
Avira message "desinfect system"; windows shutdown button disappeared


  • This topic is locked
53 replies to this topic

#1 ChristianN


  • Members
  • 30 posts

Posted 05 February 2017 - 11:30 AM

Hi all,

First of all thanks a lot in advance for your help.

About one week ago I did a system check with Avira Antivirus and at some point the check stopped and a message by Avira appeared saying something like "desinfecting system". When I wanted to click for details, Avira did not respond anymore and I had to restart my computer. I then looked into the Avira report history, but I could only find these standard reports like "update successful" or "no virus found", but no warning, virus, or anything linked to the previous "desinfecting system" message. In the following days I performed several virus scans, none of them showing anything suspicious either.

Yesterday my Windows shutdown button had then disappeared (first time this has happened to me) and I shut down the computer with the power off button instead. After a restart, the shutdown button was there again and a subsequent Avira scan didn't show anything suspicious.

I'm therefore wondering if I might have any hidden malware on my computer, or if you have any other explanation why this might have happened.

I have attached the FRST and Addition files (unfortunately in German). While scanning with FRST, the programme stopped responding for a short time at a service called "AppID", but then continued scanning by itself. Not sure if this information is of any importance.

 

Untersuchungsergebnis von Farbar Recovery Scan Tool (FRST) (x64) Version: 05-02-2017
durchgeführt von Christian (Administrator) auf CHRISTIAN-PC (05-02-2017 16:26:00)
Gestartet von C:\Users\Christian\Desktop
Geladene Profile: Christian (Verfügbare Profile: UpdatusUser & Christian)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Sprache: Deutsch (Deutschland)
Internet Explorer Version 11 (Standard-Browser: FF)
Start-Modus: Normal
Anleitung für Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Prozesse (Nicht auf der Ausnahmeliste) =================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Prozess geschlossen. Die Datei wird nicht verschoben.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe
(Digital Wave Ltd.) C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe
(Microsoft) C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(SAMSUNG ELECTRONICS CO., Ltd.) C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrHCRPServer.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrAudioguiCtrl.exe
() C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrSyncMLServer.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\vksts.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\HarmonyUserStartup.exe
(Cambridge Silicon Radio Limited) C:\Program Files (x86)\CSR\CSR Harmony Wireless Software Stack\CSRHarmonySkypePlugin.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\TrayApplication.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Spotify Ltd) C:\Users\Christian\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\SCCSpeedBoot.exe
(Samsung Electronics) C:\Program Files (x86)\Samsung\Easy Settings\EasySpeedUpManager.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Nicht auf der Ausnahmeliste) ====================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Registryeintrag auf den Standardwert zurückgesetzt oder entfernt. Die Datei wird nicht verschoben.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12558440 2011-07-12] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2784552 2011-05-13] (Synaptics Incorporated)
HKLM\...\Run: [CsrHCRPServer] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrHCRPServer.exe [1134288 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [CsrAudioguiCtrl] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrAudioguiCtrl.exe [511696 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [CsrSyncMLServer] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrSyncMLServer.exe [244944 2012-03-22] ()
HKLM\...\Run: [vksts] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\vksts.exe [25792 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [HarmonyUserStartup] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\HarmonyUserStartup.exe [39128 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [CSRHarmonySkypePlugin] => C:\Program Files (x86)\CSR\CSR Harmony Wireless Software Stack\CSRHarmonySkypePlugin.exe [146656 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [TrayApplication] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\TrayApplication.exe [529616 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [917576 2016-12-13] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [61896 2016-12-29] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-08-28] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-819639659-4150350305-585420797-1001\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-819639659-4150350305-585420797-1001\...\Run: [Kies3PDLR.exe] => C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\Kies3PDLR.exe Run Kies3
HKU\S-1-5-21-819639659-4150350305-585420797-1001\...\Run: [Spotify Web Helper] => C:\Users\Christian\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1446000 2017-02-03] (Spotify Ltd)
HKU\S-1-5-21-819639659-4150350305-585420797-1001\...\MountPoints2: {b0c8e88b-f5e8-11e1-88cf-e8039aa3c383} - G:\setup.exe
HKU\S-1-5-21-819639659-4150350305-585420797-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\Mystify.scr [242688 2010-11-21] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> Keine Datei
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> Keine Datei
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> Keine Datei
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> Keine Datei

==================== Internet (Nicht auf der Ausnahmeliste) ====================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Eintrag entfernt oder auf den Standardwert zurückgesetzt, wenn es sich um einen Registryeintrag handelt.)

Tcpip\Parameters: [DhcpNameServer] {comment: deleted manually in FRST file}
Tcpip\..\Interfaces\{4406857F-7E4F-49E1-94C8-B26322DDDE38}: [DhcpNameServer] {comment: deleted manually in FRST file}
Tcpip\..\Interfaces\{B3E35B74-CE6F-4DA8-8D9C-FDC531EA4D68}: [DhcpNameServer] {comment: deleted manually in FRST file}

Internet Explorer:
==================
HKU\S-1-5-21-819639659-4150350305-585420797-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
HKU\S-1-5-21-819639659-4150350305-585420797-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-819639659-4150350305-585420797-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2009-02-06] (Zeon Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
Toolbar: HKU\S-1-5-21-819639659-4150350305-585420797-1001 -> Kein Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  Keine Datei
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\0zma2l0y.default [2017-02-05]
FF Homepage: Mozilla\Firefox\Profiles\0zma2l0y.default -> hxxp://www.google.de/
FF Extension: (NoScript) - C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\0zma2l0y.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-01-18]
FF Extension: (DVDVideoSoft YouTube MP3 and Video Download) - C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\0zma2l0y.default\Extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi [2012-12-11] [ist nicht signiert]
FF Extension: (BetterPrivacy) - C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\0zma2l0y.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2016-11-02]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => nicht gefunden
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-08] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [Keine Datei]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-08] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [Keine Datei]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx

==================== Dienste (Nicht auf der Ausnahmeliste) ====================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [1089592 2016-12-13] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [476736 2016-12-13] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [476736 2016-12-13] (Avira Operations GmbH & Co. KG)
S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1490296 2016-12-13] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [372272 2016-12-29] (Avira Operations GmbH & Co. KG)
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [Datei ist nicht signiert]
R2 BtSwitcherService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe [64216 2012-03-22] (Cambridge Silicon Radio Limited)
R2 CSRBtAudioService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe [465624 2012-03-22] (Cambridge Silicon Radio Limited)
R2 CsrBtOBEX-Dienst; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe [1041616 2012-03-22] (Cambridge Silicon Radio Limited)
R2 CsrBtService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe [825032 2012-03-22] (Cambridge Silicon Radio Limited)
R2 DigitalWave.Update.Service; C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe [387944 2016-05-11] (Digital Wave Ltd.)
R2 NovaPdfServer; C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe [204576 2014-04-30] (Microsoft)
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-12-01] () [Datei ist nicht signiert]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Treiber (Nicht auf der Ausnahmeliste) ======================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

R2 avgntflt; C:\windows\System32\DRIVERS\avgntflt.sys [176464 2016-12-13] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\windows\System32\DRIVERS\avipbb.sys [148032 2016-12-13] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\windows\System32\DRIVERS\avkmgr.sys [28600 2013-09-30] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\windows\System32\DRIVERS\avnetflt.sys [79696 2016-05-16] (Avira Operations GmbH & Co. KG)
S3 csravrcp; C:\windows\System32\DRIVERS\csravrcp.sys [26304 2012-03-22] (Cambridge Silicon Radio Limited)
S3 CsrBthAudioHF; C:\windows\System32\DRIVERS\CsrBthAudioHF.sys [39120 2012-03-22] (Cambridge Silicon Radio Limited)
S3 CsrBtPort; C:\windows\System32\DRIVERS\CsrBtPort.sys [2784968 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrhfgcc; C:\windows\System32\DRIVERS\csrhfgcc.sys [38080 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrpan; C:\windows\System32\DRIVERS\csrpan.sys [39616 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrserial; C:\windows\System32\DRIVERS\csrserial.sys [61128 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrusb; C:\windows\System32\Drivers\csrusb.sys [47296 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrusbfilter; C:\windows\System32\Drivers\csrusbfilter.sys [23752 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csr_bthav; C:\windows\System32\drivers\csrbthav.sys [99520 2012-03-22] (Cambridge Silicon Radio Limited)
R1 dtsoftbus01; C:\windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-09-03] (DT Soft Ltd)
S3 rtport; C:\windows\SysWOW64\drivers\rtport.sys [15144 2012-04-14] (Windows ® 2003 DDK 3790 provider)
R2 SGDrv; C:\windows\System32\DRIVERS\SGdrv64.sys [7680 2011-04-11] (Phoenix Technologies Ltd.)

==================== NetSvcs (Nicht auf der Ausnahmeliste) ===================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)


==================== Ein Monat: Erstellte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2017-02-05 16:26 - 2017-02-05 16:28 - 00017851 _____ C:\Users\Christian\Desktop\FRST.txt
2017-02-05 16:11 - 2017-02-05 16:12 - 00034411 _____ C:\Users\Christian\Desktop\Addition_alt.txt
2017-02-05 16:09 - 2017-02-05 16:26 - 00000000 ____D C:\FRST
2017-02-05 16:09 - 2017-02-05 16:12 - 00031360 _____ C:\Users\Christian\Desktop\FRST_alt.txt
2017-02-05 16:06 - 2017-02-05 16:06 - 02421248 _____ (Farbar) C:\Users\Christian\Desktop\FRST64.exe
2017-02-05 15:28 - 2017-02-05 15:28 - 00000000 ____D C:\Users\Christian\Desktop\Neuer Ordner (5)
2017-02-05 15:09 - 2017-02-05 15:09 - 00000000 _____ C:\windows\wiso.ini
2017-02-05 14:56 - 2017-02-05 14:56 - 00000133 _____ C:\Users\Christian\Desktop\Bleeping Computer.txt
2017-02-04 11:54 - 2017-02-04 11:54 - 00000067 _____ C:\Users\Christian\Desktop\Schummel Paella.txt
2017-02-03 18:37 - 2017-02-03 18:37 - 00000248 _____ C:\Users\Christian\Desktop\Doku im Ersten.txt
2017-02-02 22:22 - 2017-02-02 22:28 - 00000000 ____D C:\Users\Christian\Desktop\Summer of Love
2017-01-10 19:42 - 2017-01-05 19:55 - 00154856 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2017-01-10 19:42 - 2017-01-05 19:55 - 00095464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2017-01-10 19:42 - 2017-01-05 19:52 - 01460736 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 01212928 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00730624 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00690688 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00463872 _____ (Microsoft Corporation) C:\windows\system32\certcli.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00345600 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00312320 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00190464 _____ (Microsoft Corporation) C:\windows\system32\rpchttp.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00135680 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00123904 _____ (Microsoft Corporation) C:\windows\system32\bcrypt.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\cryptbase.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00028672 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2017-01-10 19:42 - 2017-01-05 19:52 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00666112 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00553472 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00342528 _____ (Microsoft Corporation) C:\windows\SysWOW64\certcli.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00261120 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00254464 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00223232 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00141312 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpchttp.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00082944 _____ (Microsoft Corporation) C:\windows\SysWOW64\bcrypt.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2017-01-10 19:42 - 2017-01-05 18:43 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2017-01-10 19:42 - 2017-01-05 18:42 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2017-01-10 19:42 - 2017-01-05 18:32 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2017-01-10 19:42 - 2017-01-05 18:25 - 00159744 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb.sys
2017-01-10 19:42 - 2017-01-05 18:24 - 00291328 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb10.sys
2017-01-10 19:42 - 2017-01-05 18:24 - 00129536 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb20.sys
2017-01-10 19:42 - 2017-01-05 18:24 - 00030720 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2017-01-10 19:42 - 2017-01-05 18:23 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2017-01-10 19:42 - 2017-01-05 18:19 - 00036352 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptbase.dll
2017-01-10 19:30 - 2017-01-10 19:30 - 00413225 _____ C:\Users\Christian\Desktop\Tarifübersicht LBS.pdf

==================== Ein Monat: Geänderte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2017-02-05 16:22 - 2009-07-14 06:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2017-02-05 16:17 - 2016-11-21 21:00 - 00000000 ____D C:\Users\Christian\AppData\LocalLow\Mozilla
2017-02-05 16:10 - 2009-07-14 05:45 - 00028848 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-05 16:10 - 2009-07-14 05:45 - 00028848 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-05 15:09 - 2012-01-09 11:46 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-02-04 19:32 - 2015-06-20 11:08 - 00000000 ____D C:\Users\Christian\AppData\Roaming\Spotify
2017-02-04 19:27 - 2015-06-20 11:09 - 00000000 ____D C:\Users\Christian\AppData\Local\Spotify
2017-01-31 07:36 - 2014-06-24 10:49 - 00000000 ____D C:\ProgramData\Package Cache
2017-01-30 21:25 - 2013-10-02 10:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2017-01-30 19:11 - 2016-11-21 20:52 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-01-30 19:11 - 2012-07-09 18:23 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-01-22 15:17 - 2015-11-06 19:27 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-01-22 15:07 - 2012-01-09 11:48 - 00000000 ____D C:\Users\UpdatusUser
2017-01-12 20:08 - 2009-07-14 04:20 - 00000000 ____D C:\windows\rescache
2017-01-10 23:09 - 2013-07-20 18:50 - 00000000 ____D C:\windows\system32\MRT
2017-01-10 23:07 - 2012-09-03 17:26 - 135657872 ____C (Microsoft Corporation) C:\windows\system32\MRT.exe
2017-01-10 22:28 - 2016-11-09 20:02 - 00004476 _____ C:\windows\System32\Tasks\Adobe Acrobat Update Task

==================== Dateien im Wurzelverzeichnis einiger Verzeichnisse =======

2014-03-19 10:42 - 2014-03-19 10:42 - 0003584 _____ () C:\Users\Christian\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-12-15 00:52 - 2013-12-15 00:52 - 0000057 _____ () C:\ProgramData\Ament.ini
2012-07-09 21:51 - 2012-07-09 21:51 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2012-01-09 13:08 - 2012-01-09 13:09 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2012-01-09 13:01 - 2012-01-09 13:03 - 0000113 _____ () C:\ProgramData\{34FBC7C4-CD31-4D93-A428-0E524EAC4586}.log
2012-01-09 13:06 - 2012-01-09 13:07 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2012-01-09 13:03 - 2012-01-09 13:06 - 0000106 _____ () C:\ProgramData\{80E158EA-7181-40FE-A701-301CE6BE64AB}.log
2012-01-09 13:07 - 2012-01-09 13:08 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log

Einige Dateien in TEMP:
====================
2012-01-07 02:22 - 2012-01-07 02:22 - 0246440 _____ (Ask.com) C:\Users\Christian\AppData\Local\Temp\AskSLib.dll
2004-10-23 08:14 - 2004-10-23 08:14 - 0684032 _____ (Electronic Arts Inc.) C:\Users\Christian\AppData\Local\Temp\AutoRun.exe
2013-01-09 00:54 - 2004-10-15 05:59 - 0577536 _____ (Electronic Arts Inc.) C:\Users\Christian\AppData\Local\Temp\AutoRunGUI.dll
2013-10-02 10:26 - 2014-06-24 10:49 - 0000000 ____D () C:\Users\Christian\AppData\Local\Temp\avgnt.exe
2012-12-25 02:36 - 2012-12-25 02:36 - 0046592 _____ (Sony DADC Austria AG) C:\Users\Christian\AppData\Local\Temp\drm_dialogs.dll
2012-12-25 02:34 - 2012-12-25 02:37 - 0196608 _____ (Sony DADC Austria AG) C:\Users\Christian\AppData\Local\Temp\drm_dyndata_7270006.dll
2015-03-29 15:13 - 2015-03-29 15:13 - 0041984 _____ () C:\Users\Christian\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphtfxyx.dll
2014-01-25 13:47 - 2004-10-23 08:14 - 0335872 _____ (Electronic Arts Inc.) C:\Users\Christian\AppData\Local\Temp\eauninstall.exe
2012-07-29 19:22 - 2012-07-29 19:22 - 0000241 _____ () C:\Users\Christian\AppData\Local\Temp\fp_pl_pfs_installer.exe
2014-07-03 16:39 - 2014-03-24 23:55 - 0099096 _____ () C:\Users\Christian\AppData\Local\Temp\LMkRstPt.exe
2014-01-25 13:47 - 2004-10-15 05:59 - 0073728 _____ (EA) C:\Users\Christian\AppData\Local\Temp\Need for Speed Underground 2_uninst.exe
2006-10-28 13:17 - 2006-10-28 13:17 - 0145184 ____R (Microsoft Corporation) C:\Users\Christian\AppData\Local\Temp\ose00000.exe
2013-06-15 08:59 - 2015-03-13 21:35 - 45209696 _____ (Skype Technologies S.A.) C:\Users\Christian\AppData\Local\Temp\SkypeSetup.exe
2015-03-29 15:19 - 2014-07-21 10:17 - 6162488 _____ (Spotify Ltd) C:\Users\Christian\AppData\Local\Temp\SpotifyUninstall.exe
2016-01-24 15:32 - 2006-05-24 18:10 - 0455600 _____ (Macrovision Corporation) C:\Users\Christian\AppData\Local\Temp\_is3AD0.exe
2006-05-24 18:10 - 2006-05-24 18:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Christian\AppData\Local\Temp\_is5A11.exe
2006-05-24 18:10 - 2006-05-24 18:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Christian\AppData\Local\Temp\_isC02B.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-02 00:43

==================== End of FRST.txt ============================

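The "Bamital & volsnap" section of the FRST log above is a signature check on a fixed set of core Windows binaries: a Bamital-style infection patches files such as explorer.exe, winlogon.exe or volsnap.sys in place, and a patched file no longer verifies against its Authenticode or catalog signature. The PowerShell script below is an added example for this thread, not FRST's own code and not posted by anyone in the thread; it repeats the same check with Get-AuthenticodeSignature over the file list FRST printed. It assumes it is run from an elevated 64-bit PowerShell so that the system32 paths are not redirected to SysWOW64.

```powershell
# Added example for this thread; not FRST's own code and not from the original post.
# Repeats the "Bamital & volsnap" check: verify the Authenticode/catalog signature of
# the same core binaries FRST listed. Run from an elevated 64-bit PowerShell, otherwise
# WOW64 file-system redirection makes the system32 paths resolve to SysWOW64.

$sysRoot = $env:SystemRoot

# The file list FRST printed above, relative to %SystemRoot%.
$coreBinaries = @(
    'system32\winlogon.exe', 'system32\wininit.exe', 'SysWOW64\wininit.exe',
    'explorer.exe',          'SysWOW64\explorer.exe',
    'system32\svchost.exe',  'SysWOW64\svchost.exe',
    'system32\services.exe',
    'system32\User32.dll',   'SysWOW64\User32.dll',
    'system32\userinit.exe', 'SysWOW64\userinit.exe',
    'system32\rpcss.dll',
    'system32\dnsapi.dll',   'SysWOW64\dnsapi.dll',
    'system32\Drivers\volsnap.sys'
)

function Test-CoreBinarySignatures {
    param([string[]]$RelativePaths = $coreBinaries)
    foreach ($rel in $RelativePaths) {
        $full = Join-Path -Path $sysRoot -ChildPath $rel
        if (-not (Test-Path -LiteralPath $full)) {
            # A missing core binary is itself a finding, so report it instead of skipping it.
            [pscustomobject]@{ Path = $full; Status = 'Missing'; SignatureType = $null; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $full
        [pscustomobject]@{
            Path          = $full
            Status        = $sig.Status            # Valid / NotSigned / HashMismatch / ...
            SignatureType = $sig.SignatureType     # Catalog for most OS files, Authenticode if embedded
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$results = Test-CoreBinarySignatures
$results | Format-Table -AutoSize

# HashMismatch on one of these files is the in-place patching FRST's check looks for;
# a non-Microsoft signer on a Windows binary is equally suspect.
$suspect = $results | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}
if ($suspect) {
    Write-Warning 'These files did not verify; compare them against a known-good copy or a scan from clean boot media.'
    $suspect | Format-Table -AutoSize
}
```

Two caveats apply. Most Windows binaries are catalog-signed rather than carrying an embedded signature; if every file reports NotSigned with an empty SignatureType, the PowerShell in use does not consult the catalog (the PowerShell 2.0 that ships with Windows 7, the system in this thread, does not), and the same check should be done with Sysinternals sigcheck, which does. And like FRST's own check, this runs on the possibly infected system through its own APIs, so a kernel-mode rootkit can hide a patched file from it; a scan from clean boot media is the stronger test.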

 


#2 olgun52 (Malware Response Team)

Posted 05 February 2017 - 04:54 PM

Hello ChristianN, and welcome to BleepingComputer.

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log on to the computer as an administrator. (How do I log on to the computer as an administrator?)
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please get help here.
Thanks

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

Sincerely

Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52 (Malware Response Team)

Posted 05 February 2017 - 05:34 PM

Hello ChristianN,

Please do the following;
 
Please Uninstall: Free YouTube To MP3 Converter
====================
 
Run FRST fixlist

  • Please open notepad (Start > All Programs > Accessories > Notepad)
  • Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
  • Save it to the Desktop, and name it: fixlist.txt
CreateRestorePoint:
CloseProcesses:

C:\windows\TEMP\bfecfd06-a508-454d-a95b-17cabd8e5c04\AgileDotNetRT64.dll
C:\windows\TEMP\ce98dbf9-9a5d-4dd4-aa9f-e7ee1148a36d\AgileDotNetRT64.dll
HKU\S-1-5-21-819639659-4150350305-585420797-1001\...\MountPoints2: {b0c8e88b-f5e8-11e1-88cf-e8039aa3c383} - G:\setup.exe
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-819639659-4150350305-585420797-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-819639659-4150350305-585420797-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Extension: (DVDVideoSoft YouTube MP3 and Video Download) - C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\0zma2l0y.default\Extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi [2012-12-11] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-08] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
C:\ProgramData\Ament.ini
2012-01-09 13:08 - 2012-01-09 13:09 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2012-01-09 13:01 - 2012-01-09 13:03 - 0000113 _____ () C:\ProgramData\{34FBC7C4-CD31-4D93-A428-0E524EAC4586}.log
2012-01-09 13:06 - 2012-01-09 13:07 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2012-01-09 13:03 - 2012-01-09 13:06 - 0000106 _____ () C:\ProgramData\{80E158EA-7181-40FE-A701-301CE6BE64AB}.log
2012-01-09 13:07 - 2012-01-09 13:08 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log

CMD: ipconfig /flushdns
EmptyTemp:
Reboot:
End

NOTICE: This script is written specifically for this computer!!!

  • Running this on another computer may cause damage to the Operating System.
  • Now, please run FRST, and press the Fix button, just once, and wait.
  • When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.
======================================================
 
Please be sure to run our tools with administrator rights.

Next, download ComboFix Save to the Desktop

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, as it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.
 
Have a nice day.


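The fixlist in the post above removes three kinds of registry entries that FRST flagged: a MountPoints2 autorun command for a removable drive (G:\setup.exe), Internet Explorer search scopes whose URL value is empty, and shell icon overlay handlers whose CLSID no longer resolves to a DLL on disk (FRST's "No File"). The PowerShell script below is an added example for this thread, not the fixlist and not FRST's own code; it is read-only and lists those same entries with the same verdicts, so the conditions can be confirmed by hand on any Windows system before an entry is removed. Registry layouts it relies on (MountPoints2\{GUID}\Shell\AutoRun\command, HKCR\CLSID\{clsid}\InprocServer32, the URL value of each SearchScopes subkey) are the standard ones; the output column names are this example's own.

```powershell
# Added triage example for this thread; it is not the fixlist above and not FRST's own code.
# Read-only: it lists the three kinds of entries the fixlist removes and reports the
# same conditions FRST flagged, so nothing is changed until a human has looked.

function Get-MountPointAutoruns {
    # Explorer records the autorun command of each volume it has seen under
    # HKCU\...\MountPoints2\{volume GUID}\Shell\AutoRun\command. A command such as
    # G:\setup.exe means a removable drive once presented an autorun.inf.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "$($_.PSPath)\Shell\AutoRun\command"
        if (Test-Path -Path $cmdKey) {
            [pscustomobject]@{
                Volume  = $_.PSChildName
                Command = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
        }
    }
}

function Get-OverlayHandlerStatus {
    # Each ShellIconOverlayIdentifiers subkey names a CLSID; the handler DLL is the
    # default value of HKCR\CLSID\{clsid}\InprocServer32 (Wow6432Node\CLSID for 32-bit
    # handlers). "No File" is what FRST reports when that chain is broken.
    $roots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = (Get-ItemProperty -Path $_.PSPath).'(default)'
            $dll = $null
            foreach ($view in @('CLSID', 'Wow6432Node\CLSID')) {
                $server = "Registry::HKEY_CLASSES_ROOT\$view\$clsid\InprocServer32"
                if ($clsid -and (Test-Path -Path $server)) {
                    $dll = (Get-ItemProperty -Path $server).'(default)'
                    if ($dll) { break }
                }
            }
            $status = 'No File'
            if ($dll) {
                $onDisk = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))
                $status = if ($onDisk) { 'OK' } else { 'Missing on disk' }
            }
            [pscustomobject]@{ Handler = $_.PSChildName; CLSID = $clsid; Dll = $dll; Status = $status }
        }
    }
}

function Get-EmptySearchScopes {
    # A search scope whose URL value is empty is what FRST prints as "URL ="; the
    # fixlist above resets DefaultScope and removes such scope keys.
    $roots = @(
        'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
        'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $url = (Get-ItemProperty -Path $_.PSPath).URL
            if ([string]::IsNullOrWhiteSpace($url)) {
                [pscustomobject]@{ Root = $root; Scope = $_.PSChildName; URL = $url }
            }
        }
    }
}

'== MountPoints2 autorun commands =='
Get-MountPointAutoruns | Format-Table -AutoSize
'== Shell icon overlay handlers that do not resolve to a DLL =='
Get-OverlayHandlerStatus | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
'== Search scopes with an empty URL =='
Get-EmptySearchScopes | Format-Table -AutoSize
```

Run it in the same user session whose HKCU entries FRST reported (the HKU\S-1-5-21-... SID in the log), since MountPoints2 and the per-user SearchScopes live under that user's hive. An orphaned overlay handler such as the Dropbox leftovers is harmless clutter; a MountPoints2 command pointing at setup.exe on a removable drive is worth noting because it records that the drive offered autorun, not that it was malicious, which is why the fixlist removes the entry rather than treating it as an infection.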

 


 


#4 ChristianN (Topic Starter)

Posted 06 February 2017 - 12:13 PM

Hi Yilmaz,

Thanks a lot for your reply. Unfortunately I don't have time to run your instructions today, but will do so as soon as possible (hopefully tomorrow).

One question beforehand: I have not done any backup of my personal data until now, as I want to avoid my external drive being infected as well. So my question is whether my personal data might get lost during the process. If so, is there any way to back up my data such that I will not infect the system again when I want to copy the data back from my external drive to the computer after the process has been finished?

Thanks a lot!



#5 olgun52 (Malware Response Team)

Posted 06 February 2017 - 12:49 PM

Nothing will happen to your legal data. But if you want, you can make a backup on your external drive.



 


 


#6 ChristianN (Topic Starter)

Posted 07 February 2017 - 01:32 PM

Hi Yilmaz. Thanks for the fast reply. Below I will post the two logs. Just two remarks:

1) After the ComboFix application finished, it did not save any report on my desktop (although the programme itself is located on the desktop). However, an unnamed file opened in Notepad; I assume that this is the log and I will post it below.

2) All the files which start with "CSR" should be related to a Bluetooth stick and the necessary drivers, which I installed about a month ago. I have seen that these files appear quite often in the logs. Is there a reason why they appear here?



#7 ChristianN (Topic Starter)

Posted 07 February 2017 - 01:33 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-02-2017
Ran by Christian (07-02-2017 18:35:40) Run:1
Running from C:\Users\Christian\Desktop
Loaded Profiles: UpdatusUser & Christian (Available Profiles: UpdatusUser & Christian)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:

C:\windows\TEMP\bfecfd06-a508-454d-a95b-17cabd8e5c04\AgileDotNetRT64.dll
C:\windows\TEMP\ce98dbf9-9a5d-4dd4-aa9f-e7ee1148a36d\AgileDotNetRT64.dll
HKU\S-1-5-21-819639659-4150350305-585420797-1001\...\MountPoints2: {b0c8e88b-f5e8-11e1-88cf-e8039aa3c383} - G:\setup.exe
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-819639659-4150350305-585420797-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-819639659-4150350305-585420797-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Extension: (DVDVideoSoft YouTube MP3 and Video Download) - C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\0zma2l0y.default\Extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi [2012-12-11] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-08] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
C:\ProgramData\Ament.ini
2012-01-09 13:08 - 2012-01-09 13:09 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2012-01-09 13:01 - 2012-01-09 13:03 - 0000113 _____ () C:\ProgramData\{34FBC7C4-CD31-4D93-A428-0E524EAC4586}.log
2012-01-09 13:06 - 2012-01-09 13:07 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2012-01-09 13:03 - 2012-01-09 13:06 - 0000106 _____ () C:\ProgramData\{80E158EA-7181-40FE-A701-301CE6BE64AB}.log
2012-01-09 13:07 - 2012-01-09 13:08 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log

CMD: ipconfig /flushdns
EmptyTemp:
Reboot:
End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\windows\TEMP\bfecfd06-a508-454d-a95b-17cabd8e5c04\AgileDotNetRT64.dll => moved successfully
C:\windows\TEMP\ce98dbf9-9a5d-4dd4-aa9f-e7ee1148a36d\AgileDotNetRT64.dll => moved successfully
HKU\S-1-5-21-819639659-4150350305-585420797-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b0c8e88b-f5e8-11e1-88cf-e8039aa3c383} => key removed successfully
HKCR\CLSID\{b0c8e88b-f5e8-11e1-88cf-e8039aa3c383} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-819639659-4150350305-585420797-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-819639659-4150350305-585420797-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
C:\Users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\0zma2l0y.default\Extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi => moved successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{F003DA68-8256-4b37-A6C4-350FA04494DF} => value removed successfully
HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer => key removed successfully
C:\windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll => moved successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1 => key removed successfully
HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2 => key removed successfully
HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3 => key removed successfully
HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4 => key removed successfully
HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj => key removed successfully
C:\ProgramData\Ament.ini => moved successfully
C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log => moved successfully
C:\ProgramData\{34FBC7C4-CD31-4D93-A428-0E524EAC4586}.log => moved successfully
C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log => moved successfully
C:\ProgramData\{80E158EA-7181-40FE-A701-301CE6BE64AB}.log => moved successfully
C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log => moved successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 143147087 B
Java, Flash, Steam htmlcache => 26 B
Windows/system/drivers => 902086621 B
Edge => 0 B
Chrome => 0 B
Firefox => 89349896 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 111198 B
systemprofile32 => 335179 B
LocalService => 49632 B
NetworkService => 20662 B
UpdatusUser => 0 B
Christian => 6839405418 B

RecycleBin => 0 B
EmptyTemp: => 7.4 GB of temporary files removed.

================================


The system needed a reboot.

==== End of Fixlog 18:40:38 ====



#8 ChristianN (Topic Starter)

Posted 07 February 2017 - 01:35 PM

ComboFix 17-01-29.01 - Christian 07.02.2017  18:55:53.1.4 - x64
Microsoft Windows 7 Home Premium   {manually deleted from Log File} [GMT 1:00]
Running from: c:\users\Christian\Desktop\ComboFix.exe
AV: Avira Antivirus *Disabled/Updated* {manually deleted from Log File}
SP: Avira Antivirus *Disabled/Updated* {manually deleted from Log File}
SP: Windows Defender *Disabled/Updated* {manually deleted from Log File}
.
.
((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\bfecfd06-a508-454d-a95b-17cabd8e5c04\AgileDotNetRT64.dll
c:\windows\TEMP\ce98dbf9-9a5d-4dd4-aa9f-e7ee1148a36d\AgileDotNetRT64.dll
.
.
(((((((((((((((((((((((   Files Created from 2017-01-07 to 2017-02-07  ))))))))))))))))))))))))))))))
.
.
2017-02-07 18:04 . 2017-02-07 18:04    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2017-02-07 18:04 . 2017-02-07 18:04    --------    d-----w-    c:\users\Default\AppData\Local\temp
2017-02-05 15:09 . 2017-02-07 17:42    --------    d-----w-    C:\FRST
2017-01-29 21:00 . 2017-01-29 21:00    17352    ----a-w-    c:\program files (x86)\Mozilla Firefox\qipcap.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-01-10 22:07 . 2012-09-03 16:26    135657872    -c--a-w-    c:\windows\system32\MRT.exe
2017-01-08 10:58 . 2011-03-28 09:36    24800    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2016-12-12 23:14 . 2016-10-06 18:57    35864    ----a-w-    c:\windows\system32\drivers\avusbflt.sys
2016-12-12 23:14 . 2013-03-27 10:59    176464    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2016-12-12 23:14 . 2013-03-27 10:59    148032    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2016-11-29 21:34 . 2016-11-29 21:34    28352    ----a-w-    c:\windows\SysWow64\aspnet_counters.dll
2016-11-29 21:34 . 2016-11-29 21:34    19112    ----a-w-    c:\windows\SysWow64\msvcr110_clr0400.dll
2016-11-29 21:34 . 2016-11-29 21:34    19112    ----a-w-    c:\windows\SysWow64\msvcr100_clr0400.dll
2016-11-29 21:34 . 2016-11-29 21:34    19112    ----a-w-    c:\windows\SysWow64\msvcp110_clr0400.dll
2016-11-29 21:27 . 2016-11-29 21:27    30400    ----a-w-    c:\windows\system32\aspnet_counters.dll
2016-11-29 21:27 . 2016-11-29 21:27    19112    ----a-w-    c:\windows\system32\msvcr110_clr0400.dll
2016-11-29 21:27 . 2016-11-29 21:27    19112    ----a-w-    c:\windows\system32\msvcr100_clr0400.dll
2016-11-29 21:27 . 2016-11-29 21:27    19112    ----a-w-    c:\windows\system32\msvcp110_clr0400.dll
2016-11-21 18:12 . 2016-12-14 19:21    109568    ----a-w-    c:\windows\system32\hlink.dll
2016-11-20 16:19 . 2016-12-14 19:21    84992    ----a-w-    c:\windows\SysWow64\hlink.dll
2016-11-20 14:07 . 2016-12-14 19:21    467392    ----a-w-    c:\windows\system32\drivers\cng.sys
2016-11-17 16:41 . 2016-12-14 19:21    370920    ----a-w-    c:\windows\system32\clfs.sys
2016-11-14 23:27 . 2016-12-14 19:21    394448    ----a-w-    c:\windows\system32\iedkcs32.dll
2016-11-12 19:48 . 2016-12-14 19:21    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2016-11-12 19:48 . 2016-12-14 19:21    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2016-11-12 19:28 . 2016-12-14 19:21    66560    ----a-w-    c:\windows\system32\iesetup.dll
2016-11-12 19:26 . 2016-12-14 19:21    48640    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2016-11-12 19:26 . 2016-12-14 19:21    417792    ----a-w-    c:\windows\system32\html.iec
2016-11-12 19:25 . 2016-12-14 19:21    88064    ----a-w-    c:\windows\system32\MshtmlDac.dll
2016-11-12 19:25 . 2016-12-14 19:21    576000    ----a-w-    c:\windows\system32\vbscript.dll
2016-11-12 19:21 . 2016-12-14 19:21    2896384    ----a-w-    c:\windows\system32\iertutil.dll
2016-11-12 19:15 . 2016-12-14 19:21    54784    ----a-w-    c:\windows\system32\jsproxy.dll
2016-11-12 19:14 . 2016-12-14 19:21    34304    ----a-w-    c:\windows\system32\iernonce.dll
2016-11-12 19:09 . 2016-12-14 19:21    615936    ----a-w-    c:\windows\system32\ieui.dll
2016-11-12 19:08 . 2016-12-14 19:21    114688    ----a-w-    c:\windows\system32\ieetwcollector.exe
2016-11-12 19:08 . 2016-12-14 19:21    144384    ----a-w-    c:\windows\system32\ieUnatt.exe
2016-11-12 19:08 . 2016-12-14 19:21    25759744    ----a-w-    c:\windows\system32\mshtml.dll
2016-11-12 19:07 . 2016-12-14 19:21    814080    ----a-w-    c:\windows\system32\jscript9diag.dll
2016-11-12 19:07 . 2016-12-14 19:21    817664    ----a-w-    c:\windows\system32\jscript.dll
2016-11-12 18:56 . 2016-12-14 19:21    968704    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2016-11-12 18:53 . 2016-12-14 19:21    6049280    ----a-w-    c:\windows\system32\jscript9.dll
2016-11-12 18:52 . 2016-12-14 19:21    489984    ----a-w-    c:\windows\system32\dxtmsft.dll
2016-11-12 18:47 . 2016-12-14 19:21    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2016-11-12 18:41 . 2016-12-14 19:21    77824    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2016-11-12 18:40 . 2016-12-14 19:21    107520    ----a-w-    c:\windows\system32\inseng.dll
2016-11-12 18:35 . 2016-12-14 19:21    199680    ----a-w-    c:\windows\system32\msrating.dll
2016-11-12 18:34 . 2016-12-14 19:21    92160    ----a-w-    c:\windows\system32\mshtmled.dll
2016-11-12 18:31 . 2016-12-14 19:21    315392    ----a-w-    c:\windows\system32\dxtrans.dll
2016-11-12 18:30 . 2016-12-14 19:21    62464    ----a-w-    c:\windows\SysWow64\iesetup.dll
2016-11-12 18:29 . 2016-12-14 19:21    47616    ----a-w-    c:\windows\SysWow64\ieetwproxystub.dll
2016-11-12 18:29 . 2016-12-14 19:21    498688    ----a-w-    c:\windows\SysWow64\vbscript.dll
2016-11-12 18:29 . 2016-12-14 19:21    341504    ----a-w-    c:\windows\SysWow64\html.iec
2016-11-12 18:28 . 2016-12-14 19:21    152064    ----a-w-    c:\windows\system32\occache.dll
2016-11-12 18:27 . 2016-12-14 19:21    64000    ----a-w-    c:\windows\SysWow64\MshtmlDac.dll
2016-11-12 18:14 . 2016-12-14 19:21    115712    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2016-11-12 18:14 . 2016-12-14 19:21    262144    ----a-w-    c:\windows\system32\webcheck.dll
2016-11-12 18:14 . 2016-12-14 19:21    620032    ----a-w-    c:\windows\SysWow64\jscript9diag.dll
2016-11-12 18:11 . 2016-12-14 19:21    725504    ----a-w-    c:\windows\system32\ie4uinit.exe
2016-11-12 18:10 . 2016-12-14 19:21    806912    ----a-w-    c:\windows\system32\msfeeds.dll
2016-11-12 18:08 . 2016-12-14 19:21    1359360    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2016-11-12 18:08 . 2016-12-14 19:21    2131456    ----a-w-    c:\windows\system32\inetcpl.cpl
2016-11-12 17:57 . 2016-12-14 19:21    60416    ----a-w-    c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2016-11-12 17:41 . 2016-12-14 19:21    15257088    ----a-w-    c:\windows\system32\ieframe.dll
2016-11-12 17:37 . 2016-12-14 19:21    4608000    ----a-w-    c:\windows\SysWow64\jscript9.dll
2016-11-12 17:36 . 2016-12-14 19:21    2055680    ----a-w-    c:\windows\SysWow64\inetcpl.cpl
2016-11-12 17:36 . 2016-12-14 19:21    1155072    ----a-w-    c:\windows\SysWow64\mshtmlmedia.dll
2016-11-12 17:35 . 2016-12-14 19:21    2920960    ----a-w-    c:\windows\system32\wininet.dll
2016-11-12 17:20 . 2016-12-14 19:21    1543680    ----a-w-    c:\windows\system32\urlmon.dll
2016-11-12 17:11 . 2016-12-14 19:21    800768    ----a-w-    c:\windows\system32\ieapfltr.dll
2016-11-12 17:05 . 2016-12-14 19:21    2444800    ----a-w-    c:\windows\SysWow64\wininet.dll
2016-11-10 16:32 . 2016-12-14 19:21    1009152    ----a-w-    c:\windows\system32\user32.dll
2016-11-10 16:19 . 2016-12-14 19:21    833024    ----a-w-    c:\windows\SysWow64\user32.dll
.
.
((((((((((((((((((((((((((((   Registry Autostart Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
"Spotify Web Helper"="c:\users\Christian\AppData\Roaming\Spotify\SpotifyWebHelper.exe" [2017-02-03 1446000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2016-12-12 917576]
"Avira SystrayStartTrigger"="c:\program files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe" [2016-12-29 61896]
"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2011-08-02 46952]
"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2011-08-02 30568]
"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-05 636192]
"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-05 62752]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-08-28 143360]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2012-06-06 3076096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 AntiVirMailService;Avira Email-Schutz;c:\program files (x86)\Avira\AntiVir Desktop\avmailc7.exe;c:\program files (x86)\Avira\AntiVir Desktop\avmailc7.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
R3 csr_bthav;Bluetooth AV-Profil;c:\windows\system32\drivers\csrbthav.sys;c:\windows\SYSNATIVE\drivers\csrbthav.sys [x]
R3 csravrcp;Bluetooth AVRCP-Profil;c:\windows\system32\DRIVERS\csravrcp.sys;c:\windows\SYSNATIVE\DRIVERS\csravrcp.sys [x]
R3 CsrBthAudioHF;BthAudioHF Service;c:\windows\system32\DRIVERS\CsrBthAudioHF.sys;c:\windows\SYSNATIVE\DRIVERS\CsrBthAudioHF.sys [x]
R3 CsrBtPort;CSR Bluetooth-Gerätetreiber;c:\windows\system32\DRIVERS\CsrBtPort.sys;c:\windows\SYSNATIVE\DRIVERS\CsrBtPort.sys [x]
R3 csrhfgcc;Bluetooth HFG-Anrufsteuerungsprofil;c:\windows\system32\DRIVERS\csrhfgcc.sys;c:\windows\SYSNATIVE\DRIVERS\csrhfgcc.sys [x]
R3 csrpan;Bluetooth Personal Area Network Device Driver;c:\windows\system32\DRIVERS\csrpan.sys;c:\windows\SYSNATIVE\DRIVERS\csrpan.sys [x]
R3 csrserial;SPP-Gerätetreiber;c:\windows\system32\DRIVERS\csrserial.sys;c:\windows\SYSNATIVE\DRIVERS\csrserial.sys [x]
R3 csrusb;CSR USB-Treiber für Bluetooth-Dongle;c:\windows\system32\Drivers\csrusb.sys;c:\windows\SYSNATIVE\Drivers\csrusb.sys [x]
R3 csrusbfilter;CSR USB filter driver;c:\windows\system32\Drivers\csrusbfilter.sys;c:\windows\SYSNATIVE\Drivers\csrusbfilter.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AntiVirWebService;Avira Browser-Schutz;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys;c:\windows\SYSNATIVE\Drivers\SABI.sys [x]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 Avira.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\Launcher\Avira.ServiceHost.exe;c:\program files (x86)\Avira\Launcher\Avira.ServiceHost.exe [x]
S2 avnetflt;avnetflt;c:\windows\system32\DRIVERS\avnetflt.sys;c:\windows\SYSNATIVE\DRIVERS\avnetflt.sys [x]
S2 BtSwitcherService;Bluetooth Switcher Service;c:\program files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe;c:\program files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe [x]
S2 CSRBtAudioService;CSR Bluetooth Audio-Service;c:\program files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe;c:\program files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe [x]
S2 CsrBtOBEX-Dienst;CSR OBEX-Dienst;c:\program files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe;c:\program files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe [x]
S2 CsrBtService;CSR Bluetooth-Dienst;c:\program files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe;c:\program files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe [x]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 NovaPdfServer;novaPDF Server;c:\program files\Softland\novaPDF 8\Server\novapdfs.exe;c:\program files\Softland\novaPDF 8\Server\novapdfs.exe [x]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]
S2 SGDrv;SGDrv;c:\windows\system32\DRIVERS\SGdrv64.sys;c:\windows\SYSNATIVE\DRIVERS\SGdrv64.sys [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr QWAVE wcncsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2016-12-23 18:10    323152    ----a-w-    c:\program files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-12 12558440]
"CsrHCRPServer"="c:\program files\CSR\CSR Harmony Wireless Software Stack\CsrHCRPServer.exe" [2012-03-22 1134288]
"CsrAudioguiCtrl"="c:\program files\CSR\CSR Harmony Wireless Software Stack\CsrAudioguiCtrl.exe" [2012-03-22 511696]
"CsrSyncMLServer"="c:\program files\CSR\CSR Harmony Wireless Software Stack\CsrSyncMLServer.exe" [2012-03-22 244944]
"vksts"="c:\program files\CSR\CSR Harmony Wireless Software Stack\vksts.exe" [2012-03-22 25792]
"HarmonyUserStartup"="c:\program files\CSR\CSR Harmony Wireless Software Stack\HarmonyUserStartup.exe" [2012-03-22 39128]
"CSRHarmonySkypePlugin"="c:\program files (x86)\CSR\CSR Harmony Wireless Software Stack\CSRHarmonySkypePlugin.exe" [2012-03-22 146656]
"TrayApplication"="c:\program files\CSR\CSR Harmony Wireless Software Stack\TrayApplication.exe" [2012-03-22 529616]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.de/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\0zma2l0y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Kies3PDLR.exe - c:\program files (x86)\Samsung\Kies3\FirmwareUpdate\Kies3PDLR.exe
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-819639659-4150350305-585420797-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a7,0c,b3,27,cb,0b,e9,18,ee,98,35,60,2d,80,3a,e3,9a,8d,aa,15,7b,2a,bd,
   72,08,d8,cb,24,be,7b,c8,fa,91,05,d7,c1,ff,b2,f3,24,15,19,86,09,88,da,5f,fa,\
"??"=hex:1d,e7,ad,df,ea,55,20,84,3b,df,4a,f9,49,ae,37,64
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2017-02-07  19:06:32
ComboFix-quarantined-files.txt  2017-02-07 18:06
.
Vor Suchlauf: 12 Verzeichnis(se), 64.423.452.672 Bytes frei
Nach Suchlauf: 18 Verzeichnis(se), 64.396.111.872 Bytes frei
.
- - End Of File - -



#9 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:47 PM

Posted 07 February 2017 - 02:19 PM

Hi ChristianN;


Please do this;


Step 1:

Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
      • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 2:

Please download RogueKiller 32/64 bit to your desktop and run it

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)


Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!


#10 ChristianN

ChristianN
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 09 February 2017 - 01:46 PM

Hi Yilmaz,


I have done the Malwarebytes scan two times, as I have seen that the first time was without the rootkit scan. Please find below both scan reports.

The RogueKiller I have not installed due to rather negative reviews.


As some feedback, do you have any indications so far that my computer has been or is infected by any malware? Have the programmes that your initial FRST code and the ComboFix eliminated been malware, or was it just a general clean-up of useless programmes and adware?


Thank you for your help!


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/8/17
Scan Time: 7:36 PM
Logfile: Malwarebytes_8 Feb_posted.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1212
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: CHRISTIAN-PC\Christian

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404395
Time Elapsed: 9 min, 35 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)



#11 ChristianN

ChristianN
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 09 February 2017 - 01:47 PM

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/9/17
Scan Time: 6:39 AM
Logfile: Malwarebytes_9 Feb_posted.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1216
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: CHRISTIAN-PC\Christian

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 371625
Time Elapsed: 5 hr, 14 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)



#12 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:47 PM

Posted 09 February 2017 - 03:13 PM

But, both logs are the same. Please send the RogueKiller log.


Best regards


#13 ChristianN

ChristianN
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 12 February 2017 - 10:00 AM

Hi Yilmaz. I hadn't installed RogueKiller due to the quite negative reviews, but will do it then. However, I will be away the next days, hope I can post the log on Friday.

Could you please tell me if you have any indications so far that my computer is or has been infected? Thanks a lot and have a nice Sunday.



#14 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:47 PM

Posted 12 February 2017 - 02:15 PM

 I hadn't installed RogueKiller due to the quite negative reviews, but will do it then. However, I will be away the next days, hope I can post the log on Friday.

Could you please tell me if you have any indications so far that my computer is or has been infected? Thanks a lot and have a nice Sunday.

We use the RogueKiller software safely.

Your operating system was infected by an autorun virus. But let's proceed with the tests to make sure the virus or viruses aren't lingering around.


Best regards


#15 ChristianN

ChristianN
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 16 February 2017 - 01:12 PM

Hi Yilmaz, sorry for the delay. I have now downloaded RogueKiller; please find attached the scan report. Thanks for your help!


RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Christian [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/16/2017 18:24:43 (Duration : 00:35:49)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-819639659-4150350305-585420797-1000\Software\Myfree Codec -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-819639659-4150350305-585420797-1000\Software\Myfree Codec -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-819639659-4150350305-585420797-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02162017181911859\Software\Myfree Codec -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-819639659-4150350305-585420797-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02162017181911859\Software\Myfree Codec -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-819639659-4150350305-585420797-1001\Software\OCS -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-819639659-4150350305-585420797-1001\Software\OCS -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-819639659-4150350305-585420797-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02162017181912117\Software\OCS -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-819639659-4150350305-585420797-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02162017181912117\Software\OCS -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4406857F-7E4F-49E1-94C8-B26322DDDE38} | DhcpNameServer : 172.25.185.254 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4406857F-7E4F-49E1-94C8-B26322DDDE38} | DhcpNameServer : 172.25.185.254 ([])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.Gen1][Folder] C:\Program Files (x86)\MyFree Codec -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500LM012 HN-M500MBB +++++
--- User ---
[MBR] f680ef6edaffe1d17013fb46a6a6bcea
[BSP] 57660cd3197b4c71bd2c31ed71b76fea : Kiwi MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 134144 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 274933760 | Size: 318817 MB
3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 927870976 | Size: 23878 MB
User = LL1 ... OK
User = LL2 ... OK
