Cryptowall and encrypted data. Am I infected now?


This topic is locked
41 replies to this topic

#1 Glacius
  • Members
  • 29 posts

Posted 06 March 2016 - 12:45 PM

Hi. I'm using Windows 7 Professional 64-bit and recently I have been infected by Cryptowall 4.0.

I am soon going to "format" after moving my data to an external HD, but I would like to be sure if right now I'm still infected.

I tried already Malwarebytes and although right after the infection it quarantined a few files, I tried it again in safe mode and it doesn't detect anything now (apart from a few, very old, false positives).

Am I still infected?

Thanks in advance.




#2 Jo*
  • Malware Response Team
  • 3,417 posts
  • Gender: Male
  • Location: Germany

Posted 06 March 2016 - 01:07 PM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on the downloaded file. OK the self-extracting prompt.
  • MBAR will start. Click "Next" in the introduction screen to continue.
  • Click "Update" in the following screen to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save it to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The status line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

***


Step 4: MiniToolBox by Farbar

Disable your antivirus if it does not allow you to download the tool!
Please download MiniToolBox, save it to your desktop and run it.
Place a checkmark in Select all, then click Go and post the result (MTB.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Copy and paste the contents of that logfile in your next reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Glacius (Topic Starter)
  • Members
  • 29 posts

Posted 08 March 2016 - 07:35 PM

I have done part 1; I will post the rest later, maybe tomorrow (sorry, I am a bit busy lately).


 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
Avira Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 73  
 Java version 32-bit out of Date!
 Adobe Flash Player 20.0.0.306  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (44.0.2)
 Mozilla Thunderbird 31.4.0 Thunderbird out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 8%
````````````````````End of Log``````````````````````



#4 Glacius (Topic Starter)
  • Members
  • 29 posts

Posted 09 March 2016 - 04:17 AM


"Scan finished, no malware found"



#5 Glacius (Topic Starter)
  • Members
  • 29 posts

Posted 09 March 2016 - 04:31 AM

Part 3: I opened the log without actually doing the "clean"; for now I did the scan only. Can I clean all these results? I guess so, but I'll wait for a reply before doing that and part 4.


# AdwCleaner v5.101 - Creato file registro eventi 09/03/2016 in 10:20:40
# Aggiornato 07/03/2016 da Xplode
# Database : 2016-03-08.1 [Server]
# Sistema operativo : Windows 7 Ultimate Service Pack 1 (x64)
# Nome utente : SpinalBlood - SPINALBLOOD-PC
# In esecuzione da : C:\Users\SpinalBlood\Desktop\AdwCleaner.exe
# Opzione : Analisi
# Supporto : http://toolslib.net/forum

***** [ Servizi ] *****


***** [ Cartelle ] *****

Cartella Trovato : C:\ProgramData\Ask

***** [ File ] *****


***** [ DLL ] *****


***** [ Collegamenti ] *****


***** [ Attività pianificate ] *****


***** [ Registry ] *****

Chiave Trovato : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2974C985-8151-4DE5-B23C-B875F0A8522F}
Chiave Trovato : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2974C985-8151-4DE5-B23C-B875F0A8522F}
Chiave Trovato : HKCU\Software\APN PIP
Chiave Trovato : HKCU\Software\eSupport.com
Chiave Trovato : HKCU\Software\AppDataLow\Software\AskToolbar
Chiave Trovato : HKLM\SOFTWARE\PIP
Chiave Trovato : HKLM\SOFTWARE\Solvusoft
Chiave Trovato : HKLM\SOFTWARE\Trymedia Systems
Chiave Trovato : HKU\S-1-5-21-2635201451-3454795460-3219537420-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\APN PIP
Chiave Trovato : HKU\S-1-5-21-2635201451-3454795460-3219537420-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\eSupport.com
Chiave Trovato : HKU\S-1-5-21-2635201451-3454795460-3219537420-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\AppDataLow\Software\AskToolbar
Chiave Trovato : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

***** [ Browser web ] *****


*************************

C:\Program Files (x86)\AdwCleaner\AdwCleaner[S1].txt - [1750 byte] - [09/03/2016 10:20:40]

########## EOF - C:\Program Files (x86)\AdwCleaner\AdwCleaner[S1].txt - [1842 byte] ##########



#6 Jo*
  • Malware Response Team
  • 3,417 posts
  • Gender: Male
  • Location: Germany

Posted 09 March 2016 - 04:55 AM

We clean it later.

Go on with step 4.



#7 Glacius (Topic Starter)
  • Members
  • 29 posts

Posted 09 March 2016 - 05:22 AM

Result.txt has not been generated, apparently. I'll paste MTB.txt.


MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by SpinalBlood (administrator) on 09-03-2016 at 11:11:04
Running from "C:\Users\SpinalBlood\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Model: To Be Filled By O.E.M. Manufacturer: To Be Filled By O.E.M.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Configurazione IP di Windows

Cache del resolver DNS svuotata.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Connessione alla rete locale (LAN) (Connected)


# ----------------------------------
# Configurazione IPv4
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# Fine configurazione IPv4



Configurazione IP di Windows

   Nome host . . . . . . . . . . . . . . : SpinalBlood-PC
   Suffisso DNS primario . . . . . . . . :
   Tipo nodo . . . . . . . . . . . . . . : Ibrido
   Routing IP abilitato. . . . . . . . . : No
   Proxy WINS abilitato . . . . . . . .  : No
   Elenco di ricerca suffissi DNS. . . . : lan

Scheda Ethernet Connessione alla rete locale (LAN):

   Suffisso DNS specifico per connessione: lan
   Descrizione . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Indirizzo fisico. . . . . . . . . . . : BC-5F-F4-7E-C8-41
   DHCP abilitato. . . . . . . . . . . . : S
   Configurazione automatica abilitata   : S
   Indirizzo IPv6 locale rispetto al collegamento . : fe80::5199:44e9:92b3:5943%11(Preferenziale)
   Indirizzo IPv4. . . . . . . . . . . . : 192.168.1.111(Preferenziale)
   Subnet mask . . . . . . . . . . . . . : 255.255.255.0
   Lease ottenuto. . . . . . . . . . . . : mer, 09 marzo 2016 09:17:50
   Scadenza lease . . . . . . . . . . .  : mer, 09 marzo 2016 21:19:50
   Gateway predefinito . . . . . . . . . : 192.168.1.254
   Server DHCP . . . . . . . . . . . . . : 192.168.1.254
   IAID DHCPv6 . . . . . . . . . . . : 247226356
   DUID Client DHCPv6. . . . . . . . : 00-01-00-01-18-99-84-48-BC-5F-F4-7E-C8-41
   Server DNS . . . . . . . . . . . . .  : 192.168.1.254
   NetBIOS su TCP/IP . . . . . . . . . . : Attivato
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.254

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Nome:    google.com
Addresses:  2a00:1450:4001:812::200e
      216.58.214.110


Esecuzione di Ping google.com [172.217.19.206] con 32 byte di dati:
Risposta da 172.217.19.206: byte=32 durata=11ms TTL=52
Risposta da 172.217.19.206: byte=32 durata=11ms TTL=52

Statistiche Ping per 172.217.19.206:
    Pacchetti: Trasmessi = 2, Ricevuti = 2,
    Persi = 0 (0% persi),
Tempo approssimativo percorsi andata/ritorno in millisecondi:
    Minimo = 11ms, Massimo =  11ms, Medio =  11ms
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.254

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Nome:    yahoo.com
Addresses:  2001:4998:c:a06::2:4008
      2001:4998:58:c02::a9
      2001:4998:44:204::a7
      206.190.36.45
      98.139.183.24
      98.138.253.109


Esecuzione di Ping yahoo.com [98.139.183.24] con 32 byte di dati:
Risposta da 98.139.183.24: byte=32 durata=127ms TTL=49
Risposta da 98.139.183.24: byte=32 durata=127ms TTL=49

Statistiche Ping per 98.139.183.24:
    Pacchetti: Trasmessi = 2, Ricevuti = 2,
    Persi = 0 (0% persi),
Tempo approssimativo percorsi andata/ritorno in millisecondi:
    Minimo = 127ms, Massimo =  127ms, Medio =  127ms

Esecuzione di Ping 127.0.0.1 con 32 byte di dati:
Risposta da 127.0.0.1: byte=32 durata<1ms TTL=128
Risposta da 127.0.0.1: byte=32 durata<1ms TTL=128

Statistiche Ping per 127.0.0.1:
    Pacchetti: Trasmessi = 2, Ricevuti = 2,
    Persi = 0 (0% persi),
Tempo approssimativo percorsi andata/ritorno in millisecondi:
    Minimo = 0ms, Massimo =  0ms, Medio =  0ms
===========================================================================
Elenco interfacce
 11...bc 5f f4 7e c8 41 ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Tabella route
===========================================================================
Route attive:
     Indirizzo rete             Mask          Gateway     Interfaccia Metrica
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.111     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.111    276
    192.168.1.111  255.255.255.255         On-link     192.168.1.111    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.111    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.111    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.111    276
===========================================================================
Route permanenti:
  Nessuna

IPv6 Tabella route
===========================================================================
Route attive:
 Interf Metrica Rete Destinazione      Gateway
  1    306 ::1/128                  On-link
 11    276 fe80::/64                On-link
 11    276 fe80::5199:44e9:92b3:5943/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
===========================================================================
Route permanenti:
  Nessuna
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/09/2016 09:18:05 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/09/2016 09:17:46 AM) (Source: ISCT Agent) (User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (03/09/2016 12:01:24 AM) (Source: Application Error) (User: )
Description: Nome dell'applicazione che ha generato l'errore: miranda32.exe, versione: 0.10.23.0, timestamp: 0x53761f90
Nome del modulo che ha generato l'errore: unknown, versione: 0.0.0.0, timestamp: 0x00000000
Codice eccezione: 0xc000041d
Offset errore 0x74f14f5d
ID processo che ha generato l'errore: 0x20fc
Ora di avvio dell'applicazione che ha generato l'errore: 0xmiranda32.exe0
Percorso dell'applicazione che ha generato l'errore: miranda32.exe1
Percorso del modulo che ha generato l'errore: miranda32.exe2
ID segnalazione: miranda32.exe3

Error: (03/08/2016 11:49:22 PM) (Source: Application Error) (User: )
Description: Nome dell'applicazione che ha generato l'errore: ACDSee.exe, versione: 3.0.0.0, timestamp: 0x384ff0a7
Nome del modulo che ha generato l'errore: ACDSee.exe, versione: 3.0.0.0, timestamp: 0x384ff0a7
Codice eccezione: 0xc0000005
Offset errore 0x00025ad8
ID processo che ha generato l'errore: 0xa610
Ora di avvio dell'applicazione che ha generato l'errore: 0xACDSee.exe0
Percorso dell'applicazione che ha generato l'errore: ACDSee.exe1
Percorso del modulo che ha generato l'errore: ACDSee.exe2
ID segnalazione: ACDSee.exe3

Error: (03/08/2016 12:01:59 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/08/2016 12:01:35 PM) (Source: ISCT Agent) (User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (03/07/2016 11:05:40 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/07/2016 11:05:26 PM) (Source: ISCT Agent) (User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (03/07/2016 11:01:47 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/07/2016 11:01:32 PM) (Source: ISCT Agent) (User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2


System errors:
=============
Error: (03/09/2016 09:17:58 AM) (Source: Service Control Manager) (User: )
Description: All'avvio non è stato possibile caricare i seguenti driver:
StarOpen
vflt

Error: (03/09/2016 09:17:38 AM) (Source: Application Popup) (User: )
Description: Caricamento del driver \SystemRoot\SysWow64\Drivers\StarOpen.SYS bloccato a causa di incompatibilità con il sistema in uso. Rivolgersi al fornitore del software per richiedere una versione compatibile del driver.

Error: (03/08/2016 12:58:49 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: Ricevuto avviso di errore irreversibile: 20.

Error: (03/08/2016 12:01:47 PM) (Source: Service Control Manager) (User: )
Description: All'avvio non è stato possibile caricare i seguenti driver:
StarOpen
vflt

Error: (03/08/2016 12:01:28 PM) (Source: Application Popup) (User: )
Description: Caricamento del driver \SystemRoot\SysWow64\Drivers\StarOpen.SYS bloccato a causa di incompatibilità con il sistema in uso. Rivolgersi al fornitore del software per richiedere una versione compatibile del driver.

Error: (03/07/2016 11:05:38 PM) (Source: Service Control Manager) (User: )
Description: All'avvio non è stato possibile caricare i seguenti driver:
StarOpen
vflt

Error: (03/07/2016 11:05:20 PM) (Source: Application Popup) (User: )
Description: Caricamento del driver \SystemRoot\SysWow64\Drivers\StarOpen.SYS bloccato a causa di incompatibilità con il sistema in uso. Rivolgersi al fornitore del software per richiedere una versione compatibile del driver.

Error: (03/07/2016 11:01:46 PM) (Source: Service Control Manager) (User: )
Description: All'avvio non è stato possibile caricare i seguenti driver:
StarOpen
vflt

Error: (03/07/2016 11:01:25 PM) (Source: Application Popup) (User: )
Description: Caricamento del driver \SystemRoot\SysWow64\Drivers\StarOpen.SYS bloccato a causa di incompatibilità con il sistema in uso. Rivolgersi al fornitore del software per richiedere una versione compatibile del driver.

Error: (03/07/2016 11:25:43 AM) (Source: Service Control Manager) (User: )
Description: All'avvio non è stato possibile caricare i seguenti driver:
StarOpen
vflt


Microsoft Office Sessions:
=========================
Error: (03/09/2016 09:18:05 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/09/2016 09:17:46 AM) (Source: ISCT Agent)(User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (03/09/2016 12:01:24 AM) (Source: Application Error)(User: )
Description: miranda32.exe0.10.23.053761f90unknown0.0.0.000000000c000041d74f14f5d20fc01d17931774b7eafC:\Program Files (x86)\Miranda IM\miranda32.exeunknownad9e3dd3-e581-11e5-9e1e-bc5ff47ec841

Error: (03/08/2016 11:49:22 PM) (Source: Application Error)(User: )
Description: ACDSee.exe3.0.0.0384ff0a7ACDSee.exe3.0.0.0384ff0a7c000000500025ad8a61001d1798c9d4151dfC:\PROGRA~2\ACDSYS~1\ACDSEE~1\ACDSee.exeC:\PROGRA~2\ACDSYS~1\ACDSEE~1\ACDSee.exeff4cc23d-e57f-11e5-9e1e-bc5ff47ec841

Error: (03/08/2016 12:01:59 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/08/2016 12:01:35 PM) (Source: ISCT Agent)(User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (03/07/2016 11:05:40 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/07/2016 11:05:26 PM) (Source: ISCT Agent)(User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (03/07/2016 11:01:47 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/07/2016 11:01:32 PM) (Source: ISCT Agent)(User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2


CodeIntegrity Errors:
===================================
  Date: 2016-03-09 09:17:38.194
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.

  Date: 2016-03-09 09:17:38.162
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.

  Date: 2016-03-08 12:01:28.549
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.

  Date: 2016-03-08 12:01:28.518
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.

  Date: 2016-03-07 23:05:20.960
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.

  Date: 2016-03-07 23:05:20.928
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.

  Date: 2016-03-07 23:01:25.303
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.

  Date: 2016-03-07 23:01:25.272
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.

  Date: 2016-03-07 11:25:20.016
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.

  Date: 2016-03-07 11:25:19.984
  Description: Impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys. Impossibile trovare l'hash del file nel sistema. Causa possibile: installazione di un file danneggiato o con firma non corretta in seguito a una modifica hardware o software o malware di origine sconosciuta.


=========================== Installed Programs ============================

µTorrent (HKCU\...\uTorrent) (Version: 3.4.5.41712 - BitTorrent Inc.)
7+ Taskbar Tweaker v5.1 (HKCU\...\7 Taskbar Tweaker) (Version: 5.1 - RaMMicHaeL)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ACDSee Trial Version (HKLM-x32\...\ACDSee Trial Version) (Version:  - )
Acrobat.com (HKLM-x32\...\{628C2C7D-8AD1-E614-E8E2-6EEAD8D5F2D0}) (Version: 2.0.0 - Adobe Systems Incorporated) Hidden
Acrobat.com (HKLM-x32\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.0.0.0 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.5.502.146 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
AMIP (remove only) (HKLM-x32\...\AMIP) (Version:  - )
AMIPConfigurator (remove only) (HKLM-x32\...\AMIPConfigurator) (Version:  - )
Anvil Studio (HKLM-x32\...\{EF61D123-98C1-42A3-9406-29CC0238285D}) (Version: 14.08.12 - Willow Software)
Anvil Studio (HKLM-x32\...\ST5UNST #1) (Version:  - )
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ASRock eXtreme Tuner v0.1.248 (HKLM-x32\...\ASRock eXtreme Tuner_is1) (Version:  - )
ASRock InstantBoot v1.29 (HKLM-x32\...\ASRock InstantBoot_is1) (Version:  - )
ASRock XFast RAM v2.0.9 (HKLM\...\ASRock XFast RAM_is1) (Version:  - ASRock Inc.)
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.15.145 - Avira Operations GmbH & Co. KG)
BASSMIDI System Synth (HKLM-x32\...\BASSMIDI System Synth) (Version:  - )
CDBurnerXP (HKLM-x32\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.4.5306 - CDBurnerXP)
CDex - Open Source Digital Audio CD Extractor (HKLM-x32\...\CDex) (Version: 1.70.5.2014 - Georgy Berdyshev)
Chi Vuol Essere Milionario? Party Edition (HKLM-x32\...\{90DA7F39-B9D4-4FB1-93A0-6B10F83E35E2}) (Version: 1.00.0000 - Eidos)
Classic Shell (HKLM\...\{D4B3454F-7529-4F5F-851D-2C36933F7D64}) (Version: 4.2.5 - IvoSoft)
CloneCD (HKLM-x32\...\CloneCD) (Version:  - SlySoft)
clrmamepro (HKLM-x32\...\clrmamepro) (Version: 4.00.18.0 - Roman Scherzer)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6514.5001 - Microsoft Corporation)
Cool Edit Pro 2.0 (HKLM-x32\...\Cool Edit Pro 2.0) (Version:  - )
CoolSoft VirtualMIDISynth 1.15.2 (HKLM-x32\...\CoolSoft VirtualMIDISynth) (Version: 1.15.2.0 - CoolSoft)
Counter-Strike (HKLM-x32\...\Steam App 10) (Version:  - Valve)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.47.1.0333 - Disc Soft Ltd)
DemonStar Full v3.25 (HKLM-x32\...\DemonStar Full v3.25) (Version:  - )
eMule AdunanzA (HKLM-x32\...\eMule AdunanzA) (Version: 3.18 - AduTeam)
Extract-CloneCD 5.3.1.4 Final version 1.5 (HKLM-x32\...\Extract-CloneCD 5.3.1.4 Final_is1) (Version: 1.5 - )
ffdshow v1.3.4531 [2014-06-28] (HKLM-x32\...\ffdshow_is1) (Version: 1.3.4531.0 - )
Fiddler (HKLM-x32\...\Fiddler2) (Version: 4.4.9.6 - Telerik)
FileTouch 2.0 (HKLM-x32\...\PC Magazine's FileTouch_is1) (Version: 2.0 - PC Magazine)
FlashGet 1.9.6.1073 (HKLM-x32\...\FlashGet) (Version: 1.9.6.1073 - http://www.FlashGet.com)
fpArchie for Windows 95 version 0.8 beta 1 (HKLM-x32\...\fpArchie) (Version:  - )
Freemake Video Converter versione 4.1.5 (HKLM-x32\...\Freemake Video Converter_is1) (Version: 4.1.5 - Ellora Assets Corporation)
GIF Movie Gear 2.6 (HKLM-x32\...\GIFMovieGear1) (Version:  - )
GoldWave v4.26 (HKLM-x32\...\GoldWave v4.26) (Version:  - )
Heroes of Might and Magic III Complete (HKLM-x32\...\Heroes of Might and Magic III Complete) (Version:  - )
HyperCam (HKLM-x32\...\HyperCam) (Version:  - )
Intel® Driver Update Utility 2.0 (HKLM-x32\...\{59DB38EB-F864-4E10-841D-38CFBCF864B0}) (Version: 2.0.0.29 - Intel) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.3.1427 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4061 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.2.0.1006 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 3.0.0.63463 - Intel Corporation)
Intel® Smart Connect Technology 2.0 x64 (HKLM\...\{BC2A33D9-A853-4214-8DE6-BCFFA5EDA3DE}) (Version: 2.0.1083.0 - Intel)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.220 - Intel Corporation)
Intel® Driver Update Utility (HKLM-x32\...\{8409c4f7-2340-4933-a304-5d37db4fb48b}) (Version: 2.0.0.29 - Intel)
Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)
Java 8 Update 73 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218073F0}) (Version: 8.0.730.2 - Oracle Corporation)
Kega Game Video Decoder (32 Bit) (HKLM-x32\...\KegaGameVideo) (Version:  - )
Kyodai Mahjongg 2006 v1.42 (HKLM-x32\...\Kyodai Mahjongg 2006_is1) (Version:  - Rene-Gilles Deberdt)
Lock Folder XP (HKLM-x32\...\{57CDBAE6-0896-4E78-88F0-C673E4BB44FD}) (Version: 3.9.2.0 - Everstrike Software)
Magic ISO Maker v5.5 (build 0281) (HKLM-x32\...\Magic ISO Maker v5.5 (build 0281)) (Version:  - )
Malwarebytes Anti-Malware versione 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (Italiano) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1040) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM-x32\...\{90110410-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{4fd02573-5f12-4ae4-8027-c63f8e1115af}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Miranda NG (HKLM-x32\...\Miranda NG_is1) (Version: 0.94.9 - Miranda NG Team)
Mozilla Firefox 44.0.2 (x86 it) (HKLM-x32\...\Mozilla Firefox 44.0.2 (x86 it)) (Version: 44.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 44.0.2.5884 - Mozilla)
Mozilla Thunderbird 31.4.0 (x86 it) (HKLM-x32\...\Mozilla Thunderbird 31.4.0 (x86 it)) (Version: 31.4.0 - Mozilla)
MPC-HC 1.7.10 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.10 - MPC-HC Team)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
munt 1.3.0 (HKLM-x32\...\munt 1.3.0) (Version: 1.3.0 - muntemu.org)
Neo Final Burn Alpha (HKCU\...\Neo Final Burn Alpha) (Version: 00.02.96.73 - 0746 factory)
NoteWorthy Composer (HKLM-x32\...\NoteWorthy Composer) (Version:  - )
Pacchetto driver Windows - XBCD Project HID  (16/05/2008 1.1.0) (HKLM\...\C6DCA6D8EFAB374E8F91A705567555FF4DAF025D) (Version: 16/05/2008 1.1.0 - XBCD Project)
PDFCreator (HKLM\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 2.1.1 - pdfforge)
PFPortChecker 1.0.39 (HKLM-x32\...\PFPortChecker) (Version: 1.0.39 - Portforward.com)
puush (HKLM-x32\...\{C3592426-531E-4110-911D-BFECE2CE284B}) (Version: 1.0.0.0 - Dean Herbert)
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6482 - Realtek Semiconductor Corp.)
RealWorld Paint (HKLM-x32\...\{B6694991-632B-4DA4-B636-58A862645144}) (Version: 13.1.0 - RealWorld Graphics)
Recuva (HKLM\...\Recuva) (Version: 1.52 - Piriform)
Serandom ScreenSaver v2 (HKLM-x32\...\Serandom ScreenSaver v2) (Version:  - )
Seterra 4.02 (HKLM-x32\...\{7C7C274C-DBC8-47FE-923F-9AAD59A4F9F4}}_is1) (Version: 4.02 - Marianne Wartoft AB)
SHOUTcast DNAS (remove only) (HKLM-x32\...\SCDNAS) (Version:  - )
SHOUTcast Source DSP Plug-in v2 (HKLM-x32\...\SHOUTcast Source DSP) (Version: 2.3.2 - Nullsoft, Inc)
Skype™ 7.18 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.18.112 - Skype Technologies S.A.)
Spelling Dictionaries Support For Adobe Reader 9 (HKLM-x32\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
SumatraPDF (HKLM-x32\...\SumatraPDF) (Version: 3.0 - Krzysztof Kowalczyk)
Supporto applicazioni Apple (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
System Requirements Lab for Intel (HKLM-x32\...\{C7CA731B-BF9A-46D9-92CF-8A8737AE9240}) (Version: 4.5.13.0 - Husdawg, LLC)
Tag&Rename (HKLM-x32\...\Tag&Rename_is1) (Version: 2.0.5 - SOFTPOINTER Ltd.)
THX TruStudio (HKLM-x32\...\{AFB907F5-C0E6-4753-8284-DE955EF86AC2}) (Version: 1.00.01 - Creative Technology Limited)
Viena (HKLM-x32\...\Viena) (Version:  - )
Winamp (HKLM-x32\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
WinISO 5.2 (HKLM-x32\...\WinISO_is1) (Version:  - WinISO Computing Inc.)
Worms Armageddon (HKLM-x32\...\Worms Armageddon) (Version:  - )
Worms World Party (HKLM-x32\...\{9A200E68-D5F4-4E70-910F-2871753A0E2B}) (Version:  - )
XBCD Uninstaller (HKLM\...\{04054166-0801-48A9-89E0-BC4B53FE7A81}_is1) (Version: 0.2.7 - XBCD Project)
X-Mouse Button Control 2.6.2 (HKLM-x32\...\X-Mouse Button Control) (Version: 2.6.2 - Highresolution Enterprises)
Xvid 1.1.3 final uninstall (HKLM-x32\...\Xvid_is1) (Version: 1.1 - Xvid team (Koepi))

========================= Devices: ================================

Name: Shrew Soft Lightweight Filter
Description: Shrew Soft Lightweight Filter
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: vflt
Device ID: ROOT\LEGACY_VFLT\0000
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


========================= Memory info: ===================================

Percentage of memory in use: 30%
Total physical RAM: 3791.05 MB
Available physical RAM: 2633.08 MB
Total Virtual: 7580.31 MB
Available Virtual: 6151.23 MB

========================= Partitions: =====================================

1 Drive c: (Sistema) (Fixed) (Total:139.63 GB) (Free:99.16 GB) NTFS
2 Drive d: (Dati) (Fixed) (Total:791.78 GB) (Free:514.59 GB) NTFS
3 Drive e: (H1BUNDLE) (CDROM) (Total:0.15 GB) (Free:0 GB) CDFS
4 Drive v: (WA) (CDROM) (Total:0.61 GB) (Free:0 GB) CDFS

========================= Users: ========================================

Account utente per \\SPINALBLOOD-PC

Administrator            Guest                    SpinalBlood              
Esecuzione comando riuscita.

========================= Minidump Files ==================================

C:\Windows\Minidump\092015-12152-01.dmp
========================= Restore Points ==================================


**** End of log ****
 



#8 Jo*

Jo*

  • Malware Response Team
  • 3,417 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:02:05 PM

Posted 09 March 2016 - 05:27 AM

Uninstall ALL P2P-software like
µTorrent (HKCU\...\uTorrent) (Version: 3.4.5.41712 - BitTorrent Inc.)
eMule AdunanzA (HKLM-x32\...\eMule AdunanzA) (Version: 3.18 - AduTeam)

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#9 Glacius

Glacius
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:05 PM

Posted 09 March 2016 - 05:40 AM

I have uninstalled eMule AdunanzA

 

When I tried to uninstall µTorrent, the antivirus "Avira Free Antivirus" stopped me:

 

Il modello di 'PUA/OpenCandy.Gen [riskware]'
è stato rilevato nel file 'C:\Users\SpinalBlood\AppData\Local\Temp\HYD3748.tmp.1457519788\HTA\3rdparty\OCComSDK.dll.
Azione intrapresa: Nega accesso

 

Il modello di 'PUA/OpenCandy.Gen [riskware]'
è stato rilevato nel file 'C:\Users\SpinalBlood\AppData\Local\Temp\HYD230D.tmp.1457519783\HTA\3rdparty\OCComSDK.dll.
Azione intrapresa: Trasmissione allo scanner

 

Il modello di 'PUA/OpenCandy.Gen [riskware]'
è stato rilevato nel file 'C:\Users\SpinalBlood\AppData\Local\Temp\HYD230D.tmp.1457519783\HTA\3rdparty\OCSetupHlp.dll.
Azione intrapresa: Trasmissione allo scanner

 

Il modello di 'PUA/OpenCandy.Gen [riskware]'
è stato rilevato nel file 'C:\Users\SpinalBlood\AppData\Local\Temp\HYD3748.tmp.1457519788\HTA\3rdparty\OCSetupHlp.dll.
Azione intrapresa: Trasmissione allo scanner

 

Il modello di 'PUA/OpenCandy.Gen [riskware]'
è stato rilevato nel file 'C:\Users\SpinalBlood\AppData\Local\Temp\HYD3748.tmp.1457519788\HTA\3rdparty\OCComSDK.dll.
Azione intrapresa: Trasmissione allo scanner


I don't recall launching utorrent after being infected by Cryptowall



#10 Jo*

Jo*

  • Malware Response Team
  • 3,417 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:02:05 PM

Posted 09 March 2016 - 05:44 AM

Stop your Internet connection

Shutdown your antivirus to avoid any potential conflicts.

Uninstall uTorrent

Restart the PC

Enable your antivirus!

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#11 Glacius

Glacius
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:05 PM

Posted 09 March 2016 - 05:53 AM

Apparently I can't totally stop the antivirus, only disable the real-time protection; Avira has some processes in the background, but I can't terminate all of them, it denies me (but I think it's normal and not because of the infections, it also happened when I tried a very long time ago).

 

Is it enough to disable the real protection?

Or shall I try to disable its services from the startup (via msconfig), or perhaps try to uninstall utorrent in safe mode instead?

(I will continue this evening)


Edited by Glacius, 09 March 2016 - 05:54 AM.


#12 Jo*

Jo*

  • Malware Response Team
  • 3,417 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:02:05 PM

Posted 09 March 2016 - 06:35 AM

Is it enough to disable the real protection?

Yes


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#13 Glacius

Glacius
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:05 PM

Posted 09 March 2016 - 08:00 PM

Done. For now the files mentioned in post #9 are still there



#14 Jo*

Jo*

  • Malware Response Team
  • 3,417 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:02:05 PM

Posted 10 March 2016 - 02:38 AM

Hello,

:step1: Run Malwarebytes Anti-Rootkit again: Right-click mbar.exe and select Run As Administrator
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


:step3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#15 Glacius

Glacius
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:05 PM

Posted 10 March 2016 - 09:56 PM

Hello,

:step1: Run Malwarebytes Anti-Rootkit again: Right-click mbar.exe and select Run As Administrator

  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***

 

I aborted the operation since the antivirus stopped me (or I should say, the scan was still ongoing but I decided to cancel it):

 

Il modello di 'PUA/OpenCandy.Gen [riskware]'
è stato rilevato nel file 'C:\Users\SpinalBlood\AppData\Local\Temp\HYD3748.tmp.1457519788\HTA\3rdparty\OCSetupHlp.dll.
Azione intrapresa: Nega accesso

 

Il modello di 'PUA/OpenCandy.Gen [riskware]'
è stato rilevato nel file 'C:\Users\SpinalBlood\AppData\Local\Temp\HYD3748.tmp.1457519788\HTA\3rdparty\OCComSDK.dll.
Azione intrapresa: Nega accesso

 

Il modello di 'PUA/OpenCandy.Gen [riskware]'
è stato rilevato nel file 'C:\Users\SpinalBlood\AppData\Local\Temp\HYD230D.tmp.1457519783\HTA\3rdparty\OCSetupHlp.dll.
Azione intrapresa: Nega accesso

 

Il modello di 'PUA/OpenCandy.Gen [riskware]'
è stato rilevato nel file 'C:\Users\SpinalBlood\AppData\Local\Temp\HYD230D.tmp.1457519783\HTA\3rdparty\OCComSDK.dll.
Azione intrapresa: Nega accesso


This is odd since the first time this didn't happen. But they seem to be the same files as the ones in post #9.

Should I disable the antivirus again, I guess?

I might try disabling it for all the scans of this topic from now on; hopefully these viruses will not take any action, since I'm also not using safe mode for now.


Edited by Glacius, 10 March 2016 - 09:58 PM.




