Trying to identify a bug. Can't download Farbar/others from BC
#1 iwidhtp
Posted 16 August 2017 - 01:33 PM

The PC with the problem is running Windows Vista Business, Service Pack 2, 32-bit. I have AVG Free for antivirus. About a week ago, I started getting an AVG warning about a 'suspicious file' that was possibly a rootkit. It was recommended that I quarantine the file, which I did, and then AVG recommended a 'boot scan', which I did, but it didn't find anything. Since the original warning, the PC has progressively gotten worse. Simple files are slow to open. Opening Firefox can take a minute or two, and sometimes a reboot is required to get online. Once online, some websites either won't open or are very slow to open. I've tried to download some troubleshooting software on this PC, and the backward grey circle just keeps spinning, and if it ever turns blue and spins forward, it still at times won't load the page or software. I tried to download AdwCleaner, Farbar Recovery and other software from BleepingComputer, to no avail. I have also found a file in the registry, swcustcfg, that I can't edit or delete. I worked on this file because I had seen in one of the many scans I've done something about 'SVC: swcustcfg ->->?' being an issue; sorry, I can't remember where I saw that. I'm working from a different PC now and hoping you can help me figure this out. Much thanks in advance, Roy


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-08-2017
Ran by Freda(Administrator) (administrator) on VISTA (16-08-2017 13:00:15)
Running from K:\Rootkit
Loaded Profiles: Freda(Administrator) (Available Profiles: Freda(Administrator))
Platform: Microsoft® Windows Vista™ Business  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\AVGSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avguix.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\avgui.exe
(Microsoft Corporation) C:\Windows\System32\Locator.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\aswidsagent.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(AT&T) C:\Program Files\AT&T\AT&T AllAccess\AllAccess.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\setup\instup.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvgUi] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [220288 2017-08-01] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files\AVG\Antivirus\AvLaunch.exe [263232 2017-08-07] (AVG Technologies CZ, s.r.o.)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\...\Run: [AllAccess.exe] => C:\Program Files\AT&T\AT&T AllAccess\AllAccess.exe [164776 2017-03-23] (AT&T)
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [704512 2009-04-10] (Microsoft Corporation)
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicyScripts: Restriction <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 172.26.38.1
Tcpip\..\Interfaces\{0EFDC1E9-BA90-4252-AAFB-A44381C7C1DE}: [DhcpNameServer] 172.26.38.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
SearchScopes: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000 -> {21296433-6054-4DC0-89DA-CF35E37A6220} URL = hxxps://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
SearchScopes: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={372817BF-555B-4B9D-BEF4-AAE22BF9CE1F}&mid=411771a0f63647d2bb19d168ddcd6fdd-7cbc942cfa16d24f84c1335462c4c7536c43c45c&lang=en&ds=AVG&coid=avgtbavg&cmpid=0616avz&pr=fr&d=2016-06-08 15:15:54&v=4.3.1.831&pid=wtu&sg=&sap=dsp&q={searchTerms}
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455}

FireFox:
========
FF ProfilePath: C:\Users\Freda\AppData\Roaming\Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883 [2017-08-16]
FF NewTab: Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883 -> about:newtab
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883 -> Search Provided by Yahoo
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883 -> Search Provided by Yahoo
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883 -> Search Provided by Yahoo
FF Homepage: Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883 -> hxxps://www.yahoo.com/
FF Extension: (Form History Control) - C:\Users\Freda\AppData\Roaming\Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883\Extensions\formhistory@yahoo.com [2016-12-13]
FF Extension: (Flashblock) - C:\Users\Freda\AppData\Roaming\Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2016-01-28]
FF Extension: (Video DownloadHelper) - C:\Users\Freda\AppData\Roaming\Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2017-05-09]
FF Extension: (Adblock Plus) - C:\Users\Freda\AppData\Roaming\Mozilla\Firefox\Profiles\bawc4y16.default-1454018544883\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-06-21]
FF ProfilePath: C:\Users\Freda\AppData\Roaming\KompoZer\Profiles\a9mczkb2.default [2017-02-02]
FF Extension: (Site Deployment Checker) - C:\Program Files\Mozilla Firefox\browser\features\deployment-checker@mozilla.org.xpi [2017-04-13] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-04-11] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_26_0_0_137.dll [2017-07-12] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1220162.dll [2015-08-31] (Adobe Systems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-04] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2742556778-2244366580-3918831902-1000: www.exent.com/GameTreatWidget -> C:\Program Files\Free Ride Games\npGameTreatWidget.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AdminHelper.exe; C:\Program Files\AT&T\AT&T AllAccess\AdminHelper.exe [62376 2017-03-23] ()
S4 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [272384 2017-08-14] (Adobe Systems Incorporated) [File not signed]
R2 AVG Antivirus; C:\Program Files\AVG\Antivirus\AVGSvc.exe [264432 2017-08-07] (AVG Technologies CZ, s.r.o.)
R3 avgbIDSAgent; C:\Program Files\AVG\Antivirus\aswidsagent.exe [5866488 2017-08-07] (AVG Technologies CZ, s.r.o.)
S4 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [1189720 2017-08-01] (AVG Technologies CZ, s.r.o.)
S4 Freemake Improver; C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [107008 2016-10-21] (Freemake) [File not signed]
S4 IDriverT; C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S4 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [155080 2017-07-18] (Malwarebytes Corporation)
S4 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S4 RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [880640 2006-11-05] (Sonic Solutions) [File not signed]
S4 RoxWatch9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [159744 2006-11-05] (Sonic Solutions) [File not signed]
S4 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [73728 2006-09-14] (MicroVision Development, Inc.) [File not signed]
S4 SwiCardDetectSvc; C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe [248288 2012-12-17] (Sierra Wireless, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 61883; C:\Windows\System32\DRIVERS\61883.sys [45696 2008-01-20] (Microsoft Corporation)
R1 avgbdisk; C:\Windows\system32\drivers\avgbdiskx.sys [135872 2017-08-07] (AVG Technologies CZ, s.r.o.)
R1 avgbidsdriver; C:\Windows\system32\drivers\avgbidsdriverx.sys [260616 2017-08-07] (AVG Technologies CZ, s.r.o.)
R0 avgbidsh; C:\Windows\system32\drivers\avgbidshx.sys [151024 2017-08-07] (AVG Technologies CZ, s.r.o.)
R0 avgblog; C:\Windows\system32\drivers\avgblogx.sys [270344 2017-08-07] (AVG Technologies CZ, s.r.o.)
R0 avgbuniv; C:\Windows\system32\drivers\avgbunivx.sys [43992 2017-08-07] (AVG Technologies CZ, s.r.o.)
S3 avgHwid; C:\Windows\system32\drivers\avgHwid.sys [35264 2017-08-07] (AVG Technologies CZ, s.r.o.)
R2 avgMonFlt; C:\Windows\system32\drivers\avgMonFlt.sys [116344 2017-08-12] (AVG Technologies CZ, s.r.o.)
R1 avgRdr; C:\Windows\system32\drivers\avgRdr.sys [62528 2017-08-07] (AVG Technologies CZ, s.r.o.)
R0 avgRvrt; C:\Windows\system32\drivers\avgRvrt.sys [63280 2017-08-07] (AVG Technologies CZ, s.r.o.)
R1 avgSnx; C:\Windows\system32\drivers\avgSnx.sys [766728 2017-08-12] (AVG Technologies CZ, s.r.o.)
R1 avgSP; C:\Windows\system32\drivers\avgSP.sys [489416 2017-08-07] (AVG Technologies CZ, s.r.o.)
R3 avgStmXP; C:\Windows\system32\drivers\avgStmXP.sys [195128 2017-08-07] (AVG Technologies CZ, s.r.o.)
R0 avgVmm; C:\Windows\system32\drivers\avgVmm.sys [288728 2017-08-07] (AVG Technologies CZ, s.r.o.)
S3 BTWAMPFL; C:\Windows\System32\DRIVERS\btwampfl.sys [301608 2016-11-14] (Broadcom Corporation.)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [59896 2017-07-18] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
R0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [36528 2006-07-24] (Sonic Solutions) [File not signed]
S3 swg3kser00; C:\Windows\System32\DRIVERS\swg3kser00.sys [226480 2014-03-18] (Sierra Wireless Incorporated)
S3 swiwdmbx; C:\Windows\System32\DRIVERS\swiwdmbx.sys [89080 2014-03-18] (Sierra Wireless Inc.)
R3 swiwdmbxum; C:\Windows\System32\DRIVERS\swiwdmbxum.sys [89080 2014-03-18] (Sierra Wireless Inc.)
S3 SWNC8UA3; C:\Windows\System32\DRIVERS\swnc8ua3.sys [211712 2014-03-18] (Sierra Wireless Inc.)
R3 swUMnet00; C:\Windows\System32\DRIVERS\swUMnet00.sys [320816 2014-03-18] (Sierra Wireless Incorporated)
R3 swUMser00; C:\Windows\System32\DRIVERS\swUMser00.sys [226480 2014-03-18] (Sierra Wireless Incorporated)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-16 12:57 - 2017-08-16 13:00 - 000000000 ____D C:\FRST
2017-08-16 12:26 - 2017-08-16 12:33 - 000000000 ____D C:\Users\Freda\Desktop\RootkitFinder
2017-08-15 16:25 - 2017-08-15 16:25 - 000000000 ____D C:\Users\Freda\Downloads\Autoruns
2017-08-15 13:33 - 2017-08-15 13:33 - 000000000 ____D C:\NPE
2017-08-15 13:32 - 2017-08-16 12:58 - 001103132 _____ C:\Windows\ntbtlog.txt
2017-08-15 13:30 - 2017-08-15 14:04 - 000000000 ____D C:\Users\Freda\AppData\Local\NPE
2017-08-15 13:30 - 2017-08-15 13:30 - 003422432 _____ (Symantec Corporation) C:\Users\Freda\Downloads\NPE.exe
2017-08-15 13:21 - 2017-08-12 11:44 - 000784152 _____ (McAfee, Inc.) C:\Users\Freda\Downloads\rootkitremover.exe
2017-08-14 10:44 - 2017-08-14 11:06 - 000000000 ____D C:\Users\Freda\Desktop\mbar
2017-08-14 10:23 - 2017-08-14 10:30 - 000000000 ____D C:\Program Files\Moon Valley Software
2017-08-14 10:22 - 2017-08-14 10:22 - 000000000 ____D C:\Users\Freda\Downloads\securitycheck
2017-08-14 10:20 - 2017-08-14 10:20 - 000332235 _____ C:\Users\Freda\Downloads\securitycheck.zip
2017-08-13 19:13 - 2017-08-13 19:13 - 000589526 _____ C:\Users\Freda\AppData\Local\census.cache
2017-08-13 19:08 - 2017-08-13 19:08 - 000261129 _____ C:\Users\Freda\AppData\Local\ars.cache
2017-08-13 18:48 - 2017-08-13 18:48 - 000000010 _____ C:\Users\Freda\AppData\Local\sponge.last.runtime.cache
2017-08-13 18:37 - 2017-08-13 18:37 - 000000000 ____D C:\Windows\Trend Micro
2017-08-13 18:37 - 2017-08-13 18:37 - 000000000 ____D C:\Users\Freda\AppData\Local\Trend Micro
2017-08-13 18:32 - 2017-08-13 18:32 - 000000036 _____ C:\Users\Freda\AppData\Local\housecall.guid.cache
2017-08-13 18:32 - 2016-08-22 14:20 - 000323808 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2017-08-13 18:31 - 2017-08-13 18:31 - 002105760 _____ (Trend Micro Inc.) C:\Users\Freda\Downloads\HousecallLauncher.exe
2017-08-13 18:05 - 2017-08-13 18:20 - 000000000 ____D C:\Users\Freda\Doctor Web
2017-08-13 17:58 - 2017-08-13 18:04 - 156576352 _____ C:\Users\Freda\Downloads\Dr. Web.exe
2017-08-13 13:18 - 2017-08-13 13:18 - 000012934 _____ C:\ComboFix.txt
2017-08-13 12:21 - 2017-08-13 13:18 - 000000000 ____D C:\Qoobox
2017-08-13 12:21 - 2011-06-26 01:45 - 000256000 _____ C:\Windows\PEV.exe
2017-08-13 12:21 - 2010-11-07 12:20 - 000208896 _____ C:\Windows\MBR.exe
2017-08-13 12:21 - 2009-04-19 23:56 - 000060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2017-08-13 12:21 - 2000-08-30 19:00 - 000518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2017-08-13 12:21 - 2000-08-30 19:00 - 000406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2017-08-13 12:21 - 2000-08-30 19:00 - 000098816 _____ C:\Windows\sed.exe
2017-08-13 12:21 - 2000-08-30 19:00 - 000080412 _____ C:\Windows\grep.exe
2017-08-13 12:21 - 2000-08-30 19:00 - 000068096 _____ C:\Windows\zip.exe
2017-08-13 12:20 - 2017-08-13 13:17 - 000000000 ____D C:\Windows\erdnt
2017-08-13 12:13 - 2017-08-13 12:14 - 000190336 _____ C:\TDSSKiller.3.1.0.15_13.08.2017_12.13.18_log.txt
2017-08-13 11:40 - 2017-08-13 11:40 - 000000000 ____D C:\$AV_AVG
2017-08-13 10:50 - 2017-08-07 16:34 - 000304400 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2017-08-12 11:14 - 2017-08-13 12:04 - 000002590 _____ C:\Users\Freda\Desktop\Rkill.txt
2017-08-07 16:35 - 2017-08-07 16:35 - 000000000 ____D C:\Users\Freda\AppData\Roaming\AVG
2017-08-07 16:34 - 2017-08-12 11:07 - 000766728 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSnx.sys
2017-08-07 16:34 - 2017-08-12 11:07 - 000116344 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgMonFlt.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000489416 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSP.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000288728 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgVmm.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000270344 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgblogx.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000260616 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsdriverx.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000195128 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgStmXP.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000151024 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidshx.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000135872 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbdiskx.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000063280 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRvrt.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000062528 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRdr.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000043992 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbunivx.sys
2017-08-07 16:34 - 2017-08-07 16:34 - 000035264 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgHwid.sys
2017-08-07 16:32 - 2017-08-13 10:49 - 000000747 _____ C:\Users\Public\Desktop\AVG.lnk
2017-08-07 16:28 - 2017-08-13 10:49 - 000000000 ____D C:\Users\Freda\AppData\Local\AvgSetupLog
2017-08-07 16:27 - 2017-08-07 16:27 - 003627104 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Freda\Downloads\Antivirus_Free_1817.exe
2017-08-07 16:07 - 2017-08-07 16:17 - 000000000 ____D C:\AVG_Remover
2017-08-07 15:42 - 2017-08-07 15:43 - 000000000 ____D C:\AVG REPAIR
2017-07-29 14:40 - 2017-07-29 14:40 - 000000000 ____D C:\Users\Freda\AppData\Roaming\FreeStone Group
2017-07-29 14:40 - 2017-07-29 14:40 - 000000000 ____D C:\Program Files\Video Card Stability Test
2017-07-21 16:06 - 2017-07-21 16:07 - 000000000 _____ C:\Windows\system32\last.dump
2017-07-21 15:33 - 2017-07-21 15:33 - 003449304 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Freda\Downloads\AVG_Protection_Free_1606.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-16 13:00 - 2015-08-31 14:53 - 000000000 ____D C:\Users\Freda\AppData\Local\AllAccess
2017-08-16 12:56 - 2016-11-15 15:28 - 000000000 ____D C:\Users\Freda\AppData\LocalLow\Mozilla
2017-08-16 11:43 - 2006-11-02 08:01 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-16 11:43 - 2006-11-02 07:47 - 000005264 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2017-08-16 11:43 - 2006-11-02 07:47 - 000005264 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2017-08-15 18:18 - 2014-04-08 12:30 - 000000012 _____ C:\Windows\bthservsdp.dat
2017-08-15 18:18 - 2006-11-02 08:01 - 000032602 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-08-15 16:45 - 2014-06-07 12:15 - 000000000 ____D C:\Windows\pss
2017-08-15 15:14 - 2006-11-02 07:47 - 000407016 _____ C:\Windows\system32\FNTCACHE.DAT
2017-08-15 14:07 - 2016-11-15 14:12 - 000000000 ____D C:\Program Files\Mozilla Firefox
2017-08-15 14:07 - 2014-12-20 13:46 - 000000000 ____D C:\Program Files\FreeGamePick.com
2017-08-15 12:15 - 2009-04-21 17:13 - 000000000 ____D C:\Dltemp
2017-08-14 11:13 - 2014-04-09 16:27 - 000170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-08-14 10:47 - 2006-11-02 06:18 - 000000000 ____D C:\Windows\inf
2017-08-14 10:47 - 2006-11-02 05:33 - 000792536 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-14 10:45 - 2014-04-09 16:26 - 000094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-08-14 10:37 - 2014-06-10 11:40 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2017-08-14 10:37 - 2014-06-10 11:40 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2017-08-14 10:37 - 2014-04-09 19:29 - 000000000 ____D C:\Windows\system32\Macromed
2017-08-13 19:15 - 2014-04-08 11:01 - 000000000 ____D C:\Users\Freda
2017-08-13 13:18 - 2014-06-05 18:14 - 000000000 ____D C:\Users\Freda\AppData\Local\Apps\2.0
2017-08-13 13:15 - 2006-11-02 05:23 - 000000215 _____ C:\Windows\system.ini
2017-08-12 13:51 - 2015-06-18 14:57 - 000000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2017-08-12 13:02 - 2013-04-18 21:21 - 000000000 ____D C:\Program Files\Google
2017-08-12 11:06 - 2006-11-02 06:18 - 000000000 ___SD C:\Windows\Downloaded Program Files
2017-08-07 16:32 - 2014-04-09 16:18 - 000000000 ____D C:\Program Files\AVG
2017-07-29 15:06 - 2014-05-31 10:10 - 000002565 _____ C:\Users\Freda\Desktop\Paint Shop Pro 7.lnk
2017-07-29 14:08 - 2006-11-02 07:47 - 000067584 _____ C:\Windows\system32\umstartup.etl
2017-07-21 15:44 - 2014-05-11 10:44 - 000000000 ____D C:\Users\Freda\AppData\Local\AVG
2017-07-21 15:34 - 2014-04-08 11:01 - 000131864 _____ C:\Users\Freda\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-18 13:38 - 2015-09-15 18:02 - 000000000 ____D C:\Users\Freda\AppData\Roaming\vlc

==================== Files in the root of some directories =======

2015-05-06 12:35 - 2015-05-06 12:35 - 000037607 _____ () C:\Program Files\Common Files\license.rtf
2015-05-06 12:35 - 2015-05-06 12:35 - 000008046 _____ () C:\Program Files\Common Files\setupBanner.jpg
2017-08-13 19:08 - 2017-08-13 19:08 - 000261129 _____ () C:\Users\Freda\AppData\Local\ars.cache
2017-08-13 19:13 - 2017-08-13 19:13 - 000589526 _____ () C:\Users\Freda\AppData\Local\census.cache
2014-04-08 11:01 - 2014-04-08 13:26 - 000000680 _____ () C:\Users\Freda\AppData\Local\d3d9caps.dat
2014-04-09 09:09 - 2017-04-10 14:56 - 000115200 _____ () C:\Users\Freda\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-08-13 18:32 - 2017-08-13 18:32 - 000000036 _____ () C:\Users\Freda\AppData\Local\housecall.guid.cache
2017-06-30 20:26 - 2017-06-30 20:26 - 000001290 _____ () C:\Users\Freda\AppData\Local\recently-used.xbel
2017-08-13 18:48 - 2017-08-13 18:48 - 000000010 _____ () C:\Users\Freda\AppData\Local\sponge.last.runtime.cache

Some files in TEMP:
====================
2017-08-13 13:15 - 2017-08-13 13:15 - 000053248 _____ () C:\Users\Freda\AppData\Local\Temp\catchme.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-08-16 11:50

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-08-2017
Ran by Freda(Administrator) (16-08-2017 13:01:11)
Running from K:\Rootkit
Microsoft® Windows Vista™ Business  Service Pack 2 (X86) (2014-04-08 17:31:49)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2742556778-2244366580-3918831902-500 - Administrator - Disabled)
Freda(Administrator) (S-1-5-21-2742556778-2244366580-3918831902-1000 - Administrator - Enabled) => C:\Users\Freda
Guest (S-1-5-21-2742556778-2244366580-3918831902-501 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG Antivirus (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG Antivirus (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 bit Windows Card Reader Driver (HKLM\...\{CE6DEE87-1C87-42ED-A108-7369BFE9076F}) (Version: 1.1.0.0 - TEAC)
ACDSee 32 (HKLM\...\ACDSee 32) (Version:  - )
Adobe Flash Player 26 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 26.0.0.151 - Adobe Systems Incorporated)
Adobe Flash Player 26 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 26.0.0.137 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.2 (HKLM\...\Adobe Shockwave Player) (Version: 12.2.0.162 - Adobe Systems, Inc.)
Anvil Studio 2015 (HKLM\...\{7FA3A47B-6D6A-4BD5-9D59-F03669645252}) (Version: 15.05.01 - Willow Software)
Any Video Converter 5.7.3 (HKLM\...\Any Video Converter_is1) (Version:  - Any-Video-Converter.com)
Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AT&T AllAccess (HKLM\...\{8E5CFC53-E54C-4F28-BBC5-7C2A1E334F56}) (Version: 10.3.16.2 - AT&T)
ATI Catalyst Install Manager (HKLM\...\{D8A081EB-19BB-CA58-A86E-AEF0D1E0B243}) (Version: 3.0.710.0 - ATI Technologies, Inc.)
AVG (HKLM\...\{AAA44C6A-BB6F-46CA-918F-C88F02C8E301}) (Version: 1.201.2 - AVG Technologies) Hidden
AVG AntiVirus FREE (HKLM\...\AVG Antivirus) (Version: 17.5.3022 - AVG Technologies)
BitMeter (HKLM\...\BitMeter) (Version:  - )
Canon MP Navigator EX 1.0 (HKLM\...\MP Navigator EX 1.0) (Version:  - )
Canon MP610 series (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP610_series) (Version:  - )
Canon MP610 series User Registration (HKLM\...\Canon MP610 series User Registration) (Version:  - )
Canon My Printer (HKLM\...\CanonMyPrinter) (Version:  - )
Canon Utilities Easy-PhotoPrint EX (HKLM\...\Easy-PhotoPrint EX) (Version:  - )
Canon Utilities Solution Menu (HKLM\...\CanonSolutionMenu) (Version:  - )
ccc-core-static (HKLM\...\{A5A3D3E5-D31B-94AB-AD40-0C4A6B46F896}) (Version: 2009.0127.2137.38780 - ATI) Hidden
Dell Resource CD (HKLM\...\{42929F0F-CE14-47AF-9FC7-FF297A603021}) (Version: 1.00.0000 - Dell Inc.)
Dell System Detect (HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\...\9204f5692a8faf3b) (Version: 5.8.0.16 - Dell)
Eye Candy 4000 (HKLM\...\Eye Candy 4000) (Version:  - )
FMW 1 (HKLM\...\{9530731D-DCB3-4702-8295-7BABE1703877}) (Version: 1.222.1 - AVG Technologies) Hidden
Freemake Video Converter version 4.1.9 (HKLM\...\Freemake Video Converter_is1) (Version: 4.1.9 - Ellora Assets Corporation)
GIMP 2.8.10 (HKLM\...\GIMP-2_is1) (Version: 2.8.10 - The GIMP Team)
Google Earth (HKLM\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
Homespun Collection (HKLM\...\{62201736-0A1F-4C6F-9C59-1AA3360CEA50}) (Version:  - )
Inkscape 0.91 (HKLM\...\{81922150-317E-4BB0-A31D-FF1C14F707C5}) (Version: 0.91 - inkscape.org)
Inkscape Multiple Pages Support (HKLM\...\inkscape-pages) (Version:  - )
Intel® PRO Network Connections 12.1.11.0 (HKLM\...\PROSetDX) (Version:  - Intel)
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
Macromedia Dreamweaver 4 (HKLM\...\{ABDA9912-5D00-11D4-BAE7-9367CA097955}) (Version: 4.0 - Macromedia)
Macromedia Extension Manager (HKLM\...\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}) (Version: 1.2 - Macromedia)
Malwarebytes Anti-Exploit version 1.10.1.24 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.10.1.24 - Malwarebytes)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Media Player Codec Pack 4.3.5 (HKLM\...\Media Player - Codec Pack) (Version: 4.3.5 - Media Player Codec Pack)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Expression Web 4 (HKLM\...\Web_4.0.1460.0) (Version: 4.0.1460.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 52.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 52.0.2 (x86 en-US)) (Version: 52.0.2 - Mozilla)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MyFonts Font Manager (HKLM\...\MyFonts Font Manager) (Version:  - )
MyFreeCodec (HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\...\MyFreeCodec) (Version:  - )
OpenOffice 4.1.1 (HKLM\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
Paint Shop Pro 7 (HKLM\...\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}) (Version: 7.0.2.0000 - Jasc Software Inc)
PC Inspector File Recovery (HKLM\...\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}) (Version: 4.0 - )
Pdfedit (HKLM\...\{6C11089A-E23F-4E9B-B12C-316BF1A4376B}) (Version: 4.5.0.0 - PdfEdit team)
Print Artist 2003 (HKLM\...\Print Artist 2003) (Version:  - )
Quake III Arena (HKLM\...\Quake III Arena) (Version:  - )
Revo Uninstaller 1.93 (HKLM\...\Revo Uninstaller) (Version: 1.93 - VS Revo Group)
Roxio Creator Audio (HKLM\...\{83FFCFC7-88C6-41c6-8752-958A45325C82}) (Version: 3.3.0 - Roxio)
Roxio Creator Copy (HKLM\...\{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}) (Version: 3.3.0 - Roxio)
Roxio Creator Data (HKLM\...\{0D397393-9B50-4c52-84D5-77E344289F87}) (Version: 3.3.0 - Roxio)
Roxio Creator DE (HKLM\...\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}) (Version: 3.3.0 - Roxio)
Roxio Creator Tools (HKLM\...\{0394CDC8-FABD-4ed8-B104-03393876DFDF}) (Version: 3.3.0 - Roxio)
Roxio Express Labeler (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 2.1.0 - Roxio)
Roxio MyDVD DE (HKLM\...\{D639085F-4B6E-4105-9F37-A0DBB023E2FB}) (Version: 9.0.116 - Roxio, Inc.)
Roxio Update Manager (HKLM\...\{30465B6C-B53F-49A1-9EBA-A3F187AD502E}) (Version: 3.0.0 - Roxio)
Samsung Kies (HKLM\...\{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.2.14014_7 - Samsung Electronics Co., Ltd.) Hidden
Samsung Kies (HKLM\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.2.14014_7 - Samsung Electronics Co., Ltd.)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.34.0 - SAMSUNG Electronics Co., Ltd.)
ScanSoft OmniPage SE 4 (HKLM\...\{B2F3DBD9-A9D2-4838-B45D-C917DAB32BC3}) (Version: 15.2.0020 - Nuance Communications, Inc.)
SierraAddressBook 3.0 (HKLM\...\{7CE979C6-E5FF-41C5-B6CC-4EE18071563B}) (Version:  - )
Skins (HKLM\...\{60082130-7177-B669-5232-A4D8983DAAAB}) (Version: 2009.0127.2137.38780 - ATI) Hidden
Sonic Activation Module (HKLM\...\{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}) (Version: 1.0 - Sonic Solutions) Hidden
swMSM (HKLM\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Video Card Stability Test (HKLM\...\Video Card Stability Test) (Version: v.1.0.0.3 - FreeStone Group)
Vista Shortcut Manager (HKLM\...\{47609E69-4C5E-48B1-A889-24C6B82B5C04}) (Version: 2.0 - Frameworkx)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WIDCOMM Bluetooth Software (HKLM\...\{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}) (Version: 6.3.0.7500 - Broadcom Corporation)
Windows Media Player Firefox Plugin (HKLM\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Word Viewer 2013 2013 (HKLM\...\Word Viewer 2013 2013) (Version:  - )
Xara3D6 (HKLM\...\{8344D4A2-FE9C-4275-AE51-0FD07CC9A5DB}) (Version: 1.00.0000 - Xara Group Ltd.)
Xilisoft Video Converter Ultimate (HKLM\...\Xilisoft Video Converter Ultimate) (Version: 5.1.24.0531 - Xilisoft)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{38911D8E-E448-11D0-84A3-00DD01104159}\InprocServer32 -> C:\Windows\system32\comct332.ocx (Microsoft Corporation )
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{38911D90-E448-11D0-84A3-00DD01104159}\InprocServer32 -> C:\Windows\system32\comct332.ocx (Microsoft Corporation )
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{38911D92-E448-11D0-84A3-00DD01104159}\InprocServer32 -> C:\Windows\system32\comct332.ocx (Microsoft Corporation )
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{586A6353-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{586A6355-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{586A6356-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{586A6357-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{586A6359-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
ContextMenuHandlers1: [AVG] -> {472083B1-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVG\Antivirus\ashShell.dll [2017-08-07] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll [2009-01-27] (Advanced Micro Devices, Inc.)
ContextMenuHandlers6: [AVG] -> {472083B1-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVG\Antivirus\ashShell.dll [2017-08-07] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers6: [IconLayout] -> {19F500E0-9964-11cf-B63D-08002B317C03} => C:\Windows\system32\Layout.dll [2014-06-07] (Microsoft)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {17F82F83-E575-408C-9555-C312A02FE842} - System32\Tasks\LaunchApp => C:\Program Files\MyPC Backup\MyPC Backup.exe <==== ATTENTION
Task: {228E0464-653F-4DD5-BDEB-7FB5619099DD} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2017-08-14] (Adobe Systems Incorporated)
Task: {42BD0375-6600-4262-8CEE-CD093AE5A170} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe
Task: {618AB68B-98DC-4865-98B3-114F711B84D0} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {61A5CB00-1090-41AF-BE35-0827C61C6910} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {79050FA1-8716-4A85-86B1-2D3CE630B17D} - System32\Tasks\Java Platform SE Auto Updater => C:\Program Files\Common Files\Java\Java Update\jusched.exe
Task: {821AEE75-9CC7-402B-97C3-A6F4BF063CF5} - System32\Tasks\Adobe Reader and Acrobat Manager => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-03] (Adobe Systems Incorporated)
Task: {954F986D-13A1-4D87-83D0-3D6DEB45B9F8} - System32\Tasks\{F85DD5AC-DCBB-423C-932D-1A5D426F17FB} => C:\Windows\system32\pcalua.exe -a "C:\Program Files\AVG\Setup\avgsetupx.exe" -c /mode=offline /uninstall=zen
Task: {C0CED522-400C-4A4C-9E9D-90C8C5976A3F} - System32\Tasks\Microsoft\Windows\WindowsCalendar\Reminders - Freda => C:\Windows.old.000\Program Files\Windows Calendar\WinCal.exe
Task: {FC540304-668C-4D34-B4CF-BE06162E778C} - System32\Tasks\Antivirus Emergency Update => C:\Program Files\AVG\Antivirus\AvEmUpdate.exe [2017-08-07] (AVG Technologies CZ, s.r.o.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-08-07 16:34 - 2017-08-07 16:34 - 000171344 _____ () C:\Program Files\AVG\Antivirus\JsonRpcServer.dll
2017-08-07 16:34 - 2017-08-07 16:34 - 000193784 _____ () C:\Program Files\AVG\Antivirus\event_routing_rpc.dll
2017-08-07 16:34 - 2017-08-07 16:34 - 000225376 _____ () C:\Program Files\AVG\Antivirus\tasks_core.dll
2017-08-15 12:15 - 2017-08-15 12:15 - 005891544 _____ () C:\Program Files\AVG\Antivirus\defs\17081506\algo.dll
2017-08-07 16:34 - 2017-08-07 16:34 - 000690392 _____ () C:\Program Files\AVG\Antivirus\ffl2.dll
2017-08-07 16:34 - 2017-08-07 16:34 - 000232784 _____ () C:\Program Files\AVG\Antivirus\streamback.dll
2017-08-16 12:22 - 2017-08-16 12:22 - 005891544 _____ () C:\Program Files\AVG\Antivirus\defs\17081602\algo.dll
2008-06-03 03:35 - 2009-01-28 11:33 - 000159744 _____ () C:\Windows\system32\atitmmxx.dll
2017-08-07 16:30 - 2017-08-07 16:29 - 048920064 _____ () C:\Program Files\AVG\UiDll\2623\libcef.dll
2017-08-07 16:34 - 2017-08-07 16:34 - 001060280 _____ () C:\Program Files\AVG\Antivirus\AvChrome.dll
2017-08-07 16:34 - 2017-08-07 16:34 - 048936448 _____ () C:\Program Files\AVG\Antivirus\libcef.dll
2017-08-07 16:34 - 2017-08-07 16:34 - 000136048 _____ () c:\Program Files\AVG\Antivirus\vaarclient.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000212576 _____ () C:\Program Files\AT&T\AT&T AllAccess\AppBehaviour.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 001032288 _____ () C:\Program Files\AT&T\AT&T AllAccess\UIToolkit.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000385632 _____ () C:\Program Files\AT&T\AT&T AllAccess\Device.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000318048 _____ () C:\Program Files\AT&T\AT&T AllAccess\DB.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000638048 _____ () C:\Program Files\AT&T\AT&T AllAccess\Toolkit.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000151648 _____ () C:\Program Files\AT&T\AT&T AllAccess\pcre3.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000055904 _____ () C:\Program Files\AT&T\AT&T AllAccess\Preferences.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000137824 _____ () C:\Program Files\AT&T\AT&T AllAccess\Discovery.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000101984 _____ () C:\Program Files\AT&T\AT&T AllAccess\ComCore.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000320096 _____ () C:\Program Files\AT&T\AT&T AllAccess\UConnectAppBehaviour.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000207968 _____ () C:\Program Files\AT&T\AT&T AllAccess\AAGManager.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000026720 _____ () C:\Program Files\AT&T\AT&T AllAccess\QToolkit.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000210528 _____ () C:\Program Files\AT&T\AT&T AllAccess\Sms.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000075360 _____ () C:\Program Files\AT&T\AT&T AllAccess\Encoding.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000403552 _____ () C:\Program Files\AT&T\AT&T AllAccess\WebClient.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000134752 _____ () C:\Program Files\AT&T\AT&T AllAccess\SmartConnectConnectionManager.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000072288 _____ () C:\Program Files\AT&T\AT&T AllAccess\ErrorsManager.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000188512 _____ () C:\Program Files\AT&T\AT&T AllAccess\UsageMeter.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000209504 _____ () C:\Program Files\AT&T\AT&T AllAccess\Connection.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000129120 _____ () C:\Program Files\AT&T\AT&T AllAccess\SmartConnect.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000225376 _____ () C:\Program Files\AT&T\AT&T AllAccess\Wifi.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000078944 _____ () C:\Program Files\AT&T\AT&T AllAccess\NotificationsManager.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000820736 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\UConnectConnection.plugin
2017-03-23 16:35 - 2017-03-23 16:35 - 000104544 _____ () C:\Program Files\AT&T\AT&T AllAccess\SIMOTA.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000647680 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\Messages.plugin
2017-03-23 16:35 - 2017-03-23 16:35 - 000016992 _____ () C:\Program Files\AT&T\AT&T AllAccess\Data.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000185952 _____ () C:\Program Files\AT&T\AT&T AllAccess\Contacts.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000596480 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\GeolocationGip.plugin
2017-03-23 16:35 - 2017-03-23 16:35 - 000256096 _____ () C:\Program Files\AT&T\AT&T AllAccess\GNSS.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000247904 _____ () C:\Program Files\AT&T\AT&T AllAccess\HotSpotsLocationLib.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000173568 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\Notifications.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000286208 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\LiveUpdate.plugin
2017-03-23 16:35 - 2017-03-23 16:35 - 000355424 _____ () C:\Program Files\AT&T\AT&T AllAccess\LiveUpdateLib.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000362496 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\InternetSharing.plugin
2017-03-23 16:35 - 2017-03-23 16:35 - 000227424 _____ () C:\Program Files\AT&T\AT&T AllAccess\MobileHotspot.dll
2017-03-23 16:35 - 2017-03-23 16:35 - 000126048 _____ () C:\Program Files\AT&T\AT&T AllAccess\System.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000244224 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\Account.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000182272 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\Errors.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000451072 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\DiagnosticGip.plugin
2017-03-23 16:35 - 2017-03-23 16:35 - 000137824 _____ () C:\Program Files\AT&T\AT&T AllAccess\Diagnostic.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000090112 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\SWUpgrader.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000066048 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\Win6Wifi.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000043520 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\SmartConnectStrategyACM.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000051712 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\SmartConnectModem.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000043520 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\SmartConnectWifi.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000077312 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\Reporting.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000076288 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\NetworkConnectivity.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000035328 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\DiscoveryGeneric.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000025088 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\DiscoveryMobileBroadband.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000019968 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\DiscoveryNdis.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000030720 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\DiscoveryVPorts.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000088064 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\DeviceInfo.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000077312 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\SmsAdapter.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000017920 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\SwiQMIManufacturerAPI.plugin
2017-03-23 16:35 - 2017-03-23 16:35 - 000051296 _____ () C:\Program Files\AT&T\AT&T AllAccess\SwiQMIAPIHelper.dll
2017-03-23 16:36 - 2017-03-23 16:36 - 000048640 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\FWSierraUpgrader.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000056320 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\DeviceSimContactsAdapter.plugin
2017-03-23 16:36 - 2017-03-23 16:36 - 000041984 _____ () C:\Program Files\AT&T\AT&T AllAccess\resources\plugins\NdisSwiQMIConnection.plugin

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Freda\Desktop\APCO CREDIT UNION.jpg:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\Jingle All The Way (4th and 5th Grade).mp4:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\JOLLY_CHRISTMAS_AD.gif:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\JOLLY_CHRISTMAS_AD2.gif:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\santa.mp4:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\skadoodlevideo.mp4:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\video3gpp_0.avi:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\videoplayback.mp4:Roxio EMC Stream [38]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\imageres.dll,-68 <==== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\...\dell.com -> dell.com
IE trusted site: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\...\friendsofjamesrogers.com -> hxxp://www.friendsofjamesrogers.com
IE trusted site: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\...\onlyimaginegraphics.com -> hxxp://www.onlyimaginegraphics.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 05:23 - 2006-09-18 16:41 - 000000761 ____N C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 172.26.38.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdminHelper.exe => 2
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: Ati External Event Utility => 2
MSCONFIG\Services: avgsvc => 2
MSCONFIG\Services: btwdins => 2
MSCONFIG\Services: Freemake Improver => 2
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: IDriverT => 3
MSCONFIG\Services: MbaeSvc => 2
MSCONFIG\Services: MBAMService => 2
MSCONFIG\Services: RoxMediaDB9 => 3
MSCONFIG\Services: RoxWatch9 => 2
MSCONFIG\Services: stllssvr => 3
MSCONFIG\Services: SwiCardDetectSvc => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bitmeter2.lnk => C:\Windows\pss\Bitmeter2.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk => C:\Windows\pss\Bluetooth.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^CodecPackUpdateChecker.lnk => C:\Windows\pss\CodecPackUpdateChecker.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SpybotSD.lnk => C:\Windows\pss\SpybotSD.lnk.CommonStartup
MSCONFIG\startupreg: AllAccess.exe => C:\Program Files\AT&T\AT&T AllAccess\AllAccess.exe
MSCONFIG\startupreg: AllAccess_AppStart.exe => "C:\Program Files\AT&T\AT&T AllAccess\AllAccess_AppStart.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: CanonMyPrinter => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
MSCONFIG\startupreg: CanonSolutionMenu => C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
MSCONFIG\startupreg: Codec Settings UAC Manager => "C:\Windows\system32\C2MP\CodecUACManager.exe"
MSCONFIG\startupreg: DellSystemDetect => C:\Users\Freda\AppData\Local\Apps\2.0\ZEYEGAYG.ZG7\3ZTP75ME.0JK\dell..tion_0f612f649c4a10af_0005.0008_b3168e842b9276ec\DellSystemDetect.exe
MSCONFIG\startupreg: ISUSPM Startup => C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
MSCONFIG\startupreg: ISUSScheduler => "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
MSCONFIG\startupreg: KiesPreload => C:\Program Files\Samsung\Kies\Kies.exe /preload
MSCONFIG\startupreg: KiesTrayAgent => C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
MSCONFIG\startupreg: Malwarebytes Anti-Exploit => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
MSCONFIG\startupreg: OpwareSE4 => "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
MSCONFIG\startupreg: ProductUpdater => C:\Program Files\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe
MSCONFIG\startupreg: RoxWatchTray => "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
MSCONFIG\startupreg: SSBkgdUpdate => "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
MSCONFIG\startupreg: StartCCC => "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
MSCONFIG\startupreg: Windows Defender => %ProgramFiles%\Windows Defender\MSASCui.exe -hide
MSCONFIG\startupreg: WMPNSCFG => C:\Program Files\Windows Media Player\WMPNSCFG.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SLSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [SLSVC-In-TCP] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [{3918E06B-B79B-4FDF-AEB9-21EF772AEEAD}] => (Allow) C:\Program Files\Windows Mail\WinMail.exe
FirewallRules: [{DB3B7D00-B716-43FF-9A5D-653B76E47E5B}] => (Allow) C:\Program Files\Windows Mail\WinMail.exe
FirewallRules: [Microsoft-Windows-RemovableStorageManagement-Client-RPCSS-TCP-In] => (Allow) %systemroot%\system32\rsmsink.exe
FirewallRules: [Microsoft-Windows-RemovableStorageManagement-Client-DCOM-In] => (Allow) %systemroot%\system32\rsmsink.exe
FirewallRules: [TCP Query User{10CFD52F-26C2-41DF-94D4-2A0CD32A90B2}C:\program files\1ws_ftp\ws_ftp95.exe] => (Allow) C:\program files\1ws_ftp\ws_ftp95.exe
FirewallRules: [UDP Query User{465AF1B5-CCDF-45CE-AEC1-04FAF740EA65}C:\program files\1ws_ftp\ws_ftp95.exe] => (Allow) C:\program files\1ws_ftp\ws_ftp95.exe
FirewallRules: [{11AE451A-E2A4-4102-86D1-38C5322FBD4C}] => (Allow) C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [TCP Query User{0DADF36A-408D-40AB-9D8E-0612734BCDE8}C:\program files\quake iii arena\quake3.exe] => (Block) C:\program files\quake iii arena\quake3.exe
FirewallRules: [UDP Query User{8A8A90E1-7B81-4739-BDF2-4E9FC0258F6C}C:\program files\quake iii arena\quake3.exe] => (Block) C:\program files\quake iii arena\quake3.exe
FirewallRules: [{39A02A7D-4248-4B3E-BBCB-89471DA65173}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{72E68628-96F5-4DBF-A07E-F16CBF1A29D9}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{F3465CA7-5D34-4C3C-AC25-5DDDECCD1E42}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{D5375106-3A32-4C6D-9D30-A069D9DBCCF3}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7C5B9444-2679-495B-B3BA-B058CD22649A}] => (Allow) c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{907F9981-3770-40D9-9ED7-73B2220B299A}] => (Allow) C:\Users\Freda\AppData\Local\Temp\~os9849.tmp\pmropn.exe
FirewallRules: [{C2418850-CCB5-4050-8374-FF0D4E0712F6}] => (Allow) C:\Program Files\AVG\Av\avgdiagex.exe
FirewallRules: [{AE287211-0530-48BC-B98A-C4377AAE6E47}] => (Allow) C:\Program Files\AVG\Av\avgdiagex.exe
FirewallRules: [{28290C9D-54DD-4069-B25D-81667FB9C98E}] => (Allow) C:\Program Files\AVG\Av\avgemcx.exe
FirewallRules: [{8A098598-C34F-4E2D-BF5C-0BBAD7E9986E}] => (Allow) C:\Program Files\AVG\Av\avgemcx.exe
FirewallRules: [TCP Query User{F085DDED-E576-4580-BC24-F4CACD9B08EF}C:\program files\quake iii arena\quake3.exe] => (Block) C:\program files\quake iii arena\quake3.exe
FirewallRules: [UDP Query User{7CFB9F78-6D75-4E1F-BE60-69A456C85F2A}C:\program files\quake iii arena\quake3.exe] => (Block) C:\program files\quake iii arena\quake3.exe
FirewallRules: [TCP Query User{09F013B2-584B-45C0-BC04-3B03DC62CA06}C:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe] => (Block) C:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe
FirewallRules: [UDP Query User{94AB94FE-B41D-4936-9F4F-8688B0F6366F}C:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe] => (Block) C:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe
FirewallRules: [{67114E53-CAD1-46D0-AD02-54EE0A4B099B}] => (Allow) C:\Program Files\AVG\Av\avgemcx.exe
FirewallRules: [{8A71928D-DEF6-4C1F-80E3-2CE26366134C}] => (Allow) C:\Program Files\AVG\Av\avgemcx.exe
FirewallRules: [{EACDCEF6-C27A-4692-8F1A-519371499EA4}] => (Allow) C:\Users\Freda\AppData\Local\Temp\HouseCall\tmase\drs\DrScaner.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\AT&T\AT&T AllAccess\SwiApiMuxX.exe] => Enabled:SwiApiMuxX

==================== Restore Points =========================

11-02-2017 16:33:59 Revo Uninstaller's restore point - Adaptec UDF Reader
24-02-2017 04:00:10 Windows Update
28-04-2017 12:13:56 Removed AVG
01-07-2017 15:59:21 Installed AT&T AllAccess
13-08-2017 13:03:27 ComboFix created restore point
14-08-2017 10:30:00 Revo Uninstaller's restore point - Security Check
15-08-2017 13:57:30 Norton_Power_Eraser_20170815135730439

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/16/2017 12:20:27 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\ROY'S STUFF\DUMP\AA.AAA> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog

Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (08/16/2017 11:44:29 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/15/2017 04:49:03 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/15/2017 04:25:08 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Freda\Downloads\Autoruns\Autoruns64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (08/15/2017 04:25:04 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Freda\Downloads\Autoruns\autorunsc64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (08/15/2017 04:25:04 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Freda\Downloads\Autoruns\Autoruns64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (08/15/2017 03:17:24 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: FreemakeUtilsService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
Stack:
   at FreemakeUtilsService.Statistics.Manager.ApplyNewTargetsConfigs()
   at FreemakeUtilsService.Statistics.Manager.TargetsConfigSyncCompleted(System.Object, System.EventArgs)
   at FreemakeUtilsService.Common.Synchronizer.OnWorkerCompleted(System.Object, System.ComponentModel.RunWorkerCompletedEventArgs)
   at System.ComponentModel.BackgroundWorker.OnRunWorkerCompleted(System.ComponentModel.RunWorkerCompletedEventArgs)
   at System.ComponentModel.BackgroundWorker.AsyncOperationCompleted(System.Object)
   at System.Threading.QueueUserWorkItemCallback.WaitCallback_Context(System.Object)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
   at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()

Error: (08/15/2017 03:16:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/15/2017 02:29:33 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/15/2017 02:28:57 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043c from line 45 of d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.


System errors:
=============
Error: (08/15/2017 04:47:12 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
Access is denied.

Error: (08/15/2017 04:47:12 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
Access is denied.

Error: (08/15/2017 03:17:24 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Freemake Improver service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/15/2017 03:16:34 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 10.85.221.80 for the Network Card with network address 00A0C6000007 has been denied by the DHCP server 10.70.35.49 (The DHCP Server sent a DHCPNACK message).

Error: (08/15/2017 02:29:35 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (08/15/2017 02:29:33 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (08/15/2017 02:29:33 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (08/15/2017 02:29:33 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (08/15/2017 02:29:33 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
avgbdisk
avgbidsdriver
avgbidsh
avgblog
avgbuniv
avgRdr
avgRvrt
avgSnx
avgSP
avgVmm
CSC
DfsC
ESProtectionDriver
NetBIOS
netbt
nsiproxy
PSched
RasAcd
rdbss
Smb
spldr
tdx
Wanarpv6
ws2ifsl

Error: (08/15/2017 02:29:33 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.


CodeIntegrity:
===================================
  Date: 2017-08-16 13:01:07.521
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-16 13:01:07.287
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-16 13:01:07.053
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-16 13:01:06.819
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-16 13:00:50.782
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-16 13:00:50.548
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-16 13:00:50.314
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-16 13:00:50.080
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-15 15:36:46.406
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-15 15:36:46.157
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™2 Quad CPU Q8200 @ 2.33GHz
Percentage of memory in use: 50%
Total physical RAM: 3325.27 MB
Available physical RAM: 1649.95 MB
Total Virtual: 6870.5 MB
Available Virtual: 5289.07 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:465.72 GB) (Free:77.76 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive k: (ESD-USB) (Removable) (Total:3.74 GB) (Free:1.22 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: A42D04A3)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=465.7 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (MBR Code: Windows 7 or 8) (Size: 3.7 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================




#2 nasdaq (Malware Response Team)

Posted 17 August 2017 - 07:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicyScripts: Restriction <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={372817BF-555B-4B9D-BEF4-AAE22BF9CE1F}&mid=411771a0f63647d2bb19d168ddcd6fdd-7cbc942cfa16d24f84c1335462c4c7536c43c45c&lang=en&ds=AVG&coid=avgtbavg&cmpid=0616avz&pr=fr&d=2016-06-08 15:15:54&v=4.3.1.831&pid=wtu&sg=&sap=dsp&q={searchTerms}
FF Plugin HKU\S-1-5-21-2742556778-2244366580-3918831902-1000: www.exent.com/GameTreatWidget -> C:\Program Files\Free Ride Games\npGameTreatWidget.dll [No File]
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> no filepath
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Task: {17F82F83-E575-408C-9555-C312A02FE842} - System32\Tasks\LaunchApp => C:\Program Files\MyPC Backup\MyPC Backup.exe <==== ATTENTION
AlternateDataStreams: C:\Users\Freda\Desktop\APCO CREDIT UNION.jpg:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\Jingle All The Way (4th and 5th Grade).mp4:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\JOLLY_CHRISTMAS_AD.gif:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\JOLLY_CHRISTMAS_AD2.gif:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\santa.mp4:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\skadoodlevideo.mp4:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\video3gpp_0.avi:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\videoplayback.mp4:Roxio EMC Stream [38]
FirewallRules: [{907F9981-3770-40D9-9ED7-73B2220B299A}] => (Allow) C:\Users\Freda\AppData\Local\Temp\~os9849.tmp\pmropn.exe
C:\Program Files\MyPC Backup
C:\Users\Freda\AppData\Local\Temp\~os9849.tmp

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
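
The fix script above works by handing FRST its own log lines back: a line copied verbatim from FRST.txt or Addition.txt and placed between Start and End is acted on when Fix is clicked, and the Fixlog echoes each one with the result. The script below is an added example, not FRST's code and not the helper's, that does the first pass of that triage on a handful of FRST lines the way a helper does by eye: FRST's own <==== ATTENTION marker, an Allow firewall rule for an executable under a Temp directory, a per-user CLSID registration that names no DLL, a plugin whose file is gone, and a non-default search scope. The sample lines are constructed (most copied from the fixlist above, the SearchScopes URL shortened, the Firefox firewall rule a made-up benign entry), and the severity levels are the example's own choices, not FRST's.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) log lines into a fixlist draft.

Added example for this thread; it is not FRST's code and not the helper's
script. SAMPLE_LOG is constructed: most lines are copied from the fixlist
posted above, the SearchScopes URL is shortened, and the Firefox firewall
rule is a made-up benign entry used as a negative case.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?q={searchTerms}
FF Plugin HKU\S-1-5-21-2742556778-2244366580-3918831902-1000: www.exent.com/GameTreatWidget -> C:\Program Files\Free Ride Games\npGameTreatWidget.dll [No File]
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
Task: {17F82F83-E575-408C-9555-C312A02FE842} - System32\Tasks\LaunchApp => C:\Program Files\MyPC Backup\MyPC Backup.exe <==== ATTENTION
FirewallRules: [{907F9981-3770-40D9-9ED7-73B2220B299A}] => (Allow) C:\Users\Freda\AppData\Local\Temp\~os9849.tmp\pmropn.exe
FirewallRules: [{00000000-0000-4000-8000-000000000001}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
"""

ATTENTION = "<==== ATTENTION"          # FRST's own marker for lines it wants looked at
KIND = re.compile(r"^(?P<kind>[^:]+?):\s")   # the prefix FRST puts before each entry
FIREWALL = re.compile(
    r"^FirewallRules: \[(?P<id>\{[0-9A-Fa-f-]+\})\] => \((?P<action>Allow|Block)\) (?P<path>.+)$"
)
# an executable under ...\Temp\ or ...\AppData\Local\Temp\ has no business in a firewall rule
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\)?Temp\\", re.IGNORECASE)
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    kind: str       # FRST entry type, e.g. "Task" or "FirewallRules"
    severity: str   # "high", "medium" or "low" (this example's own scale)
    line: str       # the untouched log line, reused verbatim in fixlist.txt
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Decide whether one FRST log line is worth a fixlist entry."""
    line = line.rstrip()
    if not line:
        return None
    m = KIND.match(line)
    kind = m.group("kind") if m else "other"
    fw = FIREWALL.match(line)
    if fw and fw.group("action") == "Allow" and TEMP_DIR.search(fw.group("path")):
        return Finding(kind, "high", line, "Allow rule for an executable living in a Temp directory")
    if line.endswith(ATTENTION):
        if kind.startswith(("HKLM", "GroupPolicy")):
            reason = "policy restriction (in the thread one of these had Windows Defender switched off)"
        else:
            reason = "flagged by FRST itself"
        return Finding(kind, "high", line, reason)
    if kind == "SearchScopes":
        return Finding(kind, "medium", line, "non-default IE search provider (here AVG toolbar residue)")
    if kind == "CustomCLSID" and line.endswith("no filepath"):
        return Finding(kind, "low", line, "per-user CLSID that shadows the HKLM entry but names no DLL")
    if kind.startswith("FF Plugin") and line.endswith("[No File]"):
        return Finding(kind, "low", line, "plugin registration whose DLL is gone")
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


def build_fixlist(findings: List[Finding], min_severity: str = "high") -> str:
    """Draft fixlist.txt: FRST directives around the selected log lines."""
    floor = SEVERITY_RANK[min_severity]
    body = [f.line for f in findings if SEVERITY_RANK[f.severity] >= floor]
    return "\n".join(["Start", "CreateRestorePoint:", "CloseProcesses:", *body, "EmptyTemp:", "End"]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.kind}: {f.reason}")
    print(build_fixlist(found))
```

The draft is a starting point, not a fix: every line still gets read by a person before Fix is clicked, because FRST removes exactly what it is given, and the low-severity leftovers (orphan CLSIDs, a missing plugin DLL) are cleanup rather than evidence of infection.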

#3 iwidhtp (Topic Starter)

Posted 17 August 2017 - 01:49 PM

Thanks for your help and I'll do my best to follow your instructions. After running FRST to create the fixlog file, I was notified that I needed to restart the computer, which you didn't mention; I assume I should.


Fix result of Farbar Recovery Scan Tool (x86) Version: 16-08-2017
Ran by Freda(Administrator) (17-08-2017 13:25:58) Run:1
Running from K:\Rootkit
Loaded Profiles: Freda(Administrator) (Available Profiles: Freda(Administrator))
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicyScripts: Restriction <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={372817BF-555B-4B9D-BEF4-AAE22BF9CE1F}&mid=411771a0f63647d2bb19d168ddcd6fdd-7cbc942cfa16d24f84c1335462c4c7536c43c45c&lang=en&ds=AVG&coid=avgtbavg&cmpid=0616avz&pr=fr&d=2016-06-08 15:15:54&v=4.3.1.831&pid=wtu&sg=&sap=dsp&q={searchTerms}
FF Plugin HKU\S-1-5-21-2742556778-2244366580-3918831902-1000: www.exent.com/GameTreatWidget -> C:\Program Files\Free Ride Games\npGameTreatWidget.dll [No File]
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> no filepath
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Task: {17F82F83-E575-408C-9555-C312A02FE842} - System32\Tasks\LaunchApp => C:\Program Files\MyPC Backup\MyPC Backup.exe <==== ATTENTION
AlternateDataStreams: C:\Users\Freda\Desktop\APCO CREDIT UNION.jpg:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\Jingle All The Way (4th and 5th Grade).mp4:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\JOLLY_CHRISTMAS_AD.gif:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\JOLLY_CHRISTMAS_AD2.gif:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\santa.mp4:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\skadoodlevideo.mp4:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\video3gpp_0.avi:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\Freda\Desktop\videoplayback.mp4:Roxio EMC Stream [38]
FirewallRules: [{907F9981-3770-40D9-9ED7-73B2220B299A}] => (Allow) C:\Users\Freda\AppData\Local\Temp\~os9849.tmp\pmropn.exe
C:\Program Files\MyPC Backup
C:\Users\Freda\AppData\Local\Temp\~os9849.tmp

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION => restored successfully
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION => restored successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => key removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"C:\Windows\system32\GroupPolicy\Machine" => not found.
C:\Windows\system32\GroupPolicy\User => moved successfully
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} => key removed successfully.
HKLM\Software\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000\Software\MozillaPlugins\www.exent.com/GameTreatWidget => key removed successfully.
C:\Program Files\Free Ride Games\npGameTreatWidget.dll => not found.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020421-0000-0000-C000-000000000046} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020422-0000-0000-C000-000000000046} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020423-0000-0000-C000-000000000046} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{00020425-0000-0000-C000-000000000046} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0002E005-0000-0000-C000-000000000046} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4} => key removed successfully.
HKU\S-1-5-21-2742556778-2244366580-3918831902-1000_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07} => key removed successfully.
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\00avg => key removed successfully.
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{17F82F83-E575-408C-9555-C312A02FE842} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{17F82F83-E575-408C-9555-C312A02FE842} => key removed successfully.
C:\Windows\System32\Tasks\LaunchApp => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchApp => key removed successfully.
C:\Users\Freda\Desktop\APCO CREDIT UNION.jpg => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\Freda\Desktop\Jingle All The Way (4th and 5th Grade).mp4 => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\Freda\Desktop\JOLLY_CHRISTMAS_AD.gif => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\Freda\Desktop\JOLLY_CHRISTMAS_AD2.gif => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\Freda\Desktop\santa.mp4 => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\Freda\Desktop\skadoodlevideo.mp4 => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\Freda\Desktop\video3gpp_0.avi => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\Freda\Desktop\videoplayback.mp4 => ":Roxio EMC Stream" ADS removed successfully..
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{907F9981-3770-40D9-9ED7-73B2220B299A} => value removed successfully.
"C:\Program Files\MyPC Backup" => not found.
"C:\Users\Freda\AppData\Local\Temp\~os9849.tmp" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18757686 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 176010253 B
Edge => 0 B
Chrome => 0 B
Firefox => 49411510 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 18359729 B
LocalService => 13496600 B
NetworkService => 69972 B
Freda => 249918033 B

RecycleBin => 10338769 B
EmptyTemp: => 519.5 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 13:27:52 ====



#4 iwidhtp (Topic Starter)

Posted 17 August 2017 - 02:44 PM

I went ahead and did the reboot. Tried going to my homepage: very, very slow. Some of the images never loaded and the little blue circle never quit spinning. From there, I browsed over to BC and tried downloading AdwCleaner, ComboFix, and Farbar Recovery. Each one did bring up its respective download page, but I didn't complete the download process. I then hit the home button and again it took way too long to start loading the page, and again many of the images didn't load. I then tried to run AVG antivirus, and it failed to start. Next I went to Windows Defender to check its status. It was turned off by a "group policy", which I know nothing about. The PC seems to be altering its actions: yesterday I couldn't get to the aforementioned download pages, but I could today. For now, I'll wait for your next suggestion.


Edited by iwidhtp, 17 August 2017 - 02:45 PM.


#5 nasdaq (Malware Response Team)

Posted 18 August 2017 - 06:51 AM

Let's see what else we can find.

Malwarebytes Anti-Rootkit

Please download Anti-Rootkit BETA and save it to your Desktop.
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back to the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;
If you have any problems running either one, come back and let me know.
===

#6 iwidhtp (Topic Starter)

Posted 18 August 2017 - 10:19 AM

I tried the 'Anti-Rootkit BETA' link 3 times, but nothing happened except the little blue circle kept spinning. On the 4th attempt, I right clicked the link and opened in a new tab. I did get to the download page and clicked the DOWNLOAD button, but only got partial downloads, several times. I eventually had to use another PC to download the file. I then transferred it, by flash drive, to the troubled PC desktop. Then I followed your instructions and the scan came back clean. Here is the log file.

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.08.18.07
  rootkit: v2017.08.02.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Freda(Administrator) :: VISTA [administrator]

8/18/2017 9:50:33 AM
mbar-log-2017-08-18 (09-50-33).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 241006
Time elapsed: 16 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 



#7 nasdaq (Malware Response Team)

Posted 18 August 2017 - 01:03 PM


Hi,

I had seen in one of the many scans I've done, something about 'SVC: swcustcfg ->->?', being an issue,


This looks like a problem with AVG.

Remove AVG using the removal tool suggested in this article. (It will work on your Vista.)

https://support.avg.com/answers?id=906b0000000DnZVAA0

I would test the system before reinstalling AVG. If all is well then reinstall the program.

Keep me posted.

#8 iwidhtp (Topic Starter)

Posted 18 August 2017 - 04:53 PM

I uninstalled AVG according to the directions from the AVG site. Afterwards, I first looked at the registry to see if 'swcustcfg' was still there; it was. But as before, I was unable to open or edit the file??? Don't know if that file pertains to AVG. Next, I browsed back to my homepage and to BC without a problem. From BC, I went to the links that I couldn't get to earlier; I also downloaded some of the same support programs that I couldn't earlier. I then reinstalled AVG Free. I browsed back to my homepage and some of the images hadn't loaded, and the blue circle was spinning. I then clicked the shortcut to BC and nothing happened, the blue circle still spinning!!! Just now as I was typing this, a window opened in the taskbar. I clicked it to open and it was this (attached file: AVG.jpg). I hope that worked. I'm not sure how to attach files to this forum. In case you can't read the blurred print, it says:

 

SVC: swcustcfg >   ???             Rootkit: hidden service


Edited by iwidhtp, 18 August 2017 - 09:55 PM.


#9 iwidhtp (Topic Starter)

Posted 18 August 2017 - 06:53 PM

Since reinstalling AVG, and getting the Rootkit warning, I've tried some more browsing. It's terrible. And I just got the AVG Rootkit warning window again. As I was saying, browsing is a mess. Most, if not all, pages fail to completely load and the blue circle keeps spinning; this can go on for several minutes until I stop loading the page. Only once have I seen the browser actually time out. So for now, I have AVG Free installed, browsing is horrific, and I'm getting the AVG Rootkit warning which refers to swcustcfg as a hidden rootkit. I have noticed there being 2 swcustcfg files in the registry at times. One of them I can edit, the other I can't. At other times, there's only 1 swcustcfg file, and it can't be edited. That's all for now.


Edited by iwidhtp, 19 August 2017 - 07:20 AM.
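
The warning quoted above, "SVC: swcustcfg > ??? Rootkit: hidden service", is the result of a cross-view check: a scanner enumerates services through the Service Control Manager (SCM), enumerates the service keys under HKLM\SYSTEM\CurrentControlSet\Services directly, and reports any key the SCM does not admit to. The script below is an added example of that check, not AVG's, MBAR's or FRST's code. The two live enumerators need Windows (sc.exe and the winreg module); the comparison itself is pure Python and runs on constructed data, in which the swcustcfg key is modelled as one whose ACL denies reading, which is an assumption made to mirror the "unable to open or edit" symptom the poster describes, and "exampleshadowsvc" is a made-up name for a Win32 service key with no SCM counterpart.

```python
"""Cross-view check for a "hidden service" warning like the one AVG raised.

Added example for this thread; it is not AVG's, MBAR's or FRST's code. A
service is "hidden" in this sense when the registry holds a service key the
Service Control Manager (SCM) does not report. Both live enumerators need
Windows; compare_views() is pure and is exercised on constructed data.
"""
import subprocess
import sys
from typing import Dict, Iterable, Set

# Type values from winnt.h: 0x1/0x2 are drivers, 0x10/0x20 are Win32 services
SERVICE_WIN32 = 0x30
ACCESS_DENIED = -1   # marker: the key's ACL refused the read
NO_TYPE = -2         # marker: the key exists but carries no Type value


def parse_sc_query(text: str) -> Set[str]:
    """Service names from the output of 'sc query type= service state= all'."""
    names = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("SERVICE_NAME:"):
            names.add(line.split(":", 1)[1].strip().lower())
    return names


def services_from_scm() -> Set[str]:
    """The SCM's view of Win32 services. Windows only."""
    out = subprocess.run(
        ["sc", "query", "type=", "service", "state=", "all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_sc_query(out)


def services_from_registry() -> Dict[str, int]:
    """Every subkey under the Services key with its Type value. Windows only."""
    import winreg  # imported here so the pure functions import cleanly elsewhere
    view: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    view[name.lower()] = winreg.QueryValueEx(key, "Type")[0]
            except PermissionError:
                view[name.lower()] = ACCESS_DENIED   # the "locked and untouchable" case
            except FileNotFoundError:
                view[name.lower()] = NO_TYPE          # config-only key, no Type value
    return view


def compare_views(scm_names: Iterable[str], registry: Dict[str, int]) -> Dict[str, str]:
    """Registry service keys the SCM does not report, each with why it matters."""
    scm = {n.lower() for n in scm_names}
    hidden: Dict[str, str] = {}
    for name, svc_type in registry.items():
        if name in scm:
            continue
        if svc_type == ACCESS_DENIED:
            hidden[name] = "key unreadable: ACL denies access, check its owner and DACL"
        elif svc_type == NO_TYPE:
            hidden[name] = "key without a Type value: configuration leftover, not a service"
        elif svc_type & SERVICE_WIN32:
            hidden[name] = "Win32 service in the registry that the SCM does not report"
        # drivers (Type 0x1/0x2) are not returned by 'type= service', so not a discrepancy
    return hidden


# Constructed sample data standing in for the two live views
SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: AVGIDSAgent
DISPLAY_NAME: AVGIDSAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
SERVICE_NAME: wuauserv
DISPLAY_NAME: Windows Update
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
"""
SAMPLE_REGISTRY = {
    "avgidsagent": 0x10,
    "wuauserv": 0x20,
    "afd": 0x01,                  # kernel driver, legitimately absent from the SCM service list
    "swcustcfg": ACCESS_DENIED,   # assumption: models the key the poster could not open or edit
    "exampleshadowsvc": 0x10,     # made-up Win32 service key with no SCM counterpart
}


def main() -> None:
    if sys.platform == "win32":
        hidden = compare_views(services_from_scm(), services_from_registry())
    else:
        hidden = compare_views(parse_sc_query(SAMPLE_SC_OUTPUT), SAMPLE_REGISTRY)
    for name, why in sorted(hidden.items()):
        print(f"{name}: {why}")


if __name__ == "__main__":
    main()
```

Two caveats apply to any result. Both views are produced by the same running kernel, so a kernel-mode rootkit that hooks registry and SCM calls can hide from both, which is why the helper also ran MBAR and why an offline look at the disk is the next step when the warning persists. Conversely, an installer that sets a restrictive DACL on its own service key produces exactly the "unreadable key" line above without any rootkit; the poster later reports swcustcfg belongs to the AT&T AllAccess modem software, and the thread does not settle which case this is.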


#10 nasdaq (Malware Response Team)

Posted 19 August 2017 - 08:44 AM



You can always try to get help from the AVG forum. This may take some time.

I suggest you remove AVG using their removal tool again.

Restart the computer normally when completed.

Install another security program. Choose from this list.

Free Antivirus programs:
https://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/?p=2316629

Run the application and let me know if the problem persists.

#11 iwidhtp (Topic Starter)

Posted 19 August 2017 - 10:05 AM

Will do and let you know the outcome. Thanks for staying with me.



#12 iwidhtp (Topic Starter)

Posted 20 August 2017 - 08:57 AM

Well, I went 2 steps forward and 4 back. I am now unable to get on the internet with the troubled PC. This is a totally different situation from what you've been working on. I need to explain my internet setup. I live in a remote area where broadband is not available. The best service I can get is AT&T cellular using a USB modem (AC340U). This device uses a program called 'AT&T All Access' to interface with the PC. I found out (online) that the file 'swcustcfg' is part of that interface. So, after I had used the AVG Clear and Remove tools to uninstall AVG, I also uninstalled the All Access program, thinking that would remove the 'swcustcfg' file, which has been giving the Rootkit warning. It didn't change that file, which is locked and untouchable, so I reinstalled the All Access program. But now, I can't access the internet with the troubled PC and I've been working on that issue since my last post, which I sent from a different PC using the same USB modem. I have to switch the modem from one PC to the other for internet service, when it works. Until I'm able to rectify the new problem, there's no way to continue with the original one. What do you suggest? If I can get it back online, I could start a new thread.



#13 nasdaq
  • Malware Response Team
  • 40,521 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 August 2017 - 12:57 PM



Hi,

An expert with LAN settings should be able to help you better than I can.
This is not my forte.


Start a new topic in the NetWorking Forum.
https://www.bleepingcomputer.com/forums/f/21/networking/

Explain your situation as you did in your last message to me.

Before you create the new topic download and run this Minitoolbox program.

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries

Click Go and copy/paste the log (MTB.txt) into your next post.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.

Now create the new topic, explain your problem, and post the logs for their review.

====

I will keep this topic open for 6 days; if you need to return, please do.

#14 iwidhtp
  • Topic Starter
  • Members
  • 44 posts

Posted 20 August 2017 - 02:57 PM

Hi and thanks again. Here is the MTB file:

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Freda(Administrator) (administrator) on 20-08-2017 at 14:49:21
Running from "C:\Users\Freda\Desktop"
Microsoft® Windows Vista™ Business  Service Pack 2 (X86)
Model: Inspiron 530 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================

Intel® 82562V-2 10/100 Network Connection = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global defaultcurhoplimit=64 icmpredirects=enabled
set subinterface interface=3 subinterface=ethernet_5 mtu=1500
set subinterface interface=3 subinterface=ethernet_7 mtu=1477
set subinterface interface=3 subinterface=ethernet_6 mtu=1500
add address name="Local Area Connection" address=192.168.0.2


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Vista
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel® 82562V-2 10/100 Network Connection
   Physical Address. . . . . . . . . : 00-21-9B-29-86-2E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b99d:187:8037:b576%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 251666843
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-D5-EA-42-00-21-9B-29-86-2E
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{5B447F7B-E747-4494-BCB0-A29118902AA3}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  fec0:0:0:ffff::1

Ping request could not find host google.com. Please check the name and try again.

Server:  UnKnown
Address:  fec0:0:0:ffff::1

Ping request could not find host yahoo.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=64

Reply from 127.0.0.1: bytes=32 time<1ms TTL=64



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
 10 ...00 21 9b 29 86 2e ...... Intel® 82562V-2 10/100 Network Connection
  1 ........................... Software Loopback Interface 1
 17 ...00 00 00 00 00 00 00 e0  isatap.{5B447F7B-E747-4494-BCB0-A29118902AA3}
 11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.2    276
      192.168.0.2  255.255.255.255         On-link       192.168.0.2    276
    192.168.0.255  255.255.255.255         On-link       192.168.0.2    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.2    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 10    276 fe80::/64                On-link
 10    276 fe80::b99d:187:8037:b576/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48640] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Windows\system32\wshbth.dll [34304] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 29 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 30 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 31 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/20/2017 12:40:44 PM) (Source: profsvc) (User: VISTA)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - The system cannot find the file specified.

Error: (08/20/2017 12:40:41 PM) (Source: profsvc) (User: VISTA)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - The system cannot find the file specified.

Error: (08/20/2017 12:26:52 PM) (Source: profsvc) (User: VISTA)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - The system cannot find the file specified.

Error: (08/20/2017 12:26:39 PM) (Source: profsvc) (User: VISTA)
Description: Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.

 DETAIL - The system cannot find the file specified.

Error: (08/20/2017 12:22:43 PM) (Source: Windows Search Service) (User: )
Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

Context:  Application, SystemIndex Catalog

Error: (08/20/2017 12:22:23 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/20/2017 12:19:33 PM) (Source: profsvc) (User: VISTA)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - The system cannot find the file specified.

Error: (08/20/2017 10:00:22 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/20/2017 09:43:12 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/20/2017 09:34:00 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {2adbb69c-07b5-470d-9565-3dc6f604d0a8}


System errors:
=============
Error: (08/19/2017 04:47:06 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Canon MP610 series Printer with shared resource name Canon MP610 series Printer. Error 2114. The printer cannot be used by others on the network.

Error: (08/19/2017 04:09:26 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Canon MP610 series Printer with shared resource name Canon MP610 series Printer. Error 2114. The printer cannot be used by others on the network.

Error: (08/19/2017 04:06:17 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Canon MP610 series Printer with shared resource name Canon MP610 series Printer. Error 2114. The printer cannot be used by others on the network.

Error: (08/19/2017 04:04:53 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Canon MP610 series Printer with shared resource name Canon MP610 series Printer. Error 2114. The printer cannot be used by others on the network.

Error: (08/19/2017 04:00:23 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Canon MP610 series Printer with shared resource name Canon MP610 series Printer. Error 2114. The printer cannot be used by others on the network.

Error: (08/19/2017 03:48:22 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Canon MP610 series Printer with shared resource name Canon MP610 series Printer. Error 2114. The printer cannot be used by others on the network.

Error: (08/19/2017 03:37:50 PM) (Source: Service Control Manager) (User: )
Description: AVG Antivirus%%2 = The system cannot find the file specified.


Error: (08/19/2017 03:37:01 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Canon MP610 series Printer with shared resource name Canon MP610 series Printer. Error 2114. The printer cannot be used by others on the network.

Error: (08/19/2017 03:01:44 PM) (Source: Service Control Manager) (User: )
Description: Windows Update

Error: (08/19/2017 11:14:36 AM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Canon MP610 series Printer with shared resource name Canon MP610 series Printer. Error 2114. The printer cannot be used by others on the network.


Microsoft Office Sessions:
=========================
Error: (08/20/2017 12:40:44 PM) (Source: profsvc)(User: VISTA)
Description: The system cannot find the file specified.

Error: (08/20/2017 12:40:41 PM) (Source: profsvc)(User: VISTA)
Description: The system cannot find the file specified.

Error: (08/20/2017 12:26:52 PM) (Source: profsvc)(User: VISTA)
Description: The system cannot find the file specified.

Error: (08/20/2017 12:26:39 PM) (Source: profsvc)(User: VISTA)
Description: The system cannot find the file specified.

Error: (08/20/2017 12:22:43 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog

Error: (08/20/2017 12:22:23 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/20/2017 12:19:33 PM) (Source: profsvc)(User: VISTA)
Description: The system cannot find the file specified.

Error: (08/20/2017 10:00:22 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/20/2017 09:43:12 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/20/2017 09:34:00 AM) (Source: VSS)(User: )
Description: 0x80070005

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {2adbb69c-07b5-470d-9565-3dc6f604d0a8}


CodeIntegrity Errors:
===================================
  Date: 2017-08-18 09:52:16.691
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-18 09:52:16.473
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-18 09:52:16.255
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-18 09:52:16.036
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-18 09:52:15.818
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-18 09:52:15.599
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-18 09:52:15.365
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-18 09:52:15.147
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-18 09:52:14.929
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-08-18 09:52:14.710
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.


**** End of log ****
 



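Reading the IP Configuration section of the MTB.txt log above: the Ethernet adapter has a static address with DHCP disabled, no default gateway, and its only DNS servers are fec0:0:0:ffff::1 through ::3, the site-local addresses Windows falls back to when no resolver is configured at all. That combination is enough on its own to explain "Ping request could not find host google.com", independent of any malware. The script below is an added example, not MiniToolBox code and not something anyone in this thread posted; it parses an ipconfig-style section and the hosts section the way a helper would read them, and reports those conditions. The sample input is constructed from the log excerpt, and the field names it keys on (Default Gateway, DNS Servers, DHCP Enabled, Media State) are the ones that appear in that log.

```python
"""Triage an ipconfig /all style section and a hosts file from a MiniToolBox log.

Added example for reading the MTB.txt output quoted in this thread; not MiniToolBox code.
The sample text below is constructed from the log excerpt and trimmed.
"""
import re

# Constructed sample: the adapter blocks from the MTB.txt log above, abbreviated.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Vista

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel 82562V-2 10/100 Network Connection
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : isatap.{placeholder-guid}
"""

# Constructed sample: the hosts content from the log (only the loopback default).
SAMPLE_HOSTS = "127.0.0.1       localhost\n"

# Windows uses these well-known site-local addresses as IPv6 DNS servers when no
# resolver has been configured; seeing only them means there is no real DNS server.
SITE_LOCAL_DNS_PREFIX = "fec0:0:0:ffff::"

ADAPTER_RE = re.compile(r"^(\S.*adapter (.+)):$")
# "   Field Name . . . . : value" -> name without the dot leader, value (may be empty)
FIELD_RE = re.compile(r"^ {3}([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")
# Continuation lines (extra DNS servers) are heavily indented with no field name.
CONT_RE = re.compile(r"^ {20,}(\S.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field name: [values]}}; lines before the first adapter are ignored."""
    adapters = {}
    current = None
    last_field = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(2), {})
            last_field = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            current[name] = [value] if value else []
            last_field = name
            continue
        m = CONT_RE.match(line)
        if m and last_field:
            current[last_field].append(m.group(1).strip())
    return adapters


def diagnose(adapters):
    """Return (adapter, finding) pairs for connected adapters that cannot reach the Internet."""
    findings = []
    for name, f in adapters.items():
        if f.get("Media State") == ["Media disconnected"]:
            continue  # not in use; nothing to say about it
        if not f.get("Default Gateway"):
            findings.append((name, "no default gateway: traffic cannot leave the local subnet"))
        dns = f.get("DNS Servers", [])
        if not dns or all(d.startswith(SITE_LOCAL_DNS_PREFIX) for d in dns):
            findings.append((name, "no real DNS server configured (only the fec0:0:0:ffff:: fallback addresses)"))
        if f.get("DHCP Enabled") == ["No"] and f.get("IPv4 Address"):
            findings.append((name, "static IPv4 address with DHCP disabled: gateway and DNS must be set by hand"))
    return findings


def check_hosts(text):
    """Return hosts entries other than the loopback defaults; anything else deserves a look."""
    extra = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "::1") and all(n == "localhost" for n in names):
            continue
        extra.append(line)
    return extra


if __name__ == "__main__":
    for adapter, finding in diagnose(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: {finding}")
    print("unexpected hosts entries:", check_hosts(SAMPLE_HOSTS) or "none")
```

On the sample, the script reports all three conditions for "Local Area Connection" and no unexpected hosts entries, which matches the log: the hosts file is clean and the proxy settings are off, so the failure is the missing gateway and resolver, not a hijack. The hosts check is deliberately strict (anything beyond the loopback defaults is listed) because a helper wants to see every entry, not just the ones that look wrong.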
#15 nasdaq
  • Malware Response Team
  • 40,521 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 August 2017 - 07:47 AM

Hi,



Quoted from the last log.

Error: (08/20/2017 12:40:44 PM) (Source: profsvc) (User: VISTA)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system.


Please create a new user account.

How to:
http://www.dummies.com/computers/operating-systems/windows-xp-vista/how-to-create-a-new-user-in-windows-vista/

After a normal restart with the new user, test it and let me know if you have any difficulties.



