran by Jame K Shonin (administrator) on JAMEKSHONIN-PC (22-01-2017 23:50:14)
Running from C:\Users\Jame K Shonin\Desktop
Loaded Profiles: Jame K Shonin (Available Profiles: Jame K Shonin)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CobianSoft, Luis Cobian) C:\Program Files\Cobian Backup 11\cbVSCService11.exe
(Eastman Kodak Company) C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(Eastman Kodak Company) C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
(Native Instruments GmbH) C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(PACE Anti-Piracy, Inc.) C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Eastman Kodak Company) C:\Program Files\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Flux Software LLC) C:\Users\Jame K Shonin\AppData\Local\FluxSoftware\Flux\flux.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IaNvSrv] => C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe [33304 2009-07-13] (Intel Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [2403104 2014-07-25] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [EKStatusMonitor] => C:\Program Files\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe [2750840 2013-12-11] (Eastman Kodak Company)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1002984 2016-11-14] (Microsoft Corporation)
HKU\S-1-5-21-411374393-1568456481-4064395069-1000\...\Run: [f.lux] => C:\Users\Jame K Shonin\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-24] (Flux Software LLC)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-06-18] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [122128 2015-08-12] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{20AC56BC-ED9F-4A59-907F-508541717A6D}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Jame K Shonin\AppData\Roaming\Mozilla\Firefox\Profiles\okmk4let.default [2017-01-22]
FF Homepage: Mozilla\Firefox\Profiles\okmk4let.default -> hxxp://www.google.com/
FF Session Restore: Mozilla\Firefox\Profiles\okmk4let.default -> is enabled.
FF Extension: (Adblock Plus) - C:\Users\Jame K Shonin\AppData\Roaming\Mozilla\Firefox\Profiles\okmk4let.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-12-18]
FF Extension: (Skype) - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2016-05-25]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-12] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-02-04] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-02-04] (NVIDIA Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2016-05-27]

Chrome:
=======
CHR DefaultProfile: Default
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default [2017-01-21]
CHR Extension: (Google Docs) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-03]
CHR Extension: (Google Drive) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-10]
CHR Extension: (Google Search) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-31]
CHR Extension: (Google Docs Offline) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-29]
CHR Extension: (Gmail) - C:\Users\Jame K Shonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-29]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)
S4 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)
R2 cbVSCService11; C:\Program Files\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
S3 iumsvc; C:\Program Files\Intel\Intel® Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel Corporation)
R2 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe [407016 2016-04-13] (Eastman Kodak Company)
R2 Kodak AiO Status Monitor Service; C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [780152 2013-12-11] (Eastman Kodak Company)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [103696 2016-11-14] (Microsoft Corporation)
R2 NIHardwareService; C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [12538992 2015-09-17] (Native Instruments GmbH)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [280864 2016-11-14] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1720608 2014-07-25] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [17536800 2014-07-25] (NVIDIA Corporation)
R2 PaceLicenseDServices; C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe [47306280 2016-12-02] (PACE Anti-Piracy, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
S2 wscsvc; C:\Windows\System32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 giveio; C:\Windows\system32\giveio.sys [5248 1996-04-04] () [File not signed]
R3 mcdbus; C:\Windows\System32\DRIVERS\mcdbus.sys [116736 2009-02-24] (MagicISO, Inc.) [File not signed]
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [252808 2016-08-25] (Microsoft Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19232 2014-07-25] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [34080 2014-04-01] (NVIDIA Corporation)
R2 speedfan; C:\Windows\system32\speedfan.sys [24184 2012-12-30] (Almico Software)
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-22 23:50 - 2017-01-22 23:55 - 00011645 _____ C:\Users\Jame K Shonin\Desktop\FRST.txt
2017-01-22 23:50 - 2017-01-22 23:50 - 00000000 ____D C:\Users\Jame K Shonin\Desktop\FRST-OlderVersion
2017-01-21 02:46 - 2017-01-21 03:15 - 00000914 _____ C:\Users\Jame K Shonin\Desktop\what i wanna say.txt
2017-01-21 02:46 - 2017-01-21 02:46 - 00000000 ____D C:\Users\Jame K Shonin\Desktop\C 2017-01-20 18;24;48 (Full)
2017-01-21 02:25 - 2017-01-21 02:26 - 08111408 _____ ( ) C:\Users\Jame K Shonin\Desktop\AVG_Remover(1).exe
2017-01-20 03:15 - 2017-01-21 02:46 - 00000000 ____D C:\Users\Jame K Shonin\Desktop\Backup Folders
2017-01-20 02:33 - 2017-01-22 23:50 - 01762816 _____ (Farbar) C:\Users\Jame K Shonin\Desktop\FRST.exe
2017-01-20 02:33 - 2017-01-22 23:50 - 00000000 ____D C:\FRST
2017-01-20 02:02 - 2017-01-20 02:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2017-01-20 02:02 - 2017-01-20 02:02 - 00000000 ____D C:\Program Files\Cobian Backup 11
2017-01-20 01:59 - 2017-01-20 02:00 - 19709440 _____ (Luis Cobian, CobianSoft) C:\Users\Jame K Shonin\Desktop\cbSetup.exe
2017-01-19 20:19 - 2017-01-19 20:31 - 00000000 ____D C:\Program Files\AVG Web TuneUp
2017-01-19 20:15 - 2017-01-19 20:14 - 00327656 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2017-01-19 20:02 - 2017-01-19 20:02 - 03449440 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Jame K Shonin\Desktop\AVG_Protection_Free_1597.exe
2017-01-19 19:56 - 2017-01-19 19:56 - 00001230 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2017-01-19 19:56 - 2017-01-19 19:56 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\VS Revo Group
2017-01-19 19:56 - 2017-01-19 19:56 - 00000000 ____D C:\ProgramData\VS Revo Group
2017-01-19 19:56 - 2017-01-19 19:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2017-01-19 19:56 - 2017-01-19 19:56 - 00000000 ____D C:\Program Files\VS Revo Group
2017-01-19 19:56 - 2016-12-21 14:52 - 00035632 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2017-01-19 19:55 - 2017-01-19 19:55 - 11523496 _____ (VS Revo Group ) C:\Users\Jame K Shonin\Desktop\RevoUninProSetup.exe
2017-01-19 19:45 - 2017-01-21 03:54 - 00000000 ____D C:\AVG_Remover
2017-01-19 19:44 - 2017-01-19 19:44 - 08111408 _____ ( ) C:\Users\Jame K Shonin\Desktop\AVG_Remover.exe
2017-01-19 19:23 - 2017-01-19 19:23 - 00002574 ____N C:\Users\Jame K Shonin\Desktop\Hkey.reg
2017-01-19 19:12 - 2017-01-19 19:12 - 00002117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2017-01-19 19:11 - 2017-01-19 19:12 - 00000000 ____D C:\Program Files\Microsoft Security Client
2017-01-19 19:03 - 2017-01-19 19:12 - 00001945 _____ C:\Windows\epplauncher.mif
2017-01-19 17:45 - 2017-01-19 18:39 - 00320874 _____ C:\Windows\ntbtlog.txt
2017-01-16 02:15 - 2017-01-16 02:15 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\ESET
2017-01-16 02:14 - 2017-01-16 02:15 - 06771840 _____ (ESET spol. s r.o.) C:\Users\Jame K Shonin\Desktop\esetonlinescanner_enu.exe
2017-01-12 18:21 - 2017-01-06 02:46 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-01-12 18:21 - 2017-01-06 02:46 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-01-12 18:21 - 2017-01-06 02:43 - 01062912 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00261120 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-01-12 18:21 - 2017-01-06 02:43 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-01-12 18:21 - 2017-01-06 02:42 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-01-12 18:21 - 2017-01-06 02:23 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-01-12 18:21 - 2017-01-06 02:19 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-01-12 18:21 - 2017-01-06 02:19 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-01-12 18:21 - 2017-01-06 02:19 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-01-12 18:21 - 2017-01-06 02:19 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-01-12 18:21 - 2017-01-06 02:19 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-01-12 18:21 - 2017-01-06 02:19 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-01-12 05:55 - 2017-01-12 05:56 - 00000000 ____D C:\Users\Jame K Shonin\Documents\Virus Log
2017-01-12 05:40 - 2017-01-12 05:40 - 00104960 _____ (GMER) C:\pwtdapog.sys
2017-01-12 05:39 - 2017-01-12 05:39 - 00380928 _____ C:\Users\Jame K Shonin\Desktop\zcgoof3t.exe
2017-01-12 05:28 - 2017-01-12 05:31 - 00424074 _____ C:\TDSSKiller.3.1.0.12_12.01.2017_05.28.24_log.txt
2017-01-09 03:58 - 2017-01-09 03:58 - 00001963 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iLok License Manager.lnk
2017-01-09 03:58 - 2017-01-09 03:58 - 00001951 _____ C:\Users\Public\Desktop\iLok License Manager.lnk
2017-01-09 03:51 - 2017-01-09 03:51 - 00000000 ____D C:\Program Files\iLok License Manager
2017-01-09 03:51 - 2017-01-09 03:51 - 00000000 ____D C:\Program Files\Common Files\PACE
2017-01-07 08:06 - 2017-01-14 09:00 - 00000000 ____D C:\Users\Jame K Shonin\Desktop\Swaez
2016-12-31 16:44 - 2016-12-31 16:44 - 00017596 ____N C:\Users\Jame K Shonin\Desktop\BJ experience.docx
2016-12-30 11:11 - 2016-12-30 11:11 - 00016397 ____N C:\Users\Jame K Shonin\Documents\Going Back From Cali Experience 2016.docx
2016-12-28 10:18 - 2016-12-28 10:18 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_xusb21_01007.Wdf
2016-12-27 13:20 - 2016-12-27 14:07 - 740849178 ____N C:\Users\Jame K Shonin\Desktop\TB Arthur - Psychedelic Cookbook- 100- Royalty Free Sound Library.zip
2016-12-27 06:20 - 2016-05-16 17:38 - 00450771 _____ C:\Windows\system32\Drivers\etc\hosts.20161227-062038.backup
2016-12-26 17:13 - 2017-01-16 16:39 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\Talisman
2016-12-26 15:37 - 2016-12-26 15:37 - 00000216 ____N C:\Users\Jame K Shonin\Desktop\Talisman Digital Edition.url
2016-12-26 02:40 - 2016-12-26 02:40 - 00000000 ____D C:\Users\Jame K Shonin\Documents\NBGI
2016-12-26 02:40 - 2016-12-26 02:40 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\NBGI
2016-12-25 22:01 - 2016-12-25 22:01 - 00000216 ____N C:\Users\Jame K Shonin\Desktop\Dark Souls Prepare to Die Edition.url
2016-12-24 13:30 - 2016-12-24 13:40 - 00000000 ____D C:\Users\Public\Documents\SIR Impulses
2016-12-24 13:30 - 2016-12-24 13:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SIR Audio Tools
2016-12-24 13:17 - 2016-12-24 13:17 - 00000000 ____D C:\Users\Jame K Shonin\AppData\LocalLow\uTorrent
2016-12-24 12:57 - 2016-12-27 07:46 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\5f680
2016-12-24 03:08 - 2016-12-24 03:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Arturia
2016-12-24 03:06 - 2016-12-24 03:08 - 00000000 ____D C:\ProgramData\Arturia
2016-12-24 03:06 - 2016-12-24 03:08 - 00000000 ____D C:\Program Files\Arturia

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-22 23:40 - 2014-06-17 17:22 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-01-22 23:11 - 2009-07-14 13:34 - 00017024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-22 23:11 - 2009-07-14 13:34 - 00017024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-22 05:15 - 2016-12-22 11:55 - 00000000 ____D C:\Users\Jame K Shonin\AppData\LocalLow\Mozilla
2017-01-22 05:11 - 2016-12-10 07:56 - 00000000 ____D C:\ProgramData\Kodak
2017-01-22 05:10 - 2009-07-14 13:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-22 05:09 - 2014-10-19 06:07 - 00000000 ____D C:\ProgramData\NVIDIA
2017-01-21 03:19 - 2014-10-01 00:56 - 00000008 __RSH C:\ProgramData\ntuser.pol
2017-01-21 03:19 - 2014-10-01 00:32 - 00000008 __RSH C:\Users\Jame K Shonin\ntuser.pol
2017-01-21 03:19 - 2014-04-13 08:27 - 00000000 ____D C:\Users\Jame K Shonin
2017-01-21 03:04 - 2009-07-14 11:37 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-01-21 02:41 - 2015-09-26 20:20 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-01-21 02:40 - 2015-09-10 14:18 - 00000000 ____D C:\ProgramData\AVG
2017-01-19 20:17 - 2015-09-10 14:24 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\AVG
2017-01-19 18:53 - 2014-10-13 10:33 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-19 18:52 - 2014-10-19 08:59 - 00713854 _____ C:\Windows\system32\prfh0416.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00697182 _____ C:\Windows\system32\perfh007.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00656656 _____ C:\Windows\system32\perfh01F.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00149118 _____ C:\Windows\system32\perfc007.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00147658 _____ C:\Windows\system32\prfc0416.dat
2017-01-19 18:52 - 2014-10-19 08:59 - 00140002 _____ C:\Windows\system32\perfc01F.dat
2017-01-19 18:52 - 2014-04-13 08:32 - 03259844 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-19 18:52 - 2009-07-14 11:37 - 00000000 ____D C:\Windows\inf
2017-01-19 18:50 - 2015-09-26 20:20 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2017-01-19 18:49 - 2014-04-13 08:27 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\VirtualStore
2017-01-19 18:46 - 2014-06-17 00:38 - 00000000 ____D C:\ProgramData\MFAData
2017-01-19 17:47 - 2014-10-13 09:28 - 00000000 ____D C:\Program Files\Speccy
2017-01-16 16:39 - 2014-06-17 19:15 - 00000000 ____D C:\Program Files\Steam
2017-01-14 09:40 - 2014-11-21 23:09 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\A1AUDIO.de
2017-01-14 09:40 - 2014-06-17 19:57 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\Bitwig Studio
2017-01-14 09:34 - 2016-12-13 10:36 - 00000016 _____ C:\Users\Jame K Shonin\AppData\Roaming\msregsvv.dll
2017-01-14 09:34 - 2016-12-13 10:36 - 00000016 _____ C:\ProgramData\autobk.inc
2017-01-13 09:11 - 2009-07-14 11:37 - 00000000 ____D C:\Windows\rescache
2017-01-13 04:09 - 2014-06-17 08:15 - 00000000 ____D C:\Windows\system32\MRT
2017-01-13 03:23 - 2014-06-17 08:15 - 133456224 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-01-12 16:41 - 2014-06-17 17:22 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2017-01-12 16:41 - 2014-06-17 17:22 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2017-01-12 16:41 - 2014-06-17 17:22 - 00000000 ____D C:\Windows\system32\Macromed
2017-01-12 04:01 - 2014-06-17 18:03 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\ElevatedDiagnostics
2017-01-11 17:41 - 2015-05-27 19:13 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Local\Avg
2017-01-11 16:21 - 2009-07-14 11:04 - 00450771 ____R C:\Windows\system32\Drivers\etc\hosts.20170119-180352.backup
2017-01-11 15:42 - 2014-06-17 00:33 - 00109280 _____ C:\Users\Jame K Shonin\AppData\Local\GDIPFONTCACHEV1.DAT
2017-01-11 15:01 - 2009-07-14 13:53 - 00032596 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-01-11 14:29 - 2014-12-22 03:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oxe FM Synth
2017-01-11 13:30 - 2009-07-14 13:33 - 00408064 _____ C:\Windows\system32\FNTCACHE.DAT
2017-01-09 03:58 - 2014-06-17 18:16 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2017-01-09 03:51 - 2016-12-01 21:03 - 00022360 _____ C:\Windows\system32\Drivers\iLokDrvr.sys
2016-12-31 03:25 - 2014-07-01 17:04 - 00000000 ____D C:\Users\Jame K Shonin\Desktop\DAW Samples
2016-12-29 11:18 - 2015-10-10 11:50 - 00000000 ____D C:\Users\Jame K Shonin\Documents\Resume
2016-12-27 07:46 - 2009-07-14 11:37 - 00000000 ____D C:\Windows\AppCompat
2016-12-27 06:20 - 2009-07-14 11:04 - 00450771 ____R C:\Windows\system32\Drivers\etc\hosts.20170111-162128.backup
2016-12-26 17:13 - 2014-04-13 08:27 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming
2016-12-26 15:37 - 2014-06-17 19:21 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2016-12-26 02:39 - 2009-07-14 11:37 - 00000000 __RSD C:\Windows\assembly
2016-12-25 15:20 - 2014-06-17 19:15 - 00000000 ____D C:\Program Files\Common Files\Steam
2016-12-24 13:53 - 2014-09-27 20:36 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\uTorrent
2016-12-24 13:41 - 2016-12-18 13:44 - 00000000 ____D C:\Program Files\VST
2016-12-24 13:41 - 2014-10-17 18:02 - 00000000 ____D C:\Program Files\VSTPlugins
2016-12-24 13:40 - 2016-12-18 13:49 - 00000000 ____D C:\Users\Jame K Shonin\AppData\Roaming\SIR
2016-12-24 13:40 - 2016-12-18 13:49 - 00000000 ____D C:\ProgramData\SIR
2016-12-24 13:30 - 2009-07-14 11:37 - 00000000 ___RD C:\Users\Public\Documents
2016-12-24 03:06 - 2014-11-21 20:36 - 00000000 ____D C:\Program Files\Common Files\VST3
2016-12-23 15:03 - 2016-12-18 15:15 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-12-23 15:03 - 2014-06-17 00:38 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2016-12-13 10:36 - 2017-01-14 09:34 - 0000016 _____ () C:\Users\Jame K Shonin\AppData\Roaming\msregsvv.dll
2016-06-05 13:53 - 2016-06-05 13:53 - 0000000 ____H () C:\Users\Jame K Shonin\AppData\Local\BIT5C54.tmp
2016-06-05 13:49 - 2016-06-05 13:49 - 0000000 ____H () C:\Users\Jame K Shonin\AppData\Local\BIT77A1.tmp
2016-09-17 17:10 - 2016-09-25 15:39 - 0007592 _____ () C:\Users\Jame K Shonin\AppData\Local\Resmon.ResmonCfg
2016-05-22 21:48 - 2016-05-22 21:48 - 0000000 _____ () C:\Users\Jame K Shonin\AppData\Local\{EB00AA00-5117-4DD0-826A-792D5BD1CCD5}
2015-12-28 11:29 - 2015-12-28 11:29 - 0000057 _____ () C:\ProgramData\Ament.ini
2016-12-13 10:36 - 2017-01-14 09:34 - 0000016 _____ () C:\ProgramData\autobk.inc

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-01-13 09:03

==================== End of FRST.txt ============================

______

And here is the FSS scan log:

Farbar Service Scanner Version: 27-01-2016
Ran by Jame K Shonin (administrator) on 23-01-2017 at 00:07:54
Running from "C:\Users\Jame K Shonin\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
Unable to retrieve ServiceDll of wscsvc. The value does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed


**** End of log ****


Fingers are still crossed!


Edited by Rhapzodic, 22 January 2017 - 10:09 AM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:43 AM

Posted 22 January 2017 - 11:53 AM

Microsoft Security Essentials will always disable it when active.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1



Download to your Desktop the wscsvc.reg from this page.
http://download.bleepingcomputer.com/win-services/7/

Run the file as an Administrator.

Restart the computer normally.

Can you now restore the Firewall?
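
The FSS section in the log above checks, for each service, whether it is running and whether its start type, ImagePath and ServiceDll match the defaults, and wscsvc fails the ServiceDll check. As an added example (not from the thread, and not code from FSS or FRST), this read-only PowerShell re-runs those checks for MpsSvc, wscsvc and WinDefend and the Defender policy so the reg fix can be verified after the restart; the expected values are assumptions for Windows 7 SP1 x86.

```powershell
# Added example, not part of the thread or of FSS/FRST. Re-creates the checks the
# FSS log reports for MpsSvc, wscsvc and WinDefend plus the Windows Defender
# policy check. Expected values are ASSUMED Windows 7 SP1 defaults. Read-only:
# it only reports and never writes to the registry. Run from an elevated prompt.

$StartTypeName = @{ 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

# Assumed defaults: Start value, the svchost group named in ImagePath, and the
# file the Parameters\ServiceDll value should end with.
$Expected = @{
    'MpsSvc'    = @{ Start = 2; Group = 'LocalServiceNoNetwork';         Dll = 'mpssvc.dll' }
    'wscsvc'    = @{ Start = 2; Group = 'LocalServiceNetworkRestricted'; Dll = 'wscsvc.dll' }
    'WinDefend' = @{ Start = 2; Group = 'secsvcs';                       Dll = 'Windows Defender\mpsvc.dll' }
}

function Test-ServiceConfig {
    param([string]$Name, [hashtable]$Exp)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $findings = @()

    if (-not (Test-Path $key)) {
        return @("${Name}: service registry key is missing")
    }
    $cfg = Get-ItemProperty -Path $key

    # Running state, as the Service Control Manager sees it
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings += "${Name}: service is not running"
    }

    # Start type: 2 = Auto, 3 = Demand, 4 = Disabled
    if ($cfg.Start -ne $Exp.Start) {
        $actual = $StartTypeName[[int]$cfg.Start]
        if (-not $actual) { $actual = "$($cfg.Start)" }
        $findings += "${Name}: start type is $actual; default is $($StartTypeName[$Exp.Start])"
    }

    # ImagePath must be svchost.exe running the expected service group
    if ($cfg.ImagePath -notlike "*svchost.exe -k $($Exp.Group)*") {
        $findings += "${Name}: ImagePath is '$($cfg.ImagePath)'"
    }

    # ServiceDll lives under the Parameters subkey; this is the value FSS
    # reported missing for wscsvc and the one the wscsvc.reg fix is meant to restore.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -Name ServiceDll `
                             -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) {
        $findings += "${Name}: ServiceDll value does not exist"
    } elseif ($dll -notlike "*$($Exp.Dll)") {
        $findings += "${Name}: ServiceDll points to '$dll'"
    } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
        $findings += "${Name}: ServiceDll file '$dll' is not on disk"
    }
    return $findings
}

function Test-DefenderPolicy {
    # FSS prints this key when DisableAntiSpyware is set. Microsoft Security
    # Essentials sets it on purpose, so it is only worth a finding when MSE
    # is not installed (path of MsMpEng.exe taken from the FRST log above).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' `
                            -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) {
        $mse = Join-Path $env:ProgramFiles 'Microsoft Security Client\MsMpEng.exe'
        if (-not (Test-Path $mse)) {
            return @('Windows Defender policy DisableAntiSpyware=1 with no Microsoft Security Essentials installed')
        }
    }
    return @()
}

# Wrapping each call in @() keeps "no findings" from being appended as $null.
$all = @()
foreach ($name in 'MpsSvc', 'wscsvc', 'WinDefend') {
    $all += @(Test-ServiceConfig -Name $name -Exp $Expected[$name])
}
$all += @(Test-DefenderPolicy)
if ($all.Count -eq 0) {
    'MpsSvc, wscsvc and WinDefend are running with their default configuration.'
} else {
    $all | ForEach-Object { "FINDING: $_" }
}
```

On the machine in this thread the script would report "wscsvc: ServiceDll value does not exist" before the reg fix and nothing for wscsvc once the value is back and the service is running.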

#11 Rhapzodic

Rhapzodic
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:43 PM

Posted 22 January 2017 - 04:55 PM

Unfortunately the reg fix was a no-go (and I thought that would fix it too).


I tried just in case to start Windows Firewall via "Services" and also a no-go by giving me the "Cannot be started on Local computer...see help for error 5..." message, however base filtering engine is now currently working.

Confirmed with Windows Action Center that Defender, Security Essentials, and Spybot were all disabled.  Also, thanks for the fair warning about Defender being turned off by Essentials (since Essentials is a later version of Defender).

Feel kinda naked with no antivirus and no firewall operating, but gotta live on the edge sometimes I guess haha.

Will await further instructions before tinkering with anything else.


Edited by Rhapzodic, 22 January 2017 - 04:57 PM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:43 AM

Posted 23 January 2017 - 08:22 AM

Repair these services.

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, and skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore, do a Registry backup. When you have completed this, click Next.
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button, then select just the item(s) listed below

  • 01 - Repair Registry Permissions
  • 03 - Reset Service permissions
  • 04 - Register System Files
  • 05 - Repair WMI
  • 06 - Repair Windows Firewall
  • 10 - Remove Policies Set By Infections
  • 17 - Repair Windows Updates
  • 21 - Repair MSI (Windows Installer)
  • 26 - Restore Important Windows Services
  • 27 - Set Windows Service to Default Startup

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.

===

Restart the computer normally.

How is the computer running now?

=======================



#13 Rhapzodic

Rhapzodic
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:43 PM

Posted 23 January 2017 - 01:21 PM

Yes!  Looks like we are almost in the clear!


Restarted computer after following all steps and the firewall is now back on and working!


Now, just a couple more questions and then I think I'll be good to go:


1) I am still getting the Solve PC Issue notification saying that my Windows Security Center Service is still not on, despite AVG being uninstalled and the firewall back on and working.  Any suggestions on what to do about that?

2) Does it look like this was user error or a result of malware?  Do Spybot, MSE, and MalwareBytes cover my bases, or do you recommend the addition and/or subtraction of any other programs?

Also attached are the logs by the Tweaking program (wasn't sure which one specifically you needed/wanted so posted all).

Always appreciative of the help received and hope you had a good weekend!




#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:43 AM

Posted 23 January 2017 - 02:03 PM

Does it look like this was user-error or a result of malware?

I did not see any malicious malware in your first logs.

I suspect that a bad AVG or a Windows update that was not done correctly was the cause.
I never installed Spybot. I only had one security/virus protection: Norton.
I now have the paid version of their 360 product, which includes a firewall, and I am very satisfied with it.
Your call if you want to keep Spybot with AVG and Malwarebytes.


I am still getting the Solve PC Issue notification saying that my Windows Security Center Service is still not on, despite AVG being uninstalled


AVG does not give up so easily.

Re-install the same version you removed.

Make sure all windows and programs are closed when installing it.
Just use one browser to download and install it.

Keep me posted.
===

#15 Rhapzodic

Rhapzodic
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:43 PM

Posted 23 January 2017 - 04:21 PM

Thanks for the transparency with the Norton recommendation.


I'm okay not having AVG back on my computer since it has been a nightmare to get rid of.  I'll try out Microsoft Security Essentials as antivirus and at least keep MalwareBytes around and keep Norton in the back of my mind in case other things go wrong.


And as long as my antivirus and firewall are up, should I just ignore the Windows Security Center service being off?





