Msft_Kernel_avusbflt_01011.Wdf


27 replies to this topic

#1 5Donkeys
Posted 01 August 2017 - 05:51 PM

Hello & thanks in advance for your help :)

I'm not a PC specialist, so please be patient with me. I'll try to understand as much as possible...

I tried to follow the steps from your "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" as well as possible. Point 1 was too complicated for me, I think I'm not smart enough for that :huh: :unsure: ...

I have Windows 8.1. Attached is a screenshot of my System Info.

First I noticed something had changed when I had this cse.google in Firefox, the Custom Search Engine (found the solution to it by deleting an add-on in Firefox).

I tried to get rid of it by following this tutorial on YouTube.

Following the steps until minute 11:20 (where I stopped following the tutorial), I noticed that I have the subject file and found out that it is a virus.

I found BleepingComputer when searching for a solution, but to be honest, I was not able to cope with the information in the thread (log file and so on, it's Chinese to me).

Do you have a simple, step-by-step solution I could follow?

Can I not just delete the Msft_Kernel_avusbflt_01011.Wdf file which is in the folder C:\Windows\System32\drivers, or is it more complicated?

Below are the contents of the FRST.txt and Addition.txt log files.

Thank you so much for your support!!


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-07-2017
Ran by Martinez Séverine (administrator) on MARTINEZ-PC (02-08-2017 00:28:49)
Running from D:\Farbar Recovery Scan Tool BleepingComputer
Loaded Profiles: Martinez Séverine (Available Profiles: Martinez Séverine & Margot & Nicolas)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
(DEVGURU Co., LTD.) C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Gadwin Systems, Inc) D:\GADWIN Printscreen\PrintScreen\PrintScreen.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
() C:\Users\Martinez Séverine\AppData\Local\Temp\paint.net.4.0.17.install.exe
() C:\Users\Martinez Séverine\AppData\Local\Temp\PdnSetup\SetupShim.exe
(dotPDN LLC) C:\Users\Martinez Séverine\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe
(Microsoft Corporation) C:\Windows\System32\SystemPropertiesAdvanced.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7203032 2013-10-22] (Realtek Semiconductor)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-11-01] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [WSHelperSetup.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1691136 2012-05-31] (Wondershare)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [97512 2017-06-13] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [918008 2017-07-04] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\Run: [Gadwin PrintScreen] => D:\GADWIN Printscreen\PrintScreen\PrintScreen.exe [495616 2008-12-09] (Gadwin Systems, Inc)
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [479744 2014-10-29] (Microsoft Corporation)
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [589312 2014-10-29] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21437568 2014-05-08] (Skype Technologies S.A.)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 194.154.192.101 194.154.192.102
Tcpip\..\Interfaces\{4615ED4D-CC28-4CEF-B3F0-4E12AE193CF9}: [DhcpNameServer] 192.168.224.1
Tcpip\..\Interfaces\{A27EA5B4-3E64-4402-80BA-CD79954585D6}: [DhcpNameServer] 194.154.192.101 194.154.192.102

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.duckduckgo.com/
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll => No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-10-13] (Oracle Corporation)
BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll => No File
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-10-13] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default [2017-08-02]
FF NewTab: Mozilla\Firefox\Profiles\auauo9nc.default -> hxxps://duckduckgo.com/
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\auauo9nc.default -> DuckDuckGo
FF Homepage: Mozilla\Firefox\Profiles\auauo9nc.default -> hxxps://duckduckgo.com/#
FF Extension: (Avira Browser Safety) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\abs@avira.com [2017-08-01]
FF Extension: (Avira Browser Safety) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\abs@avira.com.xpi [2017-07-19]
FF Extension: (German Dictionary) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\de-DE@dictionaries.addons.mozilla.org [2015-12-12] [not signed]
FF Extension: (Dictionnaire français) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\fr-dicollecte@dictionaries.addons.mozilla.org [2017-01-23]
FF Extension: (Français Language Pack) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\langpack-fr@firefox.mozilla.org.xpi [2017-05-03]
FF Extension: (Avira Password Manager) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\passwordmanager@avira.com [2017-08-01]
FF Extension: (Avira SafeSearch Plus) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\safesearchplus2@avira.com [2017-08-01]
FF Extension: (New Tab Homepage) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}.xpi [2015-10-09]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll [2014-06-24] (Adobe Systems, Inc.)
FF Plugin-x32: @canon.com/EPPEX -> D:\CANON Easy Photo Print\NPEZFFPI.DLL [2013-04-19] (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-10-13] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-10-13] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-05-08] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-11-01] (Advanced Micro Devices, Inc.) [File not signed]
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1128432 2017-07-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [490968 2017-07-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [490968 2017-07-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1524216 2017-07-04] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [377976 2017-06-13] (Avira Operations GmbH & Co. KG)
R2 AviraPhantomVPN; C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe [322616 2017-07-13] (Avira Operations GmbH & Co. KG)
R2 ss_conn_service; C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [752224 2017-01-16] (DEVGURU Co., LTD.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59648 2013-09-19] (Advanced Micro Devices)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2013-09-24] (Advanced Micro Devices)
R0 avdevprot; C:\Windows\System32\DRIVERS\avdevprot.sys [60920 2017-07-04] (Avira Operations GmbH & Co. KG)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [167504 2017-07-04] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [164824 2017-07-04] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\system32\DRIVERS\avkmgr.sys [44488 2017-07-04] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\system32\DRIVERS\avnetflt.sys [88488 2017-07-04] (Avira Operations GmbH & Co. KG)
R0 avusbflt; C:\Windows\System32\Drivers\avusbflt.sys [38048 2017-07-04] (Avira Operations GmbH & Co. KG)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2011-02-11] (CACE Technologies, Inc.)
R3 phantomtap; C:\Windows\system32\DRIVERS\phantomtap.sys [35664 2017-07-13] (The OpenVPN Project)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2014-07-28] (Apple, Inc.) [File not signed]
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-02 00:28 - 2017-08-02 00:28 - 000000000 ____D C:\FRST
2017-08-01 23:36 - 2017-08-01 23:36 - 000000836 _____ C:\Users\Public\Desktop\paint.net.lnk
2017-08-01 23:36 - 2017-08-01 23:36 - 000000836 _____ C:\ProgramData\Desktop\paint.net.lnk
2017-08-01 15:56 - 2017-08-02 00:10 - 000051390 _____ C:\Windows\ntbtlog.txt
2017-08-01 14:34 - 2017-08-01 14:34 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Local\AviraSpeedup
2017-08-01 14:33 - 2017-08-01 14:33 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Local\CEF
2017-08-01 14:29 - 2017-08-01 14:29 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Local\Avira_Operations_Gmbh_&_C
2017-08-01 14:28 - 2017-08-01 14:28 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf
2017-08-01 14:28 - 2017-07-04 13:28 - 000167504 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000164824 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000088488 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000060920 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avdevprot.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000044488 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000038048 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avusbflt.sys
2017-08-01 14:17 - 2017-08-01 14:17 - 000000000 ____D C:\Windows\System32\Tasks\Avira
2017-08-01 14:17 - 2017-08-01 14:17 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Local\Avira
2017-08-01 14:16 - 2017-08-01 14:16 - 000001056 _____ C:\Users\Public\Desktop\Avira Phantom VPN.lnk
2017-08-01 14:16 - 2017-08-01 14:16 - 000001056 _____ C:\ProgramData\Desktop\Avira Phantom VPN.lnk
2017-08-01 14:12 - 2017-08-01 18:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2017-08-01 14:12 - 2017-08-01 14:12 - 000001224 _____ C:\Users\Public\Desktop\Avira Connect.lnk
2017-08-01 14:12 - 2017-08-01 14:12 - 000001224 _____ C:\ProgramData\Desktop\Avira Connect.lnk
2017-08-01 14:09 - 2017-08-01 14:09 - 000000072 _____ C:\Windows\wininit.ini
2017-07-28 18:15 - 2013-08-22 15:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts.20170728-181504.backup
2017-07-28 18:10 - 2013-08-22 15:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts.20170728-181044.backup
2017-07-27 18:37 - 2017-07-27 21:26 - 000000000 ____D C:\Program Files (x86)\MSECache
2017-07-27 18:12 - 2017-07-28 18:07 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2017-07-27 18:12 - 2017-07-27 18:12 - 000000382 _____ C:\Windows\ODBC.INI
2017-07-13 13:32 - 2017-07-13 13:32 - 000035664 _____ (The OpenVPN Project) C:\Windows\system32\Drivers\phantomtap.sys
2017-07-12 15:30 - 2017-06-29 08:27 - 025734656 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-07-12 15:30 - 2017-06-29 08:02 - 000576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-07-12 15:30 - 2017-06-29 07:50 - 000817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-07-12 15:30 - 2017-06-29 07:44 - 005975552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-07-12 15:30 - 2017-06-29 07:23 - 020270592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-07-12 15:30 - 2017-06-29 07:23 - 000499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-07-12 15:30 - 2017-06-29 07:17 - 001033216 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2017-07-12 15:30 - 2017-06-29 07:13 - 000663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-07-12 15:30 - 2017-06-29 07:09 - 000806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-07-12 15:30 - 2017-06-29 06:58 - 015253504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-07-12 15:30 - 2017-06-29 06:53 - 003240960 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-07-12 15:30 - 2017-06-29 06:52 - 004549632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-07-12 15:30 - 2017-06-29 06:51 - 000880640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2017-07-12 15:30 - 2017-06-29 06:47 - 000693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-07-12 15:30 - 2017-06-29 06:43 - 013663744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-07-12 15:30 - 2017-06-29 06:41 - 001545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-07-12 15:30 - 2017-06-29 06:29 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-07-12 15:30 - 2017-06-29 06:28 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-07-12 15:30 - 2017-06-29 06:24 - 001314816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-07-12 15:30 - 2017-06-29 06:23 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-07-12 15:30 - 2017-06-27 16:29 - 007796736 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2017-07-12 15:30 - 2017-06-27 16:29 - 007077376 _____ (Microsoft Corporation) C:\Windows\system32\glcndFilter.dll
2017-07-12 15:30 - 2017-06-27 16:26 - 005274112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\glcndFilter.dll
2017-07-12 15:30 - 2017-06-27 16:26 - 005268992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2017-07-12 15:30 - 2017-06-22 16:22 - 004169216 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-07-12 15:30 - 2017-06-17 18:45 - 003631616 _____ (Microsoft Corporation) C:\Windows\system32\tquery.dll
2017-07-12 15:30 - 2017-06-17 18:34 - 002749952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tquery.dll
2017-07-12 15:30 - 2017-06-17 18:11 - 002551808 _____ (Microsoft Corporation) C:\Windows\system32\mssrch.dll
2017-07-12 15:30 - 2017-06-17 18:05 - 001920000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssrch.dll
2017-07-12 15:30 - 2017-06-16 00:02 - 000990040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\http.sys
2017-07-12 15:30 - 2017-06-15 15:45 - 007440728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-07-12 15:30 - 2017-06-15 15:45 - 001674520 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2017-07-12 15:30 - 2017-06-15 15:45 - 001534064 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2017-07-12 15:30 - 2017-06-15 15:45 - 001499920 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2017-07-12 15:30 - 2017-06-15 15:45 - 001370320 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2017-07-12 15:30 - 2017-06-15 15:45 - 000086360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pdc.sys
2017-07-12 15:30 - 2017-06-12 02:06 - 000376672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\clfs.sys
2017-07-12 15:30 - 2017-06-12 00:21 - 000590848 _____ (Microsoft Corporation) C:\Windows\system32\wvc.dll
2017-07-12 15:30 - 2017-06-11 23:43 - 000371200 _____ (Microsoft Corporation) C:\Windows\system32\msinfo32.exe
2017-07-12 15:30 - 2017-06-11 23:25 - 000478720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wvc.dll
2017-07-12 15:30 - 2017-06-11 23:15 - 001436672 _____ (Microsoft Corporation) C:\Windows\system32\wdc.dll
2017-07-12 15:30 - 2017-06-11 23:08 - 000358912 _____ (Microsoft Corporation) C:\Windows\system32\Wldap32.dll
2017-07-12 15:30 - 2017-06-11 23:07 - 000416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sysmon.ocx
2017-07-12 15:30 - 2017-06-11 23:00 - 000962560 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-07-12 15:30 - 2017-06-11 22:58 - 000334336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msinfo32.exe
2017-07-12 15:30 - 2017-06-11 22:40 - 001323008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdc.dll
2017-07-12 15:30 - 2017-06-11 22:35 - 000325120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Wldap32.dll
2017-07-12 15:30 - 2017-06-11 22:31 - 000781312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-07-12 15:30 - 2017-06-11 17:15 - 002013528 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2017-07-12 15:30 - 2017-06-06 22:52 - 003120640 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2017-07-12 15:30 - 2017-06-06 22:42 - 000925696 _____ (Microsoft Corporation) C:\Windows\system32\autoconv.exe
2017-07-12 15:30 - 2017-06-06 22:38 - 000039424 _____ (Microsoft Corporation) C:\Windows\system32\cnvfat.dll
2017-07-12 15:30 - 2017-06-06 22:36 - 000168448 _____ (Microsoft Corporation) C:\Windows\system32\uudf.dll
2017-07-12 15:30 - 2017-06-06 22:36 - 000020992 _____ (Microsoft Corporation) C:\Windows\system32\convert.exe
2017-07-12 15:30 - 2017-06-06 22:35 - 000517120 _____ (Microsoft Corporation) C:\Windows\system32\uReFS.dll
2017-07-12 15:30 - 2017-06-06 21:13 - 000177664 _____ (Microsoft Corporation) C:\Windows\system32\ulib.dll
2017-07-12 15:30 - 2017-06-06 21:11 - 000557568 _____ (Microsoft Corporation) C:\Windows\system32\untfs.dll
2017-07-12 15:30 - 2017-06-06 21:11 - 000220672 _____ (Microsoft Corporation) C:\Windows\system32\ifsutil.dll
2017-07-12 15:30 - 2017-06-06 21:11 - 000131072 _____ (Microsoft Corporation) C:\Windows\system32\ufat.dll
2017-07-12 15:30 - 2017-06-06 21:11 - 000088064 _____ (Microsoft Corporation) C:\Windows\system32\uexfat.dll
2017-07-12 15:30 - 2017-06-06 21:08 - 002712576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2017-07-12 15:30 - 2017-06-06 21:03 - 000837632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\autoconv.exe
2017-07-12 15:30 - 2017-06-06 20:59 - 000034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cnvfat.dll
2017-07-12 15:30 - 2017-06-06 20:57 - 000141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uudf.dll
2017-07-12 15:30 - 2017-06-06 20:56 - 000375296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uReFS.dll
2017-07-12 15:30 - 2017-06-06 20:03 - 000143360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ulib.dll
2017-07-12 15:30 - 2017-06-06 20:02 - 000513536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\untfs.dll
2017-07-12 15:30 - 2017-06-06 20:02 - 000197120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ifsutil.dll
2017-07-12 15:30 - 2017-06-06 20:02 - 000106496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ufat.dll
2017-07-12 15:30 - 2017-06-06 20:02 - 000074240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uexfat.dll
2017-07-12 15:30 - 2017-06-03 18:27 - 002346496 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2017-07-12 15:30 - 2017-06-03 18:03 - 001549312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2017-07-12 15:30 - 2017-05-31 23:20 - 000470360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2017-07-12 15:30 - 2017-05-16 00:09 - 000057688 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\stornvme.sys
2017-07-12 15:30 - 2017-05-15 22:03 - 000379744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2017-07-12 15:30 - 2017-05-09 16:37 - 000658432 _____ (Microsoft Corporation) C:\Windows\system32\WSDApi.dll
2017-07-12 15:30 - 2017-05-09 16:35 - 000555520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSDApi.dll
2017-07-12 15:30 - 2017-05-09 16:29 - 000025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wsdchngr.dll
2017-07-12 15:30 - 2017-05-09 16:29 - 000014848 _____ (Microsoft Corporation) C:\Windows\system32\snmptrap.exe
2017-07-12 15:30 - 2017-05-09 16:28 - 000193024 _____ (Microsoft Corporation) C:\Windows\system32\DAFWSD.dll
2017-07-12 15:30 - 2017-05-09 16:28 - 000030208 _____ (Microsoft Corporation) C:\Windows\system32\wsdchngr.dll
2017-07-12 15:30 - 2017-05-09 16:12 - 000448576 _____ C:\Windows\system32\ApnDatabase.xml
2017-07-12 15:30 - 2017-05-06 18:45 - 001114624 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2017-07-12 15:30 - 2017-05-06 18:41 - 000056832 _____ (Microsoft Corporation) C:\Windows\system32\rdsdwmdr.dll
2017-07-12 15:30 - 2017-05-02 22:09 - 000686592 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2017-07-12 15:30 - 2017-05-02 22:08 - 000415744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2017-07-12 15:30 - 2017-05-02 22:08 - 000243200 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2017-07-12 15:30 - 2017-05-02 20:41 - 000044032 _____ (Microsoft Corporation) C:\Windows\system32\sscore.dll
2017-07-12 15:30 - 2017-05-02 20:31 - 000329216 _____ (Microsoft Corporation) C:\Windows\system32\srvsvc.dll
2017-07-12 15:30 - 2017-05-02 20:31 - 000207360 _____ (Microsoft Corporation) C:\Windows\system32\smbwmiv2.dll
2017-07-12 15:30 - 2017-05-02 19:35 - 000031744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sscore.dll
2017-07-12 15:30 - 2017-04-30 18:48 - 000080078 _____ C:\Windows\system32\normidna.nls
2017-07-12 15:30 - 2017-04-28 03:13 - 001292288 _____ (Microsoft Corporation) C:\Windows\system32\certutil.exe
2017-07-12 15:30 - 2017-04-28 03:11 - 001060352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2017-07-12 15:19 - 2017-05-04 01:11 - 000103600 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-07-12 15:19 - 2017-05-03 15:43 - 001555968 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 001206272 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000620544 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000535552 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000325632 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000311296 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000217088 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000127488 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-07-06 22:53 - 2013-08-22 15:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts.20170706-225302.backup
2017-07-06 22:13 - 2017-07-06 22:13 - 000000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2017-07-06 22:02 - 2017-07-06 22:02 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Local\Downloaded Installations
2017-07-06 22:02 - 2017-07-06 22:02 - 000000000 ____D C:\Program Files\Enigma Software Group
2017-07-06 21:42 - 2017-07-06 21:42 - 000000000 ____D C:\Windows\pss

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-02 00:11 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\AppReadiness
2017-08-02 00:10 - 2014-07-02 09:33 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Roaming\ClassicShell
2017-08-01 23:41 - 2014-07-02 05:31 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4196555498-3720175132-1304911588-1001
2017-08-01 23:36 - 2014-07-06 22:24 - 000000836 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
2017-08-01 23:16 - 2014-03-18 12:03 - 000865068 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-01 23:16 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\Inf
2017-08-01 19:07 - 2016-11-21 17:16 - 000000000 ____D C:\Users\Martinez Séverine\AppData\LocalLow\Mozilla
2017-08-01 19:04 - 2013-08-22 16:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-01 18:49 - 2014-07-03 15:53 - 000000000 ____D C:\Desktop background pictures
2017-08-01 18:34 - 2014-09-13 22:43 - 000000000 ____D C:\ProgramData\Avira
2017-08-01 18:33 - 2014-09-13 22:43 - 000000000 ____D C:\Program Files (x86)\Avira
2017-08-01 17:00 - 2013-08-22 16:44 - 000471968 _____ C:\Windows\system32\FNTCACHE.DAT
2017-08-01 16:05 - 2017-05-05 23:17 - 000000000 ____D C:\Users\Martinez Séverine\Desktop\Drucken
2017-08-01 14:36 - 2015-01-26 20:18 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-08-01 14:36 - 2014-07-02 15:11 - 000000000 ____D C:\Windows\Panther
2017-08-01 14:12 - 2014-07-02 05:35 - 000000000 ____D C:\ProgramData\Package Cache
2017-08-01 14:04 - 2014-10-07 14:53 - 000000000 ____D C:\Users\Margot\AppData\Roaming\Avira
2017-08-01 14:04 - 2014-09-13 22:54 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Roaming\Avira
2017-07-31 14:45 - 2013-08-22 15:25 - 000524288 ___SH C:\Windows\system32\config\BBI
2017-07-31 12:24 - 2017-01-18 18:21 - 000000000 ____D C:\Users\Nicolas\AppData\Roaming\ClassicShell
2017-07-28 18:07 - 2017-01-18 18:17 - 000000000 ____D C:\Users\Nicolas
2017-07-28 18:07 - 2014-07-04 22:14 - 000000000 ____D C:\Users\Margot
2017-07-27 18:30 - 2014-07-02 14:57 - 135225752 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-07-27 18:10 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\System
2017-07-27 16:10 - 2013-08-22 17:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-07-26 18:43 - 2017-06-14 16:08 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Roaming\qBittorrent
2017-07-22 15:00 - 2013-08-22 17:36 - 000000000 ___HD C:\Program Files\WindowsApps
2017-07-19 19:28 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\rescache
2017-07-12 18:19 - 2014-12-12 00:34 - 000000000 ____D C:\Windows\system32\appraiser
2017-07-12 15:40 - 2014-07-02 14:57 - 000000000 ____D C:\Windows\system32\MRT
2017-07-12 15:38 - 2013-08-22 17:20 - 000000000 ____D C:\Windows\CbsTemp
2017-07-12 15:31 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\system32\Macromed
2017-07-12 15:30 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-07-11 14:31 - 2016-11-21 21:40 - 000000000 ____D C:\Users\Margot\AppData\LocalLow\Mozilla
2017-07-11 14:20 - 2014-07-04 22:19 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4196555498-3720175132-1304911588-1003
2017-07-08 00:02 - 2014-07-02 05:26 - 000000000 ____D C:\Users\Martinez Séverine
2017-07-07 17:05 - 2014-07-04 20:49 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-07-06 22:24 - 2015-04-28 16:54 - 000000000 ____D C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2017-07-06 22:24 - 2014-07-05 14:43 - 000000000 ____D C:\ProgramData\Apple
2017-07-06 17:32 - 2014-07-02 09:19 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-07-03 21:02 - 2017-01-19 00:09 - 000000000 ____D C:\Users\Nicolas\AppData\LocalLow\Mozilla
2017-07-03 20:16 - 2017-01-18 18:23 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4196555498-3720175132-1304911588-1004

==================== Files in the root of some directories =======

2014-07-02 05:40 - 2014-07-02 05:40 - 000000000 ____H () C:\ProgramData\DP45977C.lfl
2017-06-25 12:56 - 2017-06-25 13:00 - 000000367 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
2014-10-07 14:48 - 2014-10-07 14:48 - 000000000 ____D () C:\Users\Margot\AppData\Local\Temp\avgnt.exe
2017-08-01 23:30 - 2017-08-01 23:30 - 007235264 _____ () C:\Users\Martinez Séverine\AppData\Local\Temp\paint.net.4.0.17.install.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-07-27 15:28

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 31-07-2017
Ran by Martinez Séverine (02-08-2017 00:29:24)
Running from D:\Farbar Recovery Scan Tool BleepingComputer
Windows 8.1 (Update) (X64) (2014-07-02 03:26:32)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4196555498-3720175132-1304911588-500 - Administrator - Disabled)
Guest (S-1-5-21-4196555498-3720175132-1304911588-501 - Limited - Disabled)
Margot (S-1-5-21-4196555498-3720175132-1304911588-1003 - Limited - Enabled) => C:\Users\Margot
Martinez Séverine (S-1-5-21-4196555498-3720175132-1304911588-1001 - Administrator - Enabled) => C:\Users\Martinez Séverine
Nicolas (S-1-5-21-4196555498-3720175132-1304911588-1004 - Limited - Enabled) => C:\Users\Nicolas

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Enabled - Up to date) {B3F630BD-538D-1B4A-14FA-14B63235278F}
AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avira Antivirus (Enabled - Up to date) {0897D159-75B7-14C4-2E4A-2FC449B26D32}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 14.0.0.110 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
AMD Catalyst Install Manager (HKLM\...\{82DEBC0B-5BAD-5918-2EDB-7C78BE01BA59}) (Version: 8.0.915.0 - Advanced Micro Devices, Inc.)
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.28.28 - Avira Operations GmbH & Co. KG)
Avira Connect (HKLM-x32\...\{661C79C2-D156-419C-81CA-D1A2523B0841}) (Version: 1.2.91.10326 - Avira Operations GmbH & Co. KG) Hidden
Avira Connect (HKLM-x32\...\{dd9049b8-31d1-40bd-8c8c-97a7b087a78f}) (Version: 1.2.91.10326 - Avira Operations GmbH & Co. KG)
Avira Phantom VPN (HKLM-x32\...\Avira Phantom VPN) (Version: 2.9.1.24376 - Avira Operations GmbH & Co. KG)
BufferChm (HKLM-x32\...\{FA0FF682-CC70-4C57-93CD-E276F3E7537E}) (Version: 140.0.298.000 - Hewlett-Packard) Hidden
Canon Easy-PhotoPrint EX (HKLM-x32\...\Easy-PhotoPrint EX) (Version: 4.1.6 - Canon Inc.)
Classic Shell (HKLM\...\{840C85B7-D3D6-4143-9AF9-DAE80FD54CFC}) (Version: 4.1.0 - IvoSoft)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - Acro Software Inc.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Destinations (HKLM-x32\...\{D0DFDFA8-1C04-407B-9CB2-A25AB20DD54D}) (Version: 140.0.0.0 - Hewlett-Packard) Hidden
DocProc (HKLM-x32\...\{9B362566-EC1B-4700-BB9C-EC661BDE2175}) (Version: 140.0.185.000 - Hewlett-Packard) Hidden
Dropbox (HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\Dropbox) (Version: 2.8.4 - Dropbox, Inc.)
Gadwin PrintScreen (HKLM-x32\...\Gadwin PrintScreen) (Version: 4.4 - Gadwin Systems, Inc.)
HP Update (HKLM-x32\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard)
hpg5590 (HKLM-x32\...\{10B58EAF-76E3-4382-95B2-4B6C6CB5B49E}) (Version: 140.000.000.000 - Nom de votre société) Hidden
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Microsoft OneDrive (HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\OneDriveSetup.exe) (Version: 17.3.6799.0327 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 54.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 54.0.1 (x86 en-US)) (Version: 54.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 54.0.1.6388 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MuseScore 1.3 (HKLM-x32\...\MuseScore) (Version: 1.3.0 - Werner Schweer and Others)
paint.net (HKLM\...\{02D89175-E08F-401B-BA30-8B7512B57724}) (Version: 4.0.17 - dotPDN LLC)
qBittorrent 3.3.13 (HKLM-x32\...\qBittorrent) (Version: 3.3.13 - The qBittorrent project)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.24.1218.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7071 - Realtek Semiconductor Corp.)
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.63.0 - Samsung Electronics Co., Ltd.)
Scan (HKLM-x32\...\{B860FDB8-EC49-47D2-8E9C-3B6C1F437134}) (Version: 14.0.1.0 - Hewlett-Packard) Hidden
Scratch 2 Offline Editor (HKLM-x32\...\{05CBF5E1-BE0B-D8C0-5175-D62BC1F8A21D}) (Version: 255 - Massachusetts Institute of Technology) Hidden
Scratch 2 Offline Editor (HKLM-x32\...\edu.media.mit.Scratch2Editor) (Version: 454 - Massachusetts Institute of Technology)
Skype™ 6.16 (HKLM-x32\...\{1845470B-EB14-4ABC-835B-E36C693DC07D}) (Version: 6.16.105 - Skype Technologies S.A.)
Smart Switch (HKLM-x32\...\{74FA5314-85C8-4E2A-907D-D9ECCCB770A7}) (Version: 4.1.17022.20 - Samsung Electronics Co., Ltd.) Hidden
Smart Switch (HKLM-x32\...\InstallShield_{74FA5314-85C8-4E2A-907D-D9ECCCB770A7}) (Version: 4.1.17022.20 - Samsung Electronics Co., Ltd.)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.29480 - TeamViewer)
Text-To-Speech-Runtime (HKLM-x32\...\{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}) (Version: 1.0.0.0 - Magix Development GmbH)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WebReg (HKLM-x32\...\{8EE94FD8-5F52-4463-A340-185D16328158}) (Version: 140.0.297.017 - Hewlett-Packard) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WinPcap 4.1.2 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2001 - CACE Technologies)
WinRAR 5.31 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)
Zahlenbuch 1 (HKLM-x32\...\Zahlenbuch 1) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileCoAuthLib64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)
ContextMenuHandlers1: [Shell Extension for Malware scanning] -> {45AC2688-0253-4ED8-97DE-B5370FA7D48A} => C:\Program Files (x86)\Avira\Antivirus\shlext64.dll [2017-07-04] (Avira Operations GmbH & Co. KG)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => D:\WINRAR\rarext64.dll [2016-02-04] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => D:\WINRAR\rarext.dll [2016-02-04] (Alexander Roshal)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll [2013-11-01] (Advanced Micro Devices, Inc.)
ContextMenuHandlers6: [Shell Extension for Malware scanning] -> {45AC2688-0253-4ED8-97DE-B5370FA7D48A} => C:\Program Files (x86)\Avira\Antivirus\shlext64.dll [2017-07-04] (Avira Operations GmbH & Co. KG)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper64.dll [2014-04-20] (IvoSoft)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => D:\WINRAR\rarext64.dll [2016-02-04] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => D:\WINRAR\rarext.dll [2016-02-04] (Alexander Roshal)
ContextMenuHandlers1_S-1-5-21-4196555498-3720175132-1304911588-1001: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)
ContextMenuHandlers4_S-1-5-21-4196555498-3720175132-1304911588-1001: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)
ContextMenuHandlers5_S-1-5-21-4196555498-3720175132-1304911588-1001: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox, Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {BC841E27-F833-4A38-9B56-38EDA5ADC311} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2017-07-27] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\DriverToolkit Autorun.job => D:\HP Scanjet 4370\DriverToolkit\DriverToolkit.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2015-06-15 22:08 - 2013-10-23 15:24 - 000087600 _____ () C:\Windows\System32\cpwmon64.dll
2013-11-01 11:46 - 2013-11-01 11:46 - 000102400 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2017-08-01 23:30 - 2017-08-01 23:30 - 007235264 _____ () C:\Users\Martinez Séverine\AppData\Local\Temp\paint.net.4.0.17.install.exe
2017-07-21 03:03 - 2017-07-21 03:03 - 000133192 _____ () C:\Users\Martinez Séverine\AppData\Local\Temp\PdnSetup\SetupShim.exe
2017-07-21 03:04 - 2017-07-21 03:04 - 001091144 _____ () C:\Users\Martinez Séverine\AppData\Local\Temp\PdnSetup\x64\PaintDotNet.SystemLayer.Native.x64.dll
2017-08-01 23:36 - 2017-08-01 23:36 - 000010752 _____ () C:\Users\Martinez Séverine\AppData\Local\Temp\nsgFFA4.tmp\System.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7936 more sites.

IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\123simsen.com -> www.123simsen.com

There are 7936 more sites.


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 15:25 - 2013-08-22 15:25 - 000000824 ____N C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Martinez Séverine\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 194.154.192.101 - 194.154.192.102
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Adobe ARM"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "QuickTime Task"
HKLM\...\StartupApproved\Run32: => "HP Software Update"
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\StartupApproved\Run: => "cacaoweb"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{C27AB382-FA7C-40B6-99B0-F937AAF4A625}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{5369A80C-383D-4896-9673-7DAD321B2536}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{EDAAFE55-EC5A-4E41-9B14-7DE243CB723B}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{CFA0BFE2-B87B-4BC2-B2CC-B994E8257137}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{91959BEA-31D7-4DB3-BB98-F06AFF0D4506}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [TCP Query User{7BE00473-951F-4A8D-BF06-DD65B7879D9C}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{3807AB16-8A67-45C8-A309-D80364157B93}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{20CC5836-A03E-4CAF-BFFA-3AD7E7658513}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{D2895C0E-DEEA-41A0-B813-FF00798F5937}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{E0306EFC-59F5-47F6-8359-1FF35CA13FAB}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{8A44A126-323F-44F5-9337-792350F2716E}] => (Allow) LPort=2869
FirewallRules: [{38FBC4D5-75D6-4E8C-B836-88ABEFF66640}] => (Allow) LPort=1900
FirewallRules: [{845ACCEF-95E9-4ECB-9F74-0B29421B4A35}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3FB5CB4E-96B9-4243-8712-5B1D52265E8F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{398CF602-3895-4C2E-90F0-F204C152AC98}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{A15B9686-9CAA-4436-B095-B4EA7D2199AA}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{8025B988-3192-4D7A-9575-CB3C901E187E}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{4525ED1E-87BF-4F66-9687-8859E2E8D4C5}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [TCP Query User{AC7D4296-DA90-4D6B-8AFD-AAC90C64F297}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Allow) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [UDP Query User{A231AC9C-C1F4-4566-A417-15C039A57A14}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Allow) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [TCP Query User{60D576CF-B141-47B8-BA91-F608CE489B1A}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Block) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [UDP Query User{15E79FBD-2DCB-4FDC-8F8C-6F8E68D17A18}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Block) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [{D3148C65-6208-4989-B0E8-56D3E9718DD7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D539F3F4-10B2-4B12-8075-536FFD215EB3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{F22165F9-64A1-4F79-A76C-B9CB6DDEF604}D:\emule\emule.exe] => (Allow) D:\emule\emule.exe
FirewallRules: [UDP Query User{E729EE87-7030-45EB-A584-21FBAEF75A01}D:\emule\emule.exe] => (Allow) D:\emule\emule.exe
FirewallRules: [{98148015-9000-41C3-9C35-4BF906F56043}] => (Allow) D:\qBittorrent\qbittorrent.exe
FirewallRules: [{5FB4F86E-A59C-45D2-86D2-DE32C9C85586}] => (Allow) D:\qBittorrent\qbittorrent.exe
FirewallRules: [{D936B8BA-A945-4043-A7A2-C68B800CC84B}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Temp\7zS348B\HPDiagnosticCoreUI.exe
FirewallRules: [{4CFC9AD5-9993-47A4-9F25-7C14D6593CEA}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Temp\7zS348B\HPDiagnosticCoreUI.exe
FirewallRules: [{89D60B3C-638A-4782-AD42-2419FA6DE4B1}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Temp\7zS352F\HPDiagnosticCoreUI.exe
FirewallRules: [{B1050C5C-4A51-44BB-AEAB-72FA4DBB43A9}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Temp\7zS352F\HPDiagnosticCoreUI.exe
FirewallRules: [{63F6FEE5-E1A7-4551-A78B-8A56F4D3F317}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqkygrp.exe
FirewallRules: [{1CF62F40-50C0-4544-A406-A9918F598FEF}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpfccopy.exe
FirewallRules: [{EB231610-939F-4603-9A39-48431285DBE2}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe
FirewallRules: [{7030F71B-843E-4B21-B649-E2E0C6E59A55}] => (Allow) C:\Program Files (x86)\HP\hp software update\hpwucli.exe
StandardProfile\AuthorizedApplications: [D:\FOTOBUCH\fotobuch.de\Designer 2.0\Designer.exe] => Designer.exe

==================== Restore Points =========================

27-07-2017 18:11:37 Installé Microsoft Office Standard Edition 2003
01-08-2017 14:36:41 Avira System Speedup Optimization

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/02/2017 12:30:30 AM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1272) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/02/2017 12:30:30 AM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1272) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (08/02/2017 12:30:20 AM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1272) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/02/2017 12:30:20 AM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1272) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (08/02/2017 12:30:10 AM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1272) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/02/2017 12:30:10 AM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1272) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (08/02/2017 12:29:40 AM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1272) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/02/2017 12:29:40 AM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1272) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (08/02/2017 12:29:30 AM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1272) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/02/2017 12:29:30 AM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1272) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).


System errors:
=============
Error: (08/01/2017 08:14:16 PM) (Source: DCOM) (EventID: 10010) (User: Martinez-PC)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.

Error: (08/01/2017 08:13:46 PM) (Source: DCOM) (EventID: 10010) (User: Martinez-PC)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.

Error: (08/01/2017 07:05:48 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:
An instance of the service is already running.

Error: (08/01/2017 07:05:48 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Group Policy Client service, but this action failed with the following error:
An instance of the service is already running.

Error: (08/01/2017 07:04:48 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error:
An instance of the service is already running.

Error: (08/01/2017 07:03:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Management Instrumentation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (08/01/2017 07:03:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Themes service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (08/01/2017 07:03:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Shell Hardware Detection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (08/01/2017 07:03:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The System Event Notification Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (08/01/2017 07:03:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Task Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.


CodeIntegrity:
===================================
  Date: 2015-06-15 15:48:46.132
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\PDFCRE~1\PDFCRE~1\PDFSpool.exe) attempted to load \Device\HarddiskVolume1\PDF CREATOR\PDFCreator\PDFCreator.exe that did not meet the Microsoft signing level requirements.

  Date: 2015-06-15 15:48:24.400
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\PDFCRE~1\PDFCRE~1\PDFSpool.exe) attempted to load \Device\HarddiskVolume1\PDF CREATOR\PDFCreator\PDFCreator.exe that did not meet the Microsoft signing level requirements.

  Date: 2014-08-24 20:45:08.603
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:45:08.431
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:38.151
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:38.026
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:37.792
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:37.667
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:37.339
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:37.214
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: AMD A4-6300 APU with Radeon™ HD Graphics
Percentage of memory in use: 56%
Total physical RAM: 3268.81 MB
Available physical RAM: 1422.04 MB
Total Virtual: 4132.81 MB
Available Virtual: 1448.9 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.45 GB) (Free:55.29 GB) NTFS
Drive d: (PROGRAMME) (Fixed) (Total:116.44 GB) (Free:112.83 GB) NTFS
Drive f: (HDD) (Fixed) (Total:29.99 GB) (Free:10.77 GB) NTFS
Drive g: (PHOTOS (800GByte)) (Fixed) (Total:815.07 GB) (Free:429.13 GB) NTFS
Drive h: (DATA) (Fixed) (Total:194.88 GB) (Free:144.68 GB) NTFS
Drive i: (VERBATIM HD) (Fixed) (Total:2047.49 GB) (Free:1843.52 GB) FAT32
Drive l: (VERBATIM HD) (Fixed) (Total:746.33 GB) (Free:746.33 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 24D034DD)
Partition 1: (Not Active) - (Size=116.4 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=815.1 GB) - (Type=OF Extended)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: DFBD69BF)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.4 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: ACE22E9E)
Partition 1: (Not Active) - (Size=8 GB) - (Type=1C)
Partition 2: (Active) - (Size=30 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=194.9 GB) - (Type=07 NTFS)

========================================================
Disk: 4 (Size: 2048 GB) (Disk ID: F6C23F19)
Partition 1: (Not Active) - (Size=2048 GB) - (Type=0C)

========================================================
Disk: 5 (Size: 746.5 GB) (Disk ID: 750990D4)
Partition 1: (Not Active) - (Size=746.5 GB) - (Type=0C)

==================== End of Addition.txt ============================

 

 


#2 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,855 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 02 August 2017 - 07:22 AM

5Donkeys:

 
:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil.  May I address you by your first name?
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I would ask that you please continue to copy and paste the contents of all requested log files directly into your replies.   Please do not use "code" or "quote" boxes.  Thank you for your anticipated cooperation.
 
I will need some time to review your FRST logs.  That could take a day or two.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall


#3 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,855 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 02 August 2017 - 12:06 PM

5Donkeys:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

:step1: In going over your logs I noticed that you have qBittorrent installed. Please consider the following advice to reduce the possibility of being infected when surfing the web.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, your computer will get infected again.
I would recommend that you uninstall qBittorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

.

:step2: I am seeing a Task Entry in the Addition.txt file. I am not seeing Driver Toolkit in the list of installed programs.
 

Task: C:\Windows\Tasks\DriverToolkit Autorun.job => D:\HP Scanjet 4370\DriverToolkit\DriverToolkit.exe


Bleeping Computer does not recommend the use of driver updaters. Please see this link for additional information on driver updater programs.

If you wish to keep that "orphaned task", please remove the line from the FRST "fixlist" script before executing the fix. Just copy and paste the script into Notepad, remove the line, and then re-copy the remaining script to the Windows Clipboard.

.

:step3: The listed file is HIGHLY suspicious.
Please upload the following file to VirusTotal:

C:\Users\Martinez Séverine\AppData\Local\Temp\nsgFFA4.tmp\System.dll
  • Please press the Scan it! button to produce a fresh scan.
  • When the scan completes, please copy and paste the URL/link at the top of the screen into your next reply so that I can review the scan results.
  • Please do not delete the file if it comes back positive as malware. I would like to review the VirusTotal results to see what else might be associated with this possible malware to make sure that we "nuke" everything in one pass.  Often some classes of malware will "re-spawn" if all of the components are not removed simultaneously.

.

:step4: Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll => No File
BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll => No File
2017-07-07 17:05 - 2014-07-04 20:49 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
Task: C:\Windows\Tasks\DriverToolkit Autorun.job => D:\HP Scanjet 4370\DriverToolkit\DriverToolkit.exe
FirewallRules: [TCP Query User{AC7D4296-DA90-4D6B-8AFD-AAC90C64F297}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Allow) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [UDP Query User{A231AC9C-C1F4-4566-A417-15C039A57A14}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Allow) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [TCP Query User{60D576CF-B141-47B8-BA91-F608CE489B1A}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Block) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [UDP Query User{15E79FBD-2DCB-4FDC-8F8C-6F8E68D17A18}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Block) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
C:\users\martinez séverine\appdata\roaming\cacaoweb
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST64.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
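The triage Phil describes above (an orphaned DriverToolkit task, "=> No File" BHO entries, and cacaoweb firewall rules pointing into AppData) can be partly automated. The Python script below is an added example written for this thread; it is not FRST's code and not something Phil posted. It parses FRST-style FirewallRules, Task and BHO lines and reports the ones a helper would want to review. The regular expressions approximate FRST's line format as it appears in this log, the sample lines are copied from this thread, and the list of user-writable folders is my own heuristic, not an FRST rule.

```python
"""Triage of FRST Addition.txt-style lines (constructed example).

FRST prints firewall rules, scheduled tasks and browser helper objects one per
line. The first things a helper checks are (a) entries whose target sits in a
user-writable folder such as %TEMP% or %APPDATA%, where adware and PUPs like
to install, (b) entries whose target is gone ("=> No File"), i.e. leftovers of
an uninstalled program, and (c) tasks that launch something outside the usual
program locations.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Approximations of three FRST line shapes seen in this thread (not FRST's own parser).
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<name>[^\]]+)\] => \((?P<action>Allow|Block)\) (?P<target>.+)$")
TASK_RE = re.compile(r"^Task: (?P<job>.+?) => (?P<target>.+)$")
BHO_RE = re.compile(
    r"^BHO(?:-x32)?: (?P<name>.+?) -> \{(?P<clsid>[0-9A-Fa-f-]+)\} -> (?P<target>.+)$")

# Heuristic list of user-writable locations (my assumption); compared case-insensitively.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                         "\\appdata\\local\\", "\\downloads\\")
# Locations a scheduled task is normally expected to point into.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")


@dataclass
class Finding:
    line: str
    kind: str                 # "firewall", "task" or "bho"
    target: str               # the executable/DLL the entry points at
    reasons: List[str] = field(default_factory=list)


def _split_status(target: str):
    """Separate FRST's trailing '=> No File' marker from the path."""
    marker = "=> No File"
    if target.endswith(marker):
        return target[: -len(marker)].strip(), True
    return target.strip(), False


def classify(line: str) -> Optional[Finding]:
    """Parse one line; return None for line shapes this helper does not handle."""
    line = line.strip()
    for kind, rx in (("firewall", FIREWALL_RE), ("task", TASK_RE), ("bho", BHO_RE)):
        m = rx.match(line)
        if not m:
            continue
        target, missing = _split_status(m.group("target"))
        low = target.lower()
        reasons = []
        if missing:
            reasons.append("orphaned: target file no longer exists")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("target lives in a user-writable folder")
        if kind == "task" and not low.startswith(TRUSTED_PREFIXES):
            reasons.append("task launches a program outside Program Files / Windows")
        return Finding(line, kind, target, reasons)
    return None


def triage(lines) -> List[Finding]:
    """Keep only the parsed entries that have at least one reason for review."""
    return [f for f in map(classify, lines) if f is not None and f.reasons]


# Sample lines copied from the logs in this thread.
SAMPLE_LINES = [
    r"FirewallRules: [{D936B8BA-A945-4043-A7A2-C68B800CC84B}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Temp\7zS348B\HPDiagnosticCoreUI.exe",
    r"FirewallRules: [{63F6FEE5-E1A7-4551-A78B-8A56F4D3F317}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqkygrp.exe",
    r"Task: C:\Windows\Tasks\DriverToolkit Autorun.job => D:\HP Scanjet 4370\DriverToolkit\DriverToolkit.exe",
    r"BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll => No File",
    r"FirewallRules: [TCP Query User{AC7D4296-DA90-4D6B-8AFD-AAC90C64F297}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Allow) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe",
    r"SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against a whole Addition.txt, the script narrows hundreds of lines down to the handful worth a human look. A flagged entry is a prompt for review, not a verdict: the HP diagnostic rules under Temp are legitimate but stale, while the cacaoweb rules in AppData\Roaming are the kind of entry the fixlist above removes.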


#4 5Donkeys

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female

Posted 03 August 2017 - 09:53 AM

Hello Phil,

thanks a lot for your quick and detailed replies. Of course, you can call me by my first name, it's Séverine. Nice to meet you!

I will follow the instructions as well as possible and ask you if something is unclear to me.

- I copied all my personal documents and pictures to an external drive. This took hours, that's why I didn't answer the post earlier - sorry for that!

- CD/DVD emulation software has been disabled with Defogger following the link and instructions you provided.

- I did not use Firefox but to come to this thread and to follow the links provided by BC since I first posted. As I'm not sure since when I'm infected, will I need to change all my passwords when you give me the "all clear"?

:step1: qBittorrent has been removed as per your instructions. There is no need for this.

:step2: How can I find out if I have Driver Toolkit and how can I make it visible for you?
If Driver Updaters are not needed and even counterproductive, I'm ready to get rid of them.
I followed your link and read the comments of Aura and buddy215. Should I follow all the instructions of buddy215?

:step3:  I tried to find C:\Users\Martinez Séverine\AppData\Local\Temp\nsgFFA4.tmp\System.dll on my PC. I could follow the path until C:\Users\Martinez Séverine\AppData\Local\Temp\, but there was no folder \nsgFFA4.tmp. I made a search on C:\ for nsgFFA4.tmp, with no result. I'm sorry, I don't know what happened there.

:step4:  I ran a FRST fix as per your instructions and restarted the program as requested by FRST.

Here is the script of the log file called "fixlog.txt":

Fix result of Farbar Recovery Scan Tool (x64) Version: 31-07-2017
Ran by Martinez Séverine (02-08-2017 22:47:09) Run:1
Running from D:\Farbar Recovery Scan Tool BleepingComputer
Loaded Profiles: Martinez Séverine & Margot (Available Profiles: Martinez Séverine & Margot & Nicolas)
Boot Mode: Normal
==============================================

fixlist content:
*****************

CreateRestorePoint:
CloseProcesses:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll => No File
BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll => No File
2017-07-07 17:05 - 2014-07-04 20:49 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
Task: C:\Windows\Tasks\DriverToolkit Autorun.job => D:\HP Scanjet 4370\DriverToolkit\DriverToolkit.exe
FirewallRules: [TCP Query User{AC7D4296-DA90-4D6B-8AFD-AAC90C64F297}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Allow) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [UDP Query User{A231AC9C-C1F4-4566-A417-15C039A57A14}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Allow) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [TCP Query User{60D576CF-B141-47B8-BA91-F608CE489B1A}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Block) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
FirewallRules: [UDP Query User{15E79FBD-2DCB-4FDC-8F8C-6F8E68D17A18}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe] => (Block) C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe
C:\users\martinez séverine\appdata\roaming\cacaoweb

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} => key removed successfully
HKLM\Software\Classes\CLSID\{9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} => key removed successfully
C:\ProgramData\Spybot - Search & Destroy => moved successfully
C:\Windows\Tasks\DriverToolkit Autorun.job => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{AC7D4296-DA90-4D6B-8AFD-AAC90C64F297}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{A231AC9C-C1F4-4566-A417-15C039A57A14}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{60D576CF-B141-47B8-BA91-F608CE489B1A}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{15E79FBD-2DCB-4FDC-8F8C-6F8E68D17A18}C:\users\martinez séverine\appdata\roaming\cacaoweb\cacaoweb.exe => value removed successfully
"C:\users\martinez séverine\appdata\roaming\cacaoweb" => not found.


The system needed a reboot.

==== End of Fixlog 22:47:34 ====

Thank you so much, Phil!

Have a nice day,

Séverine


Edited by 5Donkeys, 03 August 2017 - 09:59 AM.


#5 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,855 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 04 August 2017 - 11:28 AM

Séverine:

Thank you for copying and pasting your FRST "fixlog.txt" results. They look good.

Thank you also for permission to address you by your first name! :)

Thank you also for uninstalling qBittorrent. You have just greatly improved your computer security profile! :thumbup2:

All I found of "Driver Toolkit" was that task. It is not an installed program, so probably, I am guessing, it was installed on your computer at one point in time, and then uninstalled, leaving that orphaned task behind that I deleted for you.


 

As I'm not sure since when I'm infected, will I need to change all my passwords when you give me the "all clear"?


Don't be too concerned, ... so far. I have not seen any evidence in the FRST logs of a backdoor trojan that would steal passwords; however, we are going to thoroughly scan your computer for all forms of malware using standard anti-malware programs. I will let you know immediately if I see any programs in the scan results that could potentially steal passwords and user account names, etc. So for now, you can relax a little.

As for that "System.dll" file, it might be a temporary file being generated in randomly-named folders. It might also be a hidden file, and if you haven't turned on "Show Hidden Files" in Windows Explorer, then you would not see it. Let's take a look and see if we can find it.

.

:step1: Please download SystemLook from one of the links below and save it to your Desktop.
For 64-bit versions of Windows: SystemLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
System.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please copy and paste the contents of this log into your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

.

:step2: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus; how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select: "Enable detection of potentially unwanted applications" - Yes.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

:step3: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended)."
  • Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

The Scan log is available through History -> Application logs. Please copy and paste the contents of the log into your next reply.

.

Thank you and have a great weekend, Séverine.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
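
As an added example (not part of Phil's instructions and not SystemLook's own code), here is a small Python script that does what the `:filefind` directive above does: walk a drive, match a file name case-insensitively, and report size, modification time and MD5 per hit. It then groups hits by hash, because the useful signal in a SystemLook report is usually not the long list of identical WinSxS copies but a lone hash in an odd location. The sample directory tree it builds is constructed for the demo.

```python
"""Added example: a Python equivalent of SystemLook's ':filefind' check.

Walks a directory tree, matches a file name ignoring case (Windows paths are
case-insensitive, which is why SystemLook lists both 'system.dll' and
'System.dll'), reports size / mtime / MD5 per hit, and groups hits by hash.
The sample tree below is constructed so the script runs stand-alone."""
import hashlib
import os
import tempfile
from datetime import datetime


def md5_of_file(path, chunk_size=1 << 20):
    """Hash in chunks; a multi-megabyte DLL should not be read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def filefind(root, name):
    """Return one record per file under `root` whose name equals `name`, ignoring case."""
    wanted = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != wanted:
                continue
            full = os.path.join(dirpath, fn)
            try:
                st = os.stat(full)
                md5 = md5_of_file(full)
            except OSError:
                continue  # vanished or access denied: skip it, don't abort the whole scan
            hits.append({
                "path": full,
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime),
                "md5": md5,
            })
    return sorted(hits, key=lambda r: r["path"].lower())


def group_by_hash(records):
    """Map MD5 -> list of paths. Dozens of WinSxS copies sharing one hash are a
    serviced component; a hash seen once, outside Windows or Program Files, is
    the kind of entry that deserves a second look."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["md5"], []).append(rec["path"])
    return groups


def format_report(records):
    """Mimic SystemLook's one-line-per-hit layout: path, size, [HH:MM DD/MM/YYYY], MD5."""
    return "\n".join(
        f"{r['path']}    {r['size']} bytes    [{r['modified']:%H:%M %d/%m/%Y}]    {r['md5']}"
        for r in records
    )


def build_sample_tree():
    """Constructed sample: two identical copies of System.dll, one empty copy, one unrelated file."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    os.makedirs(os.path.join(root, "a", "b"))
    os.makedirs(os.path.join(root, "c"))
    os.makedirs(os.path.join(root, "d"))
    blob = b"MZ" + b"\x00" * 100
    with open(os.path.join(root, "a", "b", "System.dll"), "wb") as fh:
        fh.write(blob)
    with open(os.path.join(root, "c", "system.dll"), "wb") as fh:
        fh.write(blob)  # same bytes -> same MD5 as the copy above
    with open(os.path.join(root, "d", "SYSTEM.DLL"), "wb") as fh:
        fh.write(b"")   # empty file: MD5 D41D8CD98F00B204E9800998ECF8427E
    with open(os.path.join(root, "c", "other.dll"), "wb") as fh:
        fh.write(b"not a match")
    return root


def demo():
    """Run filefind over the constructed tree; returns the hit records."""
    return filefind(build_sample_tree(), "System.dll")


if __name__ == "__main__":
    found = demo()
    print(format_report(found))
    for digest, paths in group_by_hash(found).items():
        print(f"{digest}: {len(paths)} copy/copies")
```

To use it on a real machine, call `filefind("C:\\", "System.dll")` from an elevated prompt; like SystemLook, it will only see what the running account can read, and a file that is created and deleted again by a running process will not be on disk at scan time, which is why the FRST re-scan in the later post is still needed.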


#6 5Donkeys

5Donkeys
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Female
  • Local time:06:09 AM

Posted 05 August 2017 - 03:31 PM

Hi Phil,

Hope you're doing fine!

Thanks for your detailed reply, it's really easy to follow the steps :)

Thanks for deleting the orphaned Driver Toolkit task.

Regarding the mentioned System.dll file, I had Show hidden files turned on from Control Panel > Folder Options > View.

Now to your instructions and results :) :
:step1:  I downloaded to my Desktop the program SystemLook by following the link you provided. I copied the text and clicked on Look. Here is the content of the Notepad Log:


SystemLook 30.07.11 by jpshortstuff
Log created at 16:04 on 05/08/2017 by Martinez Séverine
Administrator - Elevation successful

========== filefind ==========

Searching for "System.dll"
C:\Program Files\Microsoft Silverlight\5.1.50907.0\system.dll    --a---- 239248 bytes    [21:02 03/05/2017]    [21:02 03/05/2017] 392219E04281C2B3FAFD7D7CA4C6F242
C:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\system.dll    --a---- 239248 bytes    [20:34 03/05/2017]    [20:34 03/05/2017] 39CB585ED5C43C74F7C2169B53EB2DE9
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll    --a---- 3203072 bytes    [13:20 12/05/2017]    [13:14 30/03/2017] 8C781E3B0EA57E7CDB7DD5FAC0AD873F
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll    --a---- 3526272 bytes    [15:19 19/06/2017]    [21:53 21/04/2017] D2405BD573A9BF3447A612B75D5AC871
C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.dll    --a---- 3203072 bytes    [13:20 12/05/2017]    [13:14 30/03/2017] 8C781E3B0EA57E7CDB7DD5FAC0AD873F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll    --a---- 3526272 bytes    [15:19 19/06/2017]    [21:53 21/04/2017] D2405BD573A9BF3447A612B75D5AC871
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.dll    --a---- 3203072 bytes    [13:20 12/05/2017]    [13:15 30/03/2017] 8C781E3B0EA57E7CDB7DD5FAC0AD873F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.dll    --a---- 3526272 bytes    [15:19 19/06/2017]    [21:53 21/04/2017] D2405BD573A9BF3447A612B75D5AC871
C:\Windows\WinSxS\amd64_netfx-system_b03f5f7f11d50a3a_6.3.9600.16384_none_05e079fe0537bfaf\System.dll    --a---- 11931 bytes    [13:23 12/08/2014]    [13:02 03/11/2014] 11402245423A20F6C620786E49D34338
C:\Windows\WinSxS\amd64_netfx-system_b03f5f7f11d50a3a_6.3.9600.17237_none_05db363e053c8ab5\System.dll    --a---- 20679 bytes    [18:57 18/10/2014]    [01:42 07/07/2017] FACB055A13358A27C0FA11D469EA7593
C:\Windows\WinSxS\amd64_netfx-system_b03f5f7f11d50a3a_6.3.9600.20719_none_ef0b5ee41ee5ef6c\System.dll    --a---- 2509 bytes    [18:57 18/10/2014]    [13:02 03/11/2014] 184486F14B1FA506EA6FBF91F8F03BF8
C:\Windows\WinSxS\amd64_netfx-system_b03f5f7f11d50a3a_6.3.9600.20997_none_ef138e7c1ede8784\System.dll    --a---- 3203072 bytes    [13:20 12/05/2017]    [13:15 30/03/2017] 8C781E3B0EA57E7CDB7DD5FAC0AD873F
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.16404_none_e9ffa004e0b8d635\System.dll    --a---- 102499 bytes    [10:13 18/03/2014]    [13:02 03/11/2014] F9AE2B40108C4F830CC7FB5161349607
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.17187_none_ea07604ee0b1ea04\System.dll    --a---- 37738 bytes    [19:45 18/12/2015]    [12:24 28/12/2015] A6A57D8AD692693C6E4ABC5B619E384A
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.17253_none_ea04ba6ce0b437cc\System.dll    --a---- 393354 bytes    [18:57 18/10/2014]    [01:47 29/01/2016] 06296D7CDA76436DBD5FD76BFBE6957C
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.18035_none_ea028e76e0b634e5\System.dll    --a---- 143177 bytes    [23:59 21/01/2016]    [01:47 29/01/2016] BE8E906A3FC8E4B22459AE5FCD053981
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.18555_none_ea048e56e0b46928\System.dll    --a---- 39796 bytes    [22:45 21/01/2016]    [12:02 03/01/2017] B7BE5A7274841689CEE85F4E266120E2
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.20681_none_d33a3fc8fa58b461\System.dll    --a---- 36843 bytes    [19:45 18/12/2015]    [12:24 28/12/2015] 1FF8B1D00D9590FD1BE0E8914B89236C
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.20728_none_d3339e70fa5ed00f\System.dll    --a---- 27466 bytes    [18:57 18/10/2014]    [13:02 03/11/2014] EE1665608CA9C98A91F1D0A655FF6C08
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.21180_none_d33a592afa589652\System.dll    --a---- 143177 bytes    [23:59 21/01/2016]    [01:48 29/01/2016] BE8E906A3FC8E4B22459AE5FCD053981
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.21755_none_d336e58cfa5bcc58\System.dll    --a---- 12 bytes    [22:45 21/01/2016]    [01:48 29/01/2016] 4C7EF779BB8F3A64323737D24560313B
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.21787_none_d339b8dafa594b9f\System.dll    --a---- 36189 bytes    [14:41 28/12/2016]    [18:50 23/05/2017] 830B12C784063DD4FA887995CD1C1A93
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9600.21799_none_d33a8b94fa589838\System.dll    --a---- 192184 bytes    [13:21 12/05/2017]    [01:47 07/07/2017] 3A64E3FD47B0B015DB5674D857182DA2
C:\Windows\WinSxS\amd64_netfx4-system_b03f5f7f11d50a3a_4.0.9648.17035_none_f07c2418d7d8099a\System.dll    --a---- 3526272 bytes    [15:19 19/06/2017]    [21:53 21/04/2017] D2405BD573A9BF3447A612B75D5AC871
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.16404_none_a0325b0202100cac\System.dll    --a---- 102499 bytes    [10:13 18/03/2014]    [13:03 03/11/2014] F9AE2B40108C4F830CC7FB5161349607
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.17187_none_a03a1b4c0209207b\System.dll    --a---- 37738 bytes    [19:45 18/12/2015]    [12:31 28/12/2015] A6A57D8AD692693C6E4ABC5B619E384A
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.17253_none_a037756a020b6e43\System.dll    --a---- 393354 bytes    [18:57 18/10/2014]    [01:57 29/01/2016] 06296D7CDA76436DBD5FD76BFBE6957C
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.18035_none_a0354974020d6b5c\System.dll    --a---- 143177 bytes    [00:00 22/01/2016]    [01:57 29/01/2016] BE8E906A3FC8E4B22459AE5FCD053981
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.18555_none_a0374954020b9f9f\System.dll    --a---- 39796 bytes    [22:45 21/01/2016]    [12:06 03/01/2017] B7BE5A7274841689CEE85F4E266120E2
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.20681_none_896cfac61bafead8\System.dll    --a---- 36843 bytes    [19:45 18/12/2015]    [12:31 28/12/2015] 1FF8B1D00D9590FD1BE0E8914B89236C
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.20728_none_8966596e1bb60686\System.dll    --a---- 27466 bytes    [18:57 18/10/2014]    [13:03 03/11/2014] EE1665608CA9C98A91F1D0A655FF6C08
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.21180_none_896d14281bafccc9\System.dll    --a---- 143177 bytes    [00:00 22/01/2016]    [01:57 29/01/2016] BE8E906A3FC8E4B22459AE5FCD053981
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.21755_none_8969a08a1bb302cf\System.dll    --a---- 12 bytes    [22:45 21/01/2016]    [01:57 29/01/2016] 4C7EF779BB8F3A64323737D24560313B
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.21787_none_896c73d81bb08216\System.dll    --a---- 36189 bytes    [14:41 28/12/2016]    [18:51 23/05/2017] 830B12C784063DD4FA887995CD1C1A93
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9600.21799_none_896d46921bafceaf\System.dll    --a---- 192184 bytes    [13:21 12/05/2017]    [01:52 07/07/2017] 3A64E3FD47B0B015DB5674D857182DA2
C:\Windows\WinSxS\msil_system_b77a5c561934e089_4.0.9648.17035_none_a6aedf15f92f4011\System.dll    --a---- 3526272 bytes    [15:19 19/06/2017]    [21:53 21/04/2017] D2405BD573A9BF3447A612B75D5AC871
C:\Windows\WinSxS\msil_system_b77a5c561934e089_6.3.9600.16384_none_f59d04b8200393da\System.dll    --a---- 11931 bytes    [13:23 12/08/2014]    [13:03 03/11/2014] 11402245423A20F6C620786E49D34338
C:\Windows\WinSxS\msil_system_b77a5c561934e089_6.3.9600.17237_none_f597c0f820085ee0\System.dll    --a---- 20679 bytes    [18:57 18/10/2014]    [01:52 07/07/2017] FACB055A13358A27C0FA11D469EA7593
C:\Windows\WinSxS\msil_system_b77a5c561934e089_6.3.9600.20719_none_dec7e99e39b1c397\System.dll    --a---- 2509 bytes    [18:57 18/10/2014]    [13:03 03/11/2014] 184486F14B1FA506EA6FBF91F8F03BF8
C:\Windows\WinSxS\msil_system_b77a5c561934e089_6.3.9600.20997_none_ded0193639aa5baf\System.dll    --a---- 3203072 bytes    [13:20 12/05/2017]    [13:14 30/03/2017] 8C781E3B0EA57E7CDB7DD5FAC0AD873F

-= EOF =-



:step2:  I installed esetsmartinstaller_enu.exe. As I'm using Firefox, I also wanted to install the ESET Smart Installer tool. I couldn't find it anywhere and here is why... Following the link you provided, I found this update from ESET: "The latest version of ESET Online Scanner is the new generation of our well-known ESET Online Scanner. It is no longer dependent on Active X, which allows it to be completely browser independent." Your Note 1 became obsolete :)

I disabled my antivirus Avira (right click on the icon > Manage Antivirus > Free Antivirus > Disable PC Protection & Internet Protection). The umbrella icon was closed.

My Windows Firewall, Spyware & unwanted program software protection and Virus protection were all three turned off from Control Panel > Action Center.

I also wanted to disable Windows Defender and got the message: "This app has been turned off and isn't monitoring your computer. If you're using another app to check for malicious or unwanted software, use Security and Maintenance to check that app's status." - which was done from the Action Center.

I started ESET Online Scanner which took nearly 3 hours to scan all the drives. Many threats have been detected, here is the content of the ESET.txt file:

C:\Program Files (x86)\Common Files\DVDVideoSoft\TB\ConduitInstaller.exe    a variant of Win32/Toolbar.Conduit.AU potentially unwanted application    cleaned by deleting
D:\$RECYCLE.BIN\S-1-5-21-4196555498-3720175132-1304911588-1001\$RBD6I5E.exe    a variant of Win32/DownloadSponsor.C potentially unwanted application    cleaned by deleting
D:\BITTORENT\BitTorrent.exe    a variant of Win32/OpenCandy.A potentially unsafe application    cleaned by deleting
D:\CC Cleaner\ccsetup532.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    cleaned by deleting
D:\CdBurnerXP\cdbxp_setup_4.5.4.5143.exe    a variant of Win32/OpenCandy.A potentially unsafe application    cleaned by deleting
D:\DAEMON TOOLS\daemon4301-lite.exe    a variant of Win32/Adware.Toolbar.Shopper.AE application    cleaned by deleting
D:\FOXIT READER pdf\FoxitReader531.0606_enu_Setup.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting
D:\FREE STUDIO\FreeStudio_5.9.0.1212.exe    a variant of Win32/Toolbar.Conduit.AU potentially unwanted application    cleaned by deleting
D:\HOME DESIGNER\ashampoo_home_designer_1.0.0_7591.exe    a variant of Win32/Toolbar.Conduit.B potentially unwanted application    cleaned by deleting
D:\PrintToPdf\CuteWriter.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    cleaned by deleting
D:\RECYCLER\S-1-5-21-469203747-926528283-3175040077-1006\Dh1\Repair-tool.exe    a variant of Win32/RegCure.A potentially unwanted application    cleaned by deleting
D:\SCRATCH\Scratch-446_CB-DL-Manager.exe    a variant of Win32/DownloadGuide.D potentially unwanted application    cleaned by deleting
D:\VLC MEDIA PLAYER\vlc-media-player.exe    Win32/SoftonicDownloader.E potentially unwanted application    cleaned by deleting
F:\Programme\best-markit Corp\best-markit158.dll    a variant of Win32/AdWare.AddLyrics.BA application    cleaned by deleting
F:\Programme\best-markit Corp\best-markit158.exe    a variant of Win32/AdWare.AddLyrics.AK application    cleaned by deleting
F:\Programme\best-markit Corp\bestu.exe    a variant of Win32/AdWare.AddLyrics.AJ application    cleaned by deleting
F:\Programme\Gemeinsame Dateien\DVDVideoSoft\TB\ConduitInstaller.exe    a variant of Win32/Toolbar.Conduit.AU potentially unwanted application    cleaned by deleting


Avira PC & Internet protection and Windows Firewall were enabled after the above scan.

:step3:  I downloaded mb3-setup-1878.1878-3.1.2.1733-10139.exe following your link and selecting "Download Now @BleepingComputer"
After installing, I performed the scan following the setting instructions you gave me and - believe it or not - there was not a single threat found! *Yeah!*
Here is the scan report:


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/5/17
Scan Time: 9:57 PM
Log File: Malwarebytes.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.139
Update Package Version: 1.0.2517
License: Trial

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Martinez-PC\Martinez Séverine

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 420746
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 11 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)


Does this mean my PC is safe again? If yes, should I use Defogger to enable the CD emulation again?
Shall the programs SystemLook, ESET Online Scanner and Malwarebytes remain on my PC or should these be uninstalled?

Thanks for your support & patience - and have a wonderful evening, Phil :)

Kind regards,

Séverine


Edited by 5Donkeys, 05 August 2017 - 03:33 PM.
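
The ESET.txt posted above is a three-column export (path, verdict, action; tab-separated in the original, shown here as runs of spaces). As an added example that is not part of the thread or of ESET, here is a Python triage helper that parses that format and sorts the hits into the buckets a responder actually cares about: PUA versus "potentially unsafe" versus adware, how many sit in a Recycle Bin (already deleted by the user) and how many are bundled-offer wrappers inside downloaded installers. The sample lines are constructed in ESET's layout, with made-up names and SIDs, not the poster's data.

```python
"""Added example: parse ESET Online Scanner's exported ESET.txt and triage it.

Each line has three tab-separated columns: path, verdict, action.  Forum
copies often show the tabs as runs of spaces, so the splitter accepts both.
SAMPLE_ESET_LOG is constructed in that format and is not from the thread."""
import re
from collections import Counter

SAMPLE_ESET_LOG = """\
C:\\Program Files (x86)\\Common Files\\ExampleSoft\\TB\\ToolbarInstaller.exe\ta variant of Win32/Toolbar.Example.A potentially unwanted application\tcleaned by deleting
D:\\$RECYCLE.BIN\\S-1-5-21-1111111111-2222222222-3333333333-1001\\$RX1A2B3.exe\ta variant of Win32/DownloadSponsor.X potentially unwanted application\tcleaned by deleting
D:\\Downloads\\media-player-setup.exe    a variant of Win32/OpenCandy.A potentially unsafe application    cleaned by deleting
F:\\Programs\\Example Corp\\example158.dll    a variant of Win32/AdWare.Example.B application    cleaned by deleting
D:\\RECYCLER\\S-1-5-21-4444444444-5555555555-6666666666-1006\\Repair-tool.exe\ta variant of Win32/RegCure.A potentially unwanted application\tcleaned by deleting
"""

# A tab, or three-plus spaces (how pasted tabs usually survive), separates columns.
COLUMN_SPLIT = re.compile(r"\t|[ ]{3,}")


def categorize(verdict):
    """Bucket ESET's verdict text. PUA and 'unsafe' are policy detections,
    not proof of an active infection; plain '... application' with an
    AdWare family name is the bucket worth following up first."""
    v = verdict.lower()
    if "potentially unwanted application" in v:
        return "PUA"
    if "potentially unsafe application" in v:
        return "unsafe"
    if "/adware." in v:
        return "adware"
    return "other"


def in_recycle_bin(path):
    """True for the NTFS ($RECYCLE.BIN) and legacy (RECYCLER) bin folders."""
    p = path.lower()
    return "\\$recycle.bin\\" in p or "\\recycler\\" in p


def looks_like_installer(path):
    """Heuristic: downloaded setup wrappers are where bundled toolbars usually live."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith(".exe") and any(k in name for k in ("setup", "install"))


def parse_line(line):
    """Return a record for one detection line, or None for non-detection lines."""
    parts = [p.strip() for p in COLUMN_SPLIT.split(line.strip()) if p.strip()]
    if len(parts) < 3:
        return None
    path, verdict, action = parts[0], parts[1], " ".join(parts[2:])
    return {
        "path": path,
        "verdict": verdict,
        "action": action,
        "category": categorize(verdict),
        "in_recycle_bin": in_recycle_bin(path),
        "looks_like_installer": looks_like_installer(path),
    }


def triage(text):
    """Parse a whole ESET.txt and summarise it for a responder."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    return {
        "records": records,
        "by_category": Counter(r["category"] for r in records),
        "recycle_bin_hits": [r["path"] for r in records if r["in_recycle_bin"]],
        "installer_hits": [r["path"] for r in records if r["looks_like_installer"]],
        "deleted": sum(1 for r in records if r["action"].startswith("cleaned by deleting")),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_ESET_LOG)
    print("by category:", dict(summary["by_category"]))
    print("in recycle bin:", len(summary["recycle_bin_hits"]))
    print("inside installers:", len(summary["installer_hits"]))
    print("deleted:", summary["deleted"], "of", len(summary["records"]))
```

Reading the real log the same way explains why the Malwarebytes scan that followed came back clean: most ESET hits were bundled-offer wrappers inside old setup files on the data drives or remnants already sitting in a Recycle Bin, so deleting them removes a future risk rather than a running infection.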


#7 5Donkeys

5Donkeys
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Female
  • Local time:06:09 AM

Posted 06 August 2017 - 02:27 AM

Hello again,


When logging in this morning, I got the following message:


Failed to connect to a Windows service.
Windows couldn't connect to the System Event Notification Service service. This problem prevents standard users from signing in.
As an administrative user, you can review the system event log for details about why the service didn't respond.


Does this have something to do with all the above?

I didn't change anything yet, I just logged in to my kids' respective accounts to check their accesses.

It took very long (30-40 secs) to enter both. The account of my daughter seems ok (it just took forever to load the icons on the desktop), but my son's account now has a black background and his documents & shortcuts on the desktop disappeared.


Thanks in advance, Phil :)


Have a great Sunday!


Séverine



#8 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,855 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:01:09 AM

Posted 06 August 2017 - 11:25 AM

Séverine:

Thank you for your posts and for the ESET and Malwarebytes logs. Thank you for pointing out that "Note 1:" in the ESET instructions is no longer necessary. I have amended my instructions for future users. I really appreciate you pointing that out, since I don't use those applications myself on a regular basis.

SystemLook did not find that "System.dll" file, so that explains why you couldn't find it; however, that file continues to concern me. We will deal with it again later on in this post.

As for the anti-malware tools that I have asked you to run, and will ask you to run, we will remove all of them in one simple step when I am satisfied that your computer is clean. Until then, I would ask that you follow my instructions and refrain from making any changes to your computer, except for routine Windows updates, security product updates, etc.

As for the login issues with your children's accounts, I did not see any malware removed in the logs that would account for that. Malware removal can cause unpredictable and unintended issues. That said, I would like to continue to deal with removing the malware first, before looking further into that issue, because malware might be responsible. One trick that often works is a "cold boot" to resolve all sorts of very strange issues.

.

:step1: Warm booting does not completely clear the computer and reset everything. See this article from Microsoft. You can also "google" warm boots versus cold boots and you will find lots of information there. It is amazing to me how many really weird problems are resolved by a cold boot. It is my first diagnostic step. If you launch the "Windows Repair (All In One)" tool by Tweaking Computer, you will see a cold boot is one of their preliminary diagnostic steps. That tool is available for download here at BC, but please do not run it, unless I instruct you to do so.

With laptops, it is also necessary not just to unplug them, but also to remove the battery to ensure that the motherboard loses power, causing components to reset to their default state. Pressing and holding the "Power" button down, when all power sources have been unplugged from the computer/laptop, just hastens, and ensures, that the capacitors on the motherboard, and other boards, such as GPU, drive controllers, etc., also lose any residual power and are reset back to default states. The only thing that doesn't lose power is the BIOS CMOS, because it has its own battery, and removing that is not usually desirable, since the BIOS loses any custom configuration information, as well as the date and time.

Please let me know if the cold boot had any effect on the account access issue. ESET is a very aggressive scanner and it is possible that the computer needs a cold boot to completely recover from the effects of the scan and the malware deletions. I always like to start simple and then move further into the complex, and then finally into the esoteric! :)


OK, let's run a couple of more standard anti-malware scans and see what turns up.

.

:step2: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin its scan ... please be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, then make sure that you uncheck it before running the "Clean" process.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
  • After the scan has finished ...
  • Uncheck any PUP and adware applications that you want to keep.


If you are unsure about one or more of the detected programs, then please copy and paste the scan log, with your questions, and I will provide you with advice about those files.
The Scan logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Do not follow the remaining instructions until directed to do so by me. If you have no questions about any of the detections, then please proceed to the "Clean" steps below.

  • Then click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Please copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.

:step3: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

.

:step4: Please run a new FRST scan for me. I want to check again for that "System.dll" or any other odd file that might be present. Some malware can spawn randomly named and randomly located files, so I want to check for those. Please copy and paste the scan logs (FRST.txt and Addition.txt) into your next reply, or replies. Sometimes, when the logs are large, you have to split them and post them separately.

.

Sorry for all of the "homework" on a weekend :(, but you can respond tomorrow or Tuesday. Thank you, Séverine, and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#9 5Donkeys

5Donkeys
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Female
  • Local time:06:09 AM

Posted 06 August 2017 - 03:30 PM

Hi Phil,

Until now, I have not changed/uninstalled anything other than what I wrote before. I was just so happy that the last scan run didn't show up any threats :)


:step1: The link to the article from Microsoft you provided does not exist anymore. I still found information on Google about warm boot versus cold boot. Unfortunately, the cold boot had no effect on the account access issue... Let's see if it really disappears when we are all done - before we move to the complex resp. esoteric :)


:step2: Here is the content of AdwCleaner[C0].txt:

# AdwCleaner 7.0.1.0 - Logfile created on Sun Aug 06 19:57:10 2017
# Updated on 2017/05/08 by Malwarebytes
# Running on Windows 8.1 (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\Users\Martinez Séverine\AppData\Local\DriverToolkit
Deleted: C:\Program Files (x86)\Common Files\DVDVideoSoft\TB
Deleted: C:\Program Files\Enigma Software Group
Deleted: C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
Deleted: C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7


***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{BD0C1912-66C3-49CC-8B12-7B347BF6C846}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{128507E0-C56F-43C0-BCF1-8193B35FE4C4}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{40217CB8-4463-4030-B324-AC6A8075FEC8}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{63C40CBE-DE43-4B56-BCEB-E14B825CF245}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{AFA0E6A1-28D7-4F2C-87A7-7266367B4655}
Deleted: [Key] - HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\Software\DriverToolkit
Deleted: [Key] - HKCU\Software\DriverToolkit
Deleted: [Key] - HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\Software\cacaoweb
Deleted: [Key] - HKCU\Software\cacaoweb
Deleted: [Value] - HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|cacaoweb
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Deleted: [Key] - HKLM\SOFTWARE\EnigmaSoftwareGroup
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}


***** [ Firefox (and derivatives) ] *****

Plugin deleted: Avira SafeSearch Plus - Avira


***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [2714 B] - [2017/8/6 19:51:14]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########


:step3: Here is the content of JRT.txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 8.1 x64
Ran by Martinez S‚verine (Administrator) on 06/08/2017 at 22:08:44,12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 17

Successfully deleted: C:\Windows\wininit.ini (File)
Successfully deleted: C:\Users\Martinez S‚verine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\924KX0TN (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Martinez S‚verine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B8GSR6R6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Martinez S‚verine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BI1AAGFK (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Martinez S‚verine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F4USU6WV (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Martinez S‚verine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GH1DMSO3 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Martinez S‚verine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ICJKOS89 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Martinez S‚verine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T8NGIOD3 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Martinez S‚verine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TNHN1FCC (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\924KX0TN (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B8GSR6R6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BI1AAGFK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F4USU6WV (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GH1DMSO3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ICJKOS89 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T8NGIOD3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TNHN1FCC (Temporary Internet Files Folder)

Deleted the following from C:\Users\Martinez S‚verine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\prefs.js
user_pref(extensions.safesearchplus2@avira.com.AUC_GUID, 03a1ace1-842b-40a8-a243-050fc5b403d9);
user_pref(extensions.safesearchplus2@avira.com.MP_DISTINCT_ID, a7e931d6d688c8fe3b7fa13ad04ff46da33625b1);
user_pref(extensions.safesearchplus2@avira.com.abTestParameters, {});
user_pref(extensions.safesearchplus2@avira.com.initialSettingsApplied, true);
user_pref(extensions.safesearchplus2@avira.com.install, 1501591297662);
user_pref(extensions.safesearchplus2@avira.com.migration_1_2_1, true);
user_pref(extensions.safesearchplus2@avira.com.overrideNewTab, true);
user_pref(extensions.safesearchplus2@avira.com.prev_default_engine_name, \Google\);
user_pref(extensions.safesearchplus2@avira.com.sdk.baseURI, resource://safesearchplus2-at-avira-dot-com/);
user_pref(extensions.safesearchplus2@avira.com.sdk.domain, safesearchplus2-at-avira-dot-com);
user_pref(extensions.safesearchplus2@avira.com.sdk.load.reason, startup);
user_pref(extensions.safesearchplus2@avira.com.sdk.rootURI, file:///C:/Users/Martinez%20S%C3%A9verine/AppData/Roaming/Mozilla/Firefox/Profiles/auauo9nc.default/extensions/s
user_pref(extensions.safesearchplus2@avira.com.sdk.version, 1.5.3.465);
user_pref(extensions.safesearchplus2@avira.com.search_offer_disabled, true);



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 06/08/2017 at 22:09:47,53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



:step4: Here is the content of today's FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-08-2017
Ran by Martinez Séverine (administrator) on MARTINEZ-PC (06-08-2017 22:15:46)
Running from D:\Farbar Recovery Scan Tool BleepingComputer
Loaded Profiles: Martinez Séverine (Available Profiles: Martinez Séverine & Margot & Nicolas)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
(DEVGURU Co., LTD.) C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avcenter.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7203032 2013-10-22] (RealtekSemiconductor)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-11-01] (AdvancedMicroDevices,Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (AdobeSystemsIncorporated)
HKLM-x32\...\Run: [WSHelperSetup.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1691136 2012-05-31] (Wondershare)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [97512 2017-06-13] (AviraOperationsGmbH&Co.KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [918008 2017-07-04] (AviraOperationsGmbH&Co.KG)
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\Run: [Gadwin PrintScreen] => D:\GADWIN Printscreen\PrintScreen\PrintScreen.exe [495616 2008-12-09] (GadwinSystems,Inc)
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\system32\StikyNot.exe [479744 2014-10-29] (MicrosoftCorporation)
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [589312 2014-10-29] (MicrosoftCorporation)
HKU\S-1-5-18\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21437568 2014-05-08] (SkypeTechnologiesS.A.)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 194.154.192.101 194.154.192.102
Tcpip\..\Interfaces\{4615ED4D-CC28-4CEF-B3F0-4E12AE193CF9}: [DhcpNameServer] 192.168.224.1
Tcpip\..\Interfaces\{A27EA5B4-3E64-4402-80BA-CD79954585D6}: [DhcpNameServer] 194.154.192.101 194.154.192.102

Internet Explorer:
==================
HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.duckduckgo.com/
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-10-13] (OracleCorporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-10-13] (OracleCorporation)

FireFox:
========
FF ProfilePath: C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default [2017-08-06]
FF NewTab: Mozilla\Firefox\Profiles\auauo9nc.default -> hxxps://duckduckgo.com/
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\auauo9nc.default -> DuckDuckGo
FF Homepage: Mozilla\Firefox\Profiles\auauo9nc.default -> hxxps://duckduckgo.com/#
FF Extension: (Avira Browser Safety) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\abs@avira.com [2017-08-01]
FF Extension: (Avira Browser Safety) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\abs@avira.com.xpi [2017-07-19]
FF Extension: (German Dictionary) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\de-DE@dictionaries.addons.mozilla.org [2015-12-12] [not signed]
FF Extension: (Dictionnaire français) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\fr-dicollecte@dictionaries.addons.mozilla.org [2017-01-23]
FF Extension: (Français Language Pack) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\langpack-fr@firefox.mozilla.org.xpi [2017-05-03]
FF Extension: (Avira Password Manager) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\passwordmanager@avira.com [2017-08-01]
FF Extension: (New Tab Homepage) - C:\Users\Martinez Séverine\AppData\Roaming\Mozilla\Firefox\Profiles\auauo9nc.default\Extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}.xpi [2015-10-09]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll [2014-06-24] (Adobe Systems, Inc.)
FF Plugin-x32: @canon.com/EPPEX -> D:\CANON Easy Photo Print\NPEZFFPI.DLL [2013-04-19] (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-10-13] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-10-13] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-05-08] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-11-01] (AdvancedMicroDevices,Inc.) [File not signed]
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1128432 2017-07-04] (AviraOperationsGmbH&Co.KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [490968 2017-07-04] (AviraOperationsGmbH&Co.KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [490968 2017-07-04] (AviraOperationsGmbH&Co.KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1524216 2017-07-04] (AviraOperationsGmbH&Co.KG)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [377976 2017-06-13] (AviraOperationsGmbH&Co.KG)
R2 AviraPhantomVPN; C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe [322616 2017-07-13] (AviraOperationsGmbH&Co.KG)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
R2 ss_conn_service; C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [752224 2017-01-16] (DEVGURUCo.,LTD.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (MicrosoftCorporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (MicrosoftCorporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59648 2013-09-19] (AdvancedMicroDevices)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2013-09-24] (AdvancedMicroDevices)
R0 avdevprot; C:\Windows\System32\DRIVERS\avdevprot.sys [60920 2017-07-04] (AviraOperationsGmbH&Co.KG)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [167504 2017-07-04] (AviraOperationsGmbH&Co.KG)
R1 avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [164824 2017-07-04] (AviraOperationsGmbH&Co.KG)
R1 avkmgr; C:\Windows\system32\DRIVERS\avkmgr.sys [44488 2017-07-04] (AviraOperationsGmbH&Co.KG)
R2 avnetflt; C:\Windows\system32\DRIVERS\avnetflt.sys [88488 2017-07-04] (AviraOperationsGmbH&Co.KG)
R0 avusbflt; C:\Windows\System32\Drivers\avusbflt.sys [38048 2017-07-04] (AviraOperationsGmbH&Co.KG)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (SamsungElectronicsCo.,Ltd.)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77376 2017-08-06] ()
R3 GEARAspiWDM; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [33240 2012-08-21] (GEARSoftwareInc.)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [188352 2017-08-06] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [101784 2017-08-06] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [45472 2017-08-06] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [253856 2017-08-06] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [93600 2017-08-06] (Malwarebytes)
R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2011-02-11] (CACETechnologies,Inc.)
R3 phantomtap; C:\Windows\system32\DRIVERS\phantomtap.sys [35664 2017-07-13] (TheOpenVPNProject)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (SamsungElectronicsCo.,Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2014-07-28] (Apple,Inc.) [File not signed]
S0 viaide; C:\Windows\System32\drivers\viaide.sys [19808 2013-08-22] (VIATechnologies,Inc.)
S0 vsmraid; C:\Windows\System32\drivers\vsmraid.sys [168800 2013-08-22] (VIATechnologiesInc.,Ltd)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [46600 2017-02-10] (MicrosoftCorporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [274776 2017-01-12] (MicrosoftCorporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (MicrosoftCorporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-06 22:09 - 2017-08-06 22:09 - 000004712 _____ C:\Users\Martinez Séverine\Desktop\JRT.txt
2017-08-06 22:07 - 2017-08-06 22:07 - 001790024 _____ (Malwarebytes) C:\Users\Martinez Séverine\Desktop\JRT.exe
2017-08-06 21:49 - 2017-08-06 21:57 - 000000000 ____D C:\AdwCleaner
2017-08-06 21:49 - 2017-08-06 21:49 - 008185288 _____ (Malwarebytes) C:\Users\Martinez Séverine\Desktop\AdwCleaner.exe
2017-08-05 22:15 - 2017-08-05 22:15 - 000001223 _____ C:\Users\Martinez Séverine\Desktop\Malwarebytes.txt
2017-08-05 21:52 - 2017-08-06 21:58 - 000253856 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-08-05 21:52 - 2017-08-06 21:58 - 000101784 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-08-05 21:52 - 2017-08-06 21:58 - 000093600 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-08-05 21:52 - 2017-08-06 21:58 - 000045472 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-08-05 21:52 - 2017-08-06 09:33 - 000188352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-08-05 21:52 - 2017-08-06 09:33 - 000077376 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-08-05 21:52 - 2017-08-05 21:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-08-05 21:52 - 2017-08-05 21:52 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-08-05 21:52 - 2017-08-05 21:52 - 000000000 ____D C:\Program Files\Malwarebytes
2017-08-05 21:48 - 2017-08-05 21:51 - 064025992 _____ (Malwarebytes ) C:\Users\Martinez Séverine\Desktop\mb3-setup-1878.1878-3.1.2.1733-10139.exe
2017-08-05 21:41 - 2017-08-05 21:41 - 000004534 _____ C:\Users\Martinez Séverine\Desktop\ESET.txt
2017-08-05 16:08 - 2017-08-05 16:08 - 002870984 _____ (ESET) C:\Users\Martinez Séverine\Desktop\esetsmartinstaller_enu.exe
2017-08-05 16:04 - 2017-08-05 16:05 - 000015204 _____ C:\Users\Martinez Séverine\Desktop\SystemLook.txt
2017-08-05 15:55 - 2017-08-05 15:55 - 000165376 _____ C:\Users\Martinez Séverine\Desktop\SystemLook_x64.exe
2017-08-02 22:39 - 2017-08-02 22:39 - 000000000 _____ C:\Users\Martinez Séverine\defogger_reenable
2017-08-02 22:38 - 2017-08-02 22:38 - 000050477 _____ C:\Users\Martinez Séverine\Desktop\Defogger.exe
2017-08-02 00:28 - 2017-08-06 22:15 - 000000000 ____D C:\FRST
2017-08-01 23:36 - 2017-08-01 23:36 - 000000836 _____ C:\Users\Public\Desktop\paint.net.lnk
2017-08-01 23:36 - 2017-08-01 23:36 - 000000836 _____ C:\ProgramData\Desktop\paint.net.lnk
2017-08-01 15:56 - 2017-08-06 21:58 - 000140302 _____ C:\Windows\ntbtlog.txt
2017-08-01 14:34 - 2017-08-01 14:34 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Local\AviraSpeedup
2017-08-01 14:33 - 2017-08-01 14:33 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Local\CEF
2017-08-01 14:29 - 2017-08-01 14:29 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Local\Avira_Operations_Gmbh_&_C
2017-08-01 14:28 - 2017-08-01 14:28 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf
2017-08-01 14:28 - 2017-07-04 13:28 - 000167504 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000164824 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000088488 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000060920 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avdevprot.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000044488 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2017-08-01 14:28 - 2017-07-04 13:28 - 000038048 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avusbflt.sys
2017-08-01 14:17 - 2017-08-01 14:17 - 000000000 ____D C:\Windows\System32\Tasks\Avira
2017-08-01 14:17 - 2017-08-01 14:17 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Local\Avira
2017-08-01 14:16 - 2017-08-01 14:16 - 000001056 _____ C:\Users\Public\Desktop\Avira Phantom VPN.lnk
2017-08-01 14:16 - 2017-08-01 14:16 - 000001056 _____ C:\ProgramData\Desktop\Avira Phantom VPN.lnk
2017-08-01 14:12 - 2017-08-01 18:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2017-08-01 14:12 - 2017-08-01 14:12 - 000001224 _____ C:\Users\Public\Desktop\Avira Connect.lnk
2017-08-01 14:12 - 2017-08-01 14:12 - 000001224 _____ C:\ProgramData\Desktop\Avira Connect.lnk
2017-07-28 18:15 - 2013-08-22 15:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts.20170728-181504.backup
2017-07-28 18:10 - 2013-08-22 15:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts.20170728-181044.backup
2017-07-27 18:37 - 2017-07-27 21:26 - 000000000 ____D C:\Program Files (x86)\MSECache
2017-07-27 18:12 - 2017-07-28 18:07 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2017-07-27 18:12 - 2017-07-27 18:12 - 000000382 _____ C:\Windows\ODBC.INI
2017-07-13 13:32 - 2017-07-13 13:32 - 000035664 _____ (The OpenVPN Project) C:\Windows\system32\Drivers\phantomtap.sys
2017-07-12 15:30 - 2017-06-29 08:27 - 025734656 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-07-12 15:30 - 2017-06-29 08:02 - 000576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-07-12 15:30 - 2017-06-29 07:50 - 000817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-07-12 15:30 - 2017-06-29 07:44 - 005975552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-07-12 15:30 - 2017-06-29 07:23 - 020270592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-07-12 15:30 - 2017-06-29 07:23 - 000499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-07-12 15:30 - 2017-06-29 07:17 - 001033216 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2017-07-12 15:30 - 2017-06-29 07:13 - 000663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-07-12 15:30 - 2017-06-29 07:09 - 000806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-07-12 15:30 - 2017-06-29 06:58 - 015253504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-07-12 15:30 - 2017-06-29 06:53 - 003240960 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-07-12 15:30 - 2017-06-29 06:52 - 004549632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-07-12 15:30 - 2017-06-29 06:51 - 000880640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2017-07-12 15:30 - 2017-06-29 06:47 - 000693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-07-12 15:30 - 2017-06-29 06:43 - 013663744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-07-12 15:30 - 2017-06-29 06:41 - 001545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-07-12 15:30 - 2017-06-29 06:29 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-07-12 15:30 - 2017-06-29 06:28 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-07-12 15:30 - 2017-06-29 06:24 - 001314816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-07-12 15:30 - 2017-06-29 06:23 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-07-12 15:30 - 2017-06-27 16:29 - 007796736 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2017-07-12 15:30 - 2017-06-27 16:29 - 007077376 _____ (Microsoft Corporation) C:\Windows\system32\glcndFilter.dll
2017-07-12 15:30 - 2017-06-27 16:26 - 005274112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\glcndFilter.dll
2017-07-12 15:30 - 2017-06-27 16:26 - 005268992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2017-07-12 15:30 - 2017-06-22 16:22 - 004169216 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-07-12 15:30 - 2017-06-17 18:45 - 003631616 _____ (Microsoft Corporation) C:\Windows\system32\tquery.dll
2017-07-12 15:30 - 2017-06-17 18:34 - 002749952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tquery.dll
2017-07-12 15:30 - 2017-06-17 18:11 - 002551808 _____ (Microsoft Corporation) C:\Windows\system32\mssrch.dll
2017-07-12 15:30 - 2017-06-17 18:05 - 001920000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssrch.dll
2017-07-12 15:30 - 2017-06-16 00:02 - 000990040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\http.sys
2017-07-12 15:30 - 2017-06-15 15:45 - 007440728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-07-12 15:30 - 2017-06-15 15:45 - 001674520 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2017-07-12 15:30 - 2017-06-15 15:45 - 001534064 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2017-07-12 15:30 - 2017-06-15 15:45 - 001499920 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2017-07-12 15:30 - 2017-06-15 15:45 - 001370320 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2017-07-12 15:30 - 2017-06-15 15:45 - 000086360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pdc.sys
2017-07-12 15:30 - 2017-06-12 02:06 - 000376672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\clfs.sys
2017-07-12 15:30 - 2017-06-12 00:21 - 000590848 _____ (Microsoft Corporation) C:\Windows\system32\wvc.dll
2017-07-12 15:30 - 2017-06-11 23:43 - 000371200 _____ (Microsoft Corporation) C:\Windows\system32\msinfo32.exe
2017-07-12 15:30 - 2017-06-11 23:25 - 000478720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wvc.dll
2017-07-12 15:30 - 2017-06-11 23:15 - 001436672 _____ (Microsoft Corporation) C:\Windows\system32\wdc.dll
2017-07-12 15:30 - 2017-06-11 23:08 - 000358912 _____ (Microsoft Corporation) C:\Windows\system32\Wldap32.dll
2017-07-12 15:30 - 2017-06-11 23:07 - 000416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sysmon.ocx
2017-07-12 15:30 - 2017-06-11 23:00 - 000962560 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-07-12 15:30 - 2017-06-11 22:58 - 000334336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msinfo32.exe
2017-07-12 15:30 - 2017-06-11 22:40 - 001323008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdc.dll
2017-07-12 15:30 - 2017-06-11 22:35 - 000325120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Wldap32.dll
2017-07-12 15:30 - 2017-06-11 22:31 - 000781312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-07-12 15:30 - 2017-06-11 17:15 - 002013528 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2017-07-12 15:30 - 2017-06-06 22:52 - 003120640 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2017-07-12 15:30 - 2017-06-06 22:42 - 000925696 _____ (Microsoft Corporation) C:\Windows\system32\autoconv.exe
2017-07-12 15:30 - 2017-06-06 22:38 - 000039424 _____ (Microsoft Corporation) C:\Windows\system32\cnvfat.dll
2017-07-12 15:30 - 2017-06-06 22:36 - 000168448 _____ (Microsoft Corporation) C:\Windows\system32\uudf.dll
2017-07-12 15:30 - 2017-06-06 22:36 - 000020992 _____ (Microsoft Corporation) C:\Windows\system32\convert.exe
2017-07-12 15:30 - 2017-06-06 22:35 - 000517120 _____ (Microsoft Corporation) C:\Windows\system32\uReFS.dll
2017-07-12 15:30 - 2017-06-06 21:13 - 000177664 _____ (Microsoft Corporation) C:\Windows\system32\ulib.dll
2017-07-12 15:30 - 2017-06-06 21:11 - 000557568 _____ (Microsoft Corporation) C:\Windows\system32\untfs.dll
2017-07-12 15:30 - 2017-06-06 21:11 - 000220672 _____ (Microsoft Corporation) C:\Windows\system32\ifsutil.dll
2017-07-12 15:30 - 2017-06-06 21:11 - 000131072 _____ (Microsoft Corporation) C:\Windows\system32\ufat.dll
2017-07-12 15:30 - 2017-06-06 21:11 - 000088064 _____ (Microsoft Corporation) C:\Windows\system32\uexfat.dll
2017-07-12 15:30 - 2017-06-06 21:08 - 002712576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2017-07-12 15:30 - 2017-06-06 21:03 - 000837632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\autoconv.exe
2017-07-12 15:30 - 2017-06-06 20:59 - 000034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cnvfat.dll
2017-07-12 15:30 - 2017-06-06 20:57 - 000141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uudf.dll
2017-07-12 15:30 - 2017-06-06 20:56 - 000375296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uReFS.dll
2017-07-12 15:30 - 2017-06-06 20:03 - 000143360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ulib.dll
2017-07-12 15:30 - 2017-06-06 20:02 - 000513536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\untfs.dll
2017-07-12 15:30 - 2017-06-06 20:02 - 000197120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ifsutil.dll
2017-07-12 15:30 - 2017-06-06 20:02 - 000106496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ufat.dll
2017-07-12 15:30 - 2017-06-06 20:02 - 000074240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uexfat.dll
2017-07-12 15:30 - 2017-06-03 18:27 - 002346496 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2017-07-12 15:30 - 2017-06-03 18:03 - 001549312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2017-07-12 15:30 - 2017-05-31 23:20 - 000470360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2017-07-12 15:30 - 2017-05-16 00:09 - 000057688 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\stornvme.sys
2017-07-12 15:30 - 2017-05-15 22:03 - 000379744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2017-07-12 15:30 - 2017-05-09 16:37 - 000658432 _____ (Microsoft Corporation) C:\Windows\system32\WSDApi.dll
2017-07-12 15:30 - 2017-05-09 16:35 - 000555520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSDApi.dll
2017-07-12 15:30 - 2017-05-09 16:29 - 000025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wsdchngr.dll
2017-07-12 15:30 - 2017-05-09 16:29 - 000014848 _____ (Microsoft Corporation) C:\Windows\system32\snmptrap.exe
2017-07-12 15:30 - 2017-05-09 16:28 - 000193024 _____ (Microsoft Corporation) C:\Windows\system32\DAFWSD.dll
2017-07-12 15:30 - 2017-05-09 16:28 - 000030208 _____ (Microsoft Corporation) C:\Windows\system32\wsdchngr.dll
2017-07-12 15:30 - 2017-05-09 16:12 - 000448576 _____ C:\Windows\system32\ApnDatabase.xml
2017-07-12 15:30 - 2017-05-06 18:45 - 001114624 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2017-07-12 15:30 - 2017-05-06 18:41 - 000056832 _____ (Microsoft Corporation) C:\Windows\system32\rdsdwmdr.dll
2017-07-12 15:30 - 2017-05-02 22:09 - 000686592 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2017-07-12 15:30 - 2017-05-02 22:08 - 000415744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2017-07-12 15:30 - 2017-05-02 22:08 - 000243200 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2017-07-12 15:30 - 2017-05-02 20:41 - 000044032 _____ (Microsoft Corporation) C:\Windows\system32\sscore.dll
2017-07-12 15:30 - 2017-05-02 20:31 - 000329216 _____ (Microsoft Corporation) C:\Windows\system32\srvsvc.dll
2017-07-12 15:30 - 2017-05-02 20:31 - 000207360 _____ (Microsoft Corporation) C:\Windows\system32\smbwmiv2.dll
2017-07-12 15:30 - 2017-05-02 19:35 - 000031744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sscore.dll
2017-07-12 15:30 - 2017-04-30 18:48 - 000080078 _____ C:\Windows\system32\normidna.nls
2017-07-12 15:30 - 2017-04-28 03:13 - 001292288 _____ (Microsoft Corporation) C:\Windows\system32\certutil.exe
2017-07-12 15:30 - 2017-04-28 03:11 - 001060352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2017-07-12 15:19 - 2017-05-04 01:11 - 000103600 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-07-12 15:19 - 2017-05-03 15:43 - 001555968 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 001206272 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000620544 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000535552 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000325632 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000311296 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000217088 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-07-12 15:19 - 2017-05-03 15:43 - 000127488 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-06 22:12 - 2014-07-02 09:33 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Roaming\ClassicShell
2017-08-06 22:10 - 2016-11-21 17:16 - 000000000 ____D C:\Users\Martinez Séverine\AppData\LocalLow\Mozilla
2017-08-06 22:02 - 2014-03-18 12:03 - 000865068 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-06 22:02 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\Inf
2017-08-06 21:57 - 2013-08-22 16:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-06 21:48 - 2014-07-02 05:31 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4196555498-3720175132-1304911588-1001
2017-08-06 21:43 - 2014-07-02 05:26 - 000000000 ____D C:\Users\Martinez Séverine
2017-08-06 09:21 - 2014-07-04 22:26 - 000000000 ____D C:\Users\Margot\AppData\Roaming\ClassicShell
2017-08-05 16:18 - 2014-09-13 22:54 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Roaming\Avira
2017-08-03 16:48 - 2013-08-22 15:25 - 000524288 ___SH C:\Windows\system32\config\BBI
2017-08-02 07:23 - 2017-01-18 18:21 - 000000000 ____D C:\Users\Nicolas\AppData\Roaming\ClassicShell
2017-08-02 07:18 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\AppReadiness
2017-08-01 23:36 - 2014-07-06 22:24 - 000000836 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
2017-08-01 18:49 - 2014-07-03 15:53 - 000000000 ____D C:\Desktop background pictures
2017-08-01 18:34 - 2014-09-13 22:43 - 000000000 ____D C:\ProgramData\Avira
2017-08-01 18:33 - 2014-09-13 22:43 - 000000000 ____D C:\Program Files (x86)\Avira
2017-08-01 17:00 - 2013-08-22 16:44 - 000471968 _____ C:\Windows\system32\FNTCACHE.DAT
2017-08-01 16:05 - 2017-05-05 23:17 - 000000000 ____D C:\Users\Martinez Séverine\Desktop\Drucken
2017-08-01 14:36 - 2015-01-26 20:18 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-08-01 14:36 - 2014-07-02 15:11 - 000000000 ____D C:\Windows\Panther
2017-08-01 14:12 - 2014-07-02 05:35 - 000000000 ____D C:\ProgramData\Package Cache
2017-08-01 14:04 - 2014-10-07 14:53 - 000000000 ____D C:\Users\Margot\AppData\Roaming\Avira
2017-07-28 18:07 - 2017-01-18 18:17 - 000000000 ____D C:\Users\Nicolas
2017-07-28 18:07 - 2014-07-04 22:14 - 000000000 ____D C:\Users\Margot
2017-07-27 18:30 - 2014-07-02 14:57 - 135225752 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-07-27 18:10 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\System
2017-07-27 16:10 - 2013-08-22 17:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-07-26 18:43 - 2017-06-14 16:08 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Roaming\qBittorrent
2017-07-22 15:00 - 2013-08-22 17:36 - 000000000 ___HD C:\Program Files\WindowsApps
2017-07-19 19:28 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\rescache
2017-07-12 18:19 - 2014-12-12 00:34 - 000000000 ____D C:\Windows\system32\appraiser
2017-07-12 15:40 - 2014-07-02 14:57 - 000000000 ____D C:\Windows\system32\MRT
2017-07-12 15:38 - 2013-08-22 17:20 - 000000000 ____D C:\Windows\CbsTemp
2017-07-12 15:31 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\system32\Macromed
2017-07-12 15:30 - 2013-08-22 17:36 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-07-11 14:31 - 2016-11-21 21:40 - 000000000 ____D C:\Users\Margot\AppData\LocalLow\Mozilla
2017-07-11 14:20 - 2014-07-04 22:19 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4196555498-3720175132-1304911588-1003

==================== Files in the root of some directories =======

2014-07-02 05:40 - 2014-07-02 05:40 - 000000000 ____H () C:\ProgramData\DP45977C.lfl
2017-06-25 12:56 - 2017-06-25 13:00 - 000000367 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
2014-10-07 14:48 - 2014-10-07 14:48 - 000000000 ____D () C:\Users\Margot\AppData\Local\Temp\avgnt.exe
2017-08-01 23:30 - 2017-08-01 23:30 - 007235264 _____ () C:\Users\Martinez Séverine\AppData\Local\Temp\paint.net.4.0.17.install.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-08-03 21:35

==================== End of FRST.txt ============================

... and here is the content of the Addition.txt:


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06-08-2017
Ran by Martinez Séverine (06-08-2017 22:16:16)
Running from D:\Farbar Recovery Scan Tool BleepingComputer
Windows 8.1 (Update) (X64) (2014-07-02 03:26:32)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4196555498-3720175132-1304911588-500 - Administrator - Disabled)
Guest (S-1-5-21-4196555498-3720175132-1304911588-501 - Limited - Disabled)
Margot (S-1-5-21-4196555498-3720175132-1304911588-1003 - Administrator - Enabled) => C:\Users\Margot
Martinez Séverine (S-1-5-21-4196555498-3720175132-1304911588-1001 - Administrator - Enabled) => C:\Users\Martinez Séverine
Nicolas (S-1-5-21-4196555498-3720175132-1304911588-1004 - Administrator - Enabled) => C:\Users\Nicolas

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Disabled - Up to date) {B3F630BD-538D-1B4A-14FA-14B63235278F}
AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Avira Antivirus (Disabled - Up to date) {0897D159-75B7-14C4-2E4A-2FC449B26D32}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 14.0.0.110 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
AMD Catalyst Install Manager (HKLM\...\{82DEBC0B-5BAD-5918-2EDB-7C78BE01BA59}) (Version: 8.0.915.0 - Advanced Micro Devices, Inc.)
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.28.28 - Avira Operations GmbH & Co. KG)
Avira Connect (HKLM-x32\...\{661C79C2-D156-419C-81CA-D1A2523B0841}) (Version: 1.2.91.10326 - Avira Operations GmbH & Co. KG) Hidden
Avira Connect (HKLM-x32\...\{dd9049b8-31d1-40bd-8c8c-97a7b087a78f}) (Version: 1.2.91.10326 - Avira Operations GmbH & Co. KG)
Avira Phantom VPN (HKLM-x32\...\Avira Phantom VPN) (Version: 2.9.1.24376 - Avira Operations GmbH & Co. KG)
BufferChm (HKLM-x32\...\{FA0FF682-CC70-4C57-93CD-E276F3E7537E}) (Version: 140.0.298.000 - Hewlett-Packard) Hidden
Canon Easy-PhotoPrint EX (HKLM-x32\...\Easy-PhotoPrint EX) (Version: 4.1.6 - Canon Inc.)
Classic Shell (HKLM\...\{840C85B7-D3D6-4143-9AF9-DAE80FD54CFC}) (Version: 4.1.0 - IvoSoft)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - Acro Software Inc.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Destinations (HKLM-x32\...\{D0DFDFA8-1C04-407B-9CB2-A25AB20DD54D}) (Version: 140.0.0.0 - Hewlett-Packard) Hidden
DocProc (HKLM-x32\...\{9B362566-EC1B-4700-BB9C-EC661BDE2175}) (Version: 140.0.185.000 - Hewlett-Packard) Hidden
Dropbox (HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\Dropbox) (Version: 2.8.4 - Dropbox, Inc.)
Gadwin PrintScreen (HKLM-x32\...\Gadwin PrintScreen) (Version: 4.4 - Gadwin Systems, Inc.)
HP Update (HKLM-x32\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard)
hpg5590 (HKLM-x32\...\{10B58EAF-76E3-4382-95B2-4B6C6CB5B49E}) (Version: 140.000.000.000 - Nom de votre société) Hidden
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Malwarebytes version 3.1.2.1733 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.1.2.1733 - Malwarebytes)
Microsoft OneDrive (HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\OneDriveSetup.exe) (Version: 17.3.6799.0327 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 54.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 54.0.1 (x86 en-US)) (Version: 54.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 54.0.1.6388 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MuseScore 1.3 (HKLM-x32\...\MuseScore) (Version: 1.3.0 - Werner Schweer and Others)
paint.net (HKLM\...\{02D89175-E08F-401B-BA30-8B7512B57724}) (Version: 4.0.17 - dotPDN LLC)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.24.1218.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7071 - Realtek Semiconductor Corp.)
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.63.0 - Samsung Electronics Co., Ltd.)
Scan (HKLM-x32\...\{B860FDB8-EC49-47D2-8E9C-3B6C1F437134}) (Version: 14.0.1.0 - Hewlett-Packard) Hidden
Scratch 2 Offline Editor (HKLM-x32\...\{05CBF5E1-BE0B-D8C0-5175-D62BC1F8A21D}) (Version: 255 - Massachusetts Institute of Technology) Hidden
Scratch 2 Offline Editor (HKLM-x32\...\edu.media.mit.Scratch2Editor) (Version: 454 - Massachusetts Institute of Technology)
Skype™ 6.16 (HKLM-x32\...\{1845470B-EB14-4ABC-835B-E36C693DC07D}) (Version: 6.16.105 - Skype Technologies S.A.)
Smart Switch (HKLM-x32\...\{74FA5314-85C8-4E2A-907D-D9ECCCB770A7}) (Version: 4.1.17022.20 - Samsung Electronics Co., Ltd.) Hidden
Smart Switch (HKLM-x32\...\InstallShield_{74FA5314-85C8-4E2A-907D-D9ECCCB770A7}) (Version: 4.1.17022.20 - Samsung Electronics Co., Ltd.)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.29480 - TeamViewer)
Text-To-Speech-Runtime (HKLM-x32\...\{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}) (Version: 1.0.0.0 - Magix Development GmbH)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WebReg (HKLM-x32\...\{8EE94FD8-5F52-4463-A340-185D16328158}) (Version: 140.0.297.017 - Hewlett-Packard) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WinPcap 4.1.2 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2001 - CACE Technologies)
WinRAR 5.31 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)
Zahlenbuch 1 (HKLM-x32\...\Zahlenbuch 1) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox,Inc.)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileCoAuthLib64.dll (MicrosoftCorporation)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox,Inc.)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox,Inc.)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox,Inc.)
CustomCLSID: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox,Inc.)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll [2017-04-12] (MicrosoftCorporation)
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll [2017-04-12] (MicrosoftCorporation)
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll [2017-04-12] (MicrosoftCorporation)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)
ShellIconOverlayIdentifiers: [EnhancedStorageShell] -> {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} => C:\Windows\System32\EhStorShell.dll [2014-10-29] (MicrosoftCorporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll [2017-04-12] (MicrosoftCorporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll [2017-04-12] (MicrosoftCorporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll [2017-04-12] (MicrosoftCorporation)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => C:\Windows\system32\syncui.dll [2014-10-29] (MicrosoftCorporation)
ContextMenuHandlers1: [Open With] -> {09799AFB-AD67-11d1-ABCD-00C04FC30936} => C:\Windows\system32\shell32.dll [2017-05-12] (MicrosoftCorporation)
ContextMenuHandlers1: [Open With EncryptionMenu] -> {A470F8CF-A1E8-4f65-8335-227475AA5C46} => C:\Windows\system32\shell32.dll [2017-05-12] (MicrosoftCorporation)
ContextMenuHandlers1: [Sharing] -> {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} => C:\Windows\system32\ntshrui.dll [2016-08-25] (MicrosoftCorporation)
ContextMenuHandlers1: [Shell Extension for Malware scanning] -> {45AC2688-0253-4ED8-97DE-B5370FA7D48A} => C:\Program Files (x86)\Avira\Antivirus\shlext64.dll [2017-07-04] (AviraOperationsGmbH&Co.KG)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => D:\WINRAR\rarext64.dll [2016-02-04] (AlexanderRoshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => D:\WINRAR\rarext.dll [2016-02-04] (AlexanderRoshal)
ContextMenuHandlers1-x32: [WorkFolders] -> {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} => C:\Windows\System32\WorkfoldersShell.dll [2014-10-29] (MicrosoftCorporation)
ContextMenuHandlers2: [EnhancedStorageShell] -> {2854F705-3548-414C-A113-93E27C808C85} => C:\Windows\System32\EhStorShell.dll [2014-10-29] (MicrosoftCorporation)
ContextMenuHandlers2: [Sharing] -> {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} => C:\Windows\system32\ntshrui.dll [2016-08-25] (MicrosoftCorporation)
ContextMenuHandlers3: [CopyAsPathMenu] -> {f3d06e7c-1e45-4a26-847e-f9fcdee59be0} => C:\Windows\system32\shell32.dll [2017-05-12] (MicrosoftCorporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)
ContextMenuHandlers3: [SendTo] -> {7BA4C740-9E81-11CF-99D3-00AA004AE837} => C:\Windows\system32\shell32.dll [2017-05-12] (MicrosoftCorporation)
ContextMenuHandlers4: [EncryptionMenu] -> {A470F8CF-A1E8-4f65-8335-227475AA5C46} => C:\Windows\system32\shell32.dll [2017-05-12] (MicrosoftCorporation)
ContextMenuHandlers4: [Sharing] -> {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} => C:\Windows\system32\ntshrui.dll [2016-08-25] (MicrosoftCorporation)
ContextMenuHandlers4: [WorkFolders] -> {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} => C:\Windows\System32\WorkfoldersShell.dll [2014-10-29] (MicrosoftCorporation)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll [2013-11-01] (AdvancedMicroDevices,Inc.)
ContextMenuHandlers5: [New] -> {D969A300-E7FF-11d0-A93B-00A0C90F2719} => C:\Windows\system32\shell32.dll [2017-05-12] (MicrosoftCorporation)
ContextMenuHandlers5: [Sharing] -> {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} => C:\Windows\system32\ntshrui.dll [2016-08-25] (MicrosoftCorporation)
ContextMenuHandlers5: [WorkFolders] -> {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} => C:\Windows\System32\WorkfoldersShell.dll [2014-10-29] (MicrosoftCorporation)
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => C:\Windows\system32\syncui.dll [2014-10-29] (MicrosoftCorporation)
ContextMenuHandlers6: [Library Location] -> {3dad6c5d-2167-4cae-9914-f99e41c12cfa} => C:\Windows\system32\shell32.dll [2017-05-12] (MicrosoftCorporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)
ContextMenuHandlers6: [PintoStartScreen] -> {470C0EBD-5D73-4d58-9CED-E91E22E23282} => C:\Windows\system32\shell32.dll [2017-05-12] (MicrosoftCorporation)
ContextMenuHandlers6: [Shell Extension for Malware scanning] -> {45AC2688-0253-4ED8-97DE-B5370FA7D48A} => C:\Program Files (x86)\Avira\Antivirus\shlext64.dll [2017-07-04] (AviraOperationsGmbH&Co.KG)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper64.dll [2014-04-20] (IvoSoft)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => D:\WINRAR\rarext64.dll [2016-02-04] (AlexanderRoshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => D:\WINRAR\rarext.dll [2016-02-04] (AlexanderRoshal)
ContextMenuHandlers1_S-1-5-21-4196555498-3720175132-1304911588-1001: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll [2017-04-12] (MicrosoftCorporation)
ContextMenuHandlers1_S-1-5-21-4196555498-3720175132-1304911588-1001: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)
ContextMenuHandlers4_S-1-5-21-4196555498-3720175132-1304911588-1001: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll [2017-04-12] (MicrosoftCorporation)
ContextMenuHandlers4_S-1-5-21-4196555498-3720175132-1304911588-1001: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)
ContextMenuHandlers5_S-1-5-21-4196555498-3720175132-1304911588-1001: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll [2017-04-12] (MicrosoftCorporation)
ContextMenuHandlers5_S-1-5-21-4196555498-3720175132-1304911588-1001: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2014-06-20] (Dropbox,Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {006E650B-C0F4-4DA5-ADB8-C4BD9A2F842B} - System32\Tasks\Microsoft\Windows\Shell\FamilySafetyMonitor => C:\Windows\System32\wpcmon.exe [2014-10-29] (MicrosoftCorporation)
Task: {0D8A891D-890C-4808-84D8-2F436AB14653} - System32\Tasks\Microsoft\Windows\Application Experience\AitAgent => C:\Windows\system32\aitagent.exe [2014-10-29] (MicrosoftCorporation)
Task: {2BC666B2-C77B-492D-A698-30536C6C4D42} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator => C:\Windows\System32\wsqmcons.exe [2014-10-29] (MicrosoftCorporation)
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\Windows\System32\AutoWorkplace.exe [2013-08-22] (MicrosoftCorporation)
Task: {3B6D8A73-F20B-4C93-B8FB-56A154F172D2} - System32\Tasks\Microsoft\Windows\Time Zone\SynchronizeTimeZone => C:\Windows\system32\tzsync.exe [2015-07-14] (MicrosoftCorporation)
Task: {3E272BA6-C8A9-4A1A-9572-C6B6E12D3D8E} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => C:\Windows\system32\compattel\DiagTrackRunner.exe [2015-11-17] (MicrosoftCorporation)
Task: {474C611A-1233-4D11-BADA-8D7EDB8F4052} - System32\Tasks\OneDrive Standalone Update Task v2 => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe [2017-04-12] (MicrosoftCorporation)
Task: {6D21C8E9-C77F-4EE7-9252-2D30C930528A} - System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\system32\defrag.exe [2014-10-29] (MicrosoftCorp.)
Task: {73D1388C-336E-40EC-B0B4-62CB862AF2BE} - System32\Tasks\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers => C:\Windows\System32\drvinst.exe [2014-10-29] (MicrosoftCorporation)
Task: {7A1CA63A-3611-4E61-AAFA-1B56F8746F3A} - System32\Tasks\Microsoft\Windows\AppID\PolicyConverter => C:\Windows\system32\appidpolicyconverter.exe [2014-10-29] (MicrosoftCorporation)
Task: {7DD666D5-AC93-428A-B051-BD4F13C8356D} - System32\Tasks\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask => C:\Windows\system32\RAServer.exe [2014-10-29] (MicrosoftCorporation)
Task: {813B346C-59D8-4BD9-BAB2-D651E89C7567} - System32\Tasks\CreateChoiceProcessTask => C:\Windows\BrowserChoice\browserchoice.exe [2013-08-22] (MicrosoftCorporation)
Task: {84400372-B6DB-4852-B387-6CE186EAE25B} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => C:\Windows\System32\MbaeParserTask.exe [2014-10-29] (MicrosoftCorporation)
Task: {8B58F959-C028-4D91-A68F-809BFF6D43D3} - System32\Tasks\User_Feed_Synchronization-{6AE934BC-DEF5-4E11-B6F2-53D09F05C3C9} => C:\Windows\system32\msfeedssync.exe [2014-10-31] (MicrosoftCorporation)
Task: {A216000C-66D3-4E66-8A6E-D98AB5762D3C} - System32\Tasks\Microsoft\Windows\Bluetooth\UninstallDeviceTask => C:\Windows\system32\BthUdTask.exe [2014-10-29] (MicrosoftCorporation)
Task: {A44A1624-C719-4A46-8833-AA65471469C9} - System32\Tasks\Microsoft\Windows\SystemRestore\SR => C:\Windows\system32\srtasks.exe [2014-10-29] (MicrosoftCorporation)
Task: {AAA89DAF-1B4F-447D-AF21-7F0559AC9962} - System32\Tasks\Microsoft\Windows\Windows Media Sharing\UpdateLibrary => C:\Program Files\Windows Media Player\wmpnscfg.exe [2014-10-29] (MicrosoftCorporation)
Task: {AED4C6A3-FD9F-474A-8964-ED5394CC258C} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Uploader => C:\Windows\system32\WSqmCons.exe [2014-10-29] (MicrosoftCorporation)
Task: {BC537794-54F5-4702-8CEB-06F584ECD24A} - System32\Tasks\Microsoft\Windows\SpacePort\SpaceAgentTask => C:\Windows\system32\SpaceAgent.exe [2014-10-29] (MicrosoftCorporation)
Task: {BC841E27-F833-4A38-9B56-38EDA5ADC311} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2017-07-27] (MicrosoftCorporation)
Task: {C2599556-050C-48B7-98E3-CD224A313FE3} - System32\Tasks\Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck => C:\Windows\system32\appidcertstorecheck.exe [2014-10-29] (MicrosoftCorporation)
Task: {C6FC1C81-D503-4FB5-831E-47A92D532742} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-4196555498-3720175132-1304911588-1001 => C:\Users\Martinez Séverine\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2017-04-12] (MicrosoftCorporation)
Task: {CBD3EF37-0E38-431A-A6E8-607C56893A63} - System32\Tasks\Microsoft\Windows\MUI\LPRemove => C:\Windows\system32\lpremove.exe [2014-10-29] (MicrosoftCorporation)
Task: {D08F1AB1-8F5E-4779-937E-7A750E734C77} - System32\Tasks\Microsoft\Windows\DiskCleanup\SilentCleanup => C:\Windows\system32\cleanmgr.exe [2014-10-29] (MicrosoftCorporation)
Task: {D6F4A061-CEFB-4F38-81EC-6E80ECDD3011} - System32\Tasks\Microsoft\Windows\Location\Notifications => C:\Windows\System32\LocationNotifications.exe [2014-10-29] (MicrosoftCorporation)
Task: {E075AC73-7FC0-4ACD-9F28-DD590C391C1C} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting => C:\Windows\system32\wermgr.exe [2014-10-29] (MicrosoftCorporation)
Task: {EB9EEB66-5420-435D-B48D-51FD3AD470E7} - System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver => C:\Windows\system32\DFDWiz.exe [2014-10-29] (MicrosoftCorporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2015-06-15 22:08 - 2013-10-23 15:24 - 000087600 _____ () C:\Windows\System32\cpwmon64.dll
2017-08-05 21:52 - 2017-08-06 09:33 - 002260432 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7936 more sites.

IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\...\123simsen.com -> www.123simsen.com

There are 7936 more sites.


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 15:25 - 2013-08-22 15:25 - 000000824 ____N C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4196555498-3720175132-1304911588-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Martinez Séverine\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 194.154.192.101 - 194.154.192.102
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Adobe ARM"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "QuickTime Task"
HKLM\...\StartupApproved\Run32: => "HP Software Update"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{C27AB382-FA7C-40B6-99B0-F937AAF4A625}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{5369A80C-383D-4896-9673-7DAD321B2536}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{EDAAFE55-EC5A-4E41-9B14-7DE243CB723B}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{CFA0BFE2-B87B-4BC2-B2CC-B994E8257137}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{91959BEA-31D7-4DB3-BB98-F06AFF0D4506}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [TCP Query User{7BE00473-951F-4A8D-BF06-DD65B7879D9C}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{3807AB16-8A67-45C8-A309-D80364157B93}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{20CC5836-A03E-4CAF-BFFA-3AD7E7658513}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{D2895C0E-DEEA-41A0-B813-FF00798F5937}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{E0306EFC-59F5-47F6-8359-1FF35CA13FAB}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{8A44A126-323F-44F5-9337-792350F2716E}] => (Allow) LPort=2869
FirewallRules: [{38FBC4D5-75D6-4E8C-B836-88ABEFF66640}] => (Allow) LPort=1900
FirewallRules: [{845ACCEF-95E9-4ECB-9F74-0B29421B4A35}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3FB5CB4E-96B9-4243-8712-5B1D52265E8F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{398CF602-3895-4C2E-90F0-F204C152AC98}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{A15B9686-9CAA-4436-B095-B4EA7D2199AA}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{8025B988-3192-4D7A-9575-CB3C901E187E}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{4525ED1E-87BF-4F66-9687-8859E2E8D4C5}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{D3148C65-6208-4989-B0E8-56D3E9718DD7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D539F3F4-10B2-4B12-8075-536FFD215EB3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{F22165F9-64A1-4F79-A76C-B9CB6DDEF604}D:\emule\emule.exe] => (Allow) D:\emule\emule.exe
FirewallRules: [UDP Query User{E729EE87-7030-45EB-A584-21FBAEF75A01}D:\emule\emule.exe] => (Allow) D:\emule\emule.exe
FirewallRules: [{98148015-9000-41C3-9C35-4BF906F56043}] => (Allow) D:\qBittorrent\qbittorrent.exe
FirewallRules: [{5FB4F86E-A59C-45D2-86D2-DE32C9C85586}] => (Allow) D:\qBittorrent\qbittorrent.exe
FirewallRules: [{D936B8BA-A945-4043-A7A2-C68B800CC84B}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Temp\7zS348B\HPDiagnosticCoreUI.exe
FirewallRules: [{4CFC9AD5-9993-47A4-9F25-7C14D6593CEA}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Temp\7zS348B\HPDiagnosticCoreUI.exe
FirewallRules: [{89D60B3C-638A-4782-AD42-2419FA6DE4B1}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Temp\7zS352F\HPDiagnosticCoreUI.exe
FirewallRules: [{B1050C5C-4A51-44BB-AEAB-72FA4DBB43A9}] => (Allow) C:\Users\Martinez Séverine\AppData\Local\Temp\7zS352F\HPDiagnosticCoreUI.exe
FirewallRules: [{63F6FEE5-E1A7-4551-A78B-8A56F4D3F317}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqkygrp.exe
FirewallRules: [{1CF62F40-50C0-4544-A406-A9918F598FEF}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpfccopy.exe
FirewallRules: [{EB231610-939F-4603-9A39-48431285DBE2}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe
FirewallRules: [{7030F71B-843E-4B21-B649-E2E0C6E59A55}] => (Allow) C:\Program Files (x86)\HP\hp software update\hpwucli.exe
StandardProfile\AuthorizedApplications: [D:\FOTOBUCH\fotobuch.de\Designer 2.0\Designer.exe] => Designer.exe

==================== Restore Points =========================

27-07-2017 18:11:37 Installé Microsoft Office Standard Edition 2003
01-08-2017 14:36:41 Avira System Speedup Optimization
02-08-2017 22:47:16 Restore Point Created by FRST
06-08-2017 22:08:44 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/06/2017 10:17:20 PM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1260) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/06/2017 10:17:20 PM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1260) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (08/06/2017 10:17:10 PM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1260) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/06/2017 10:17:10 PM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1260) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (08/06/2017 10:16:40 PM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1260) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/06/2017 10:16:40 PM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1260) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (08/06/2017 10:16:30 PM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1260) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/06/2017 10:16:30 PM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1260) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (08/06/2017 10:16:20 PM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (1260) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.

Error: (08/06/2017 10:16:20 PM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1260) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).


System errors:
=============
Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Update service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Management Instrumentation service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Themes service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Shell Hardware Detection service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The System Event Notification Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Task Scheduler service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Profile Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Multimedia Class Scheduler service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Server service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (08/06/2017 09:57:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The IP Helper service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.


CodeIntegrity:
===================================
  Date: 2015-06-15 15:48:46.132
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\PDFCRE~1\PDFCRE~1\PDFSpool.exe) attempted to load \Device\HarddiskVolume1\PDF CREATOR\PDFCreator\PDFCreator.exe that did not meet the Microsoft signing level requirements.

  Date: 2015-06-15 15:48:24.400
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\PDFCRE~1\PDFCRE~1\PDFSpool.exe) attempted to load \Device\HarddiskVolume1\PDF CREATOR\PDFCreator\PDFCreator.exe that did not meet the Microsoft signing level requirements.

  Date: 2014-08-24 20:45:08.603
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:45:08.431
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:38.151
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:38.026
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:37.792
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:37.667
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:37.339
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2014-08-24 20:44:37.214
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: AMD A4-6300 APU with Radeon™ HD Graphics
Percentage of memory in use: 46%
Total physical RAM: 3268.81 MB
Available physical RAM: 1744.85 MB
Total Virtual: 3908.81 MB
Available Virtual: 1812.05 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.45 GB) (Free:55.89 GB) NTFS
Drive d: (PROGRAMME) (Fixed) (Total:116.44 GB) (Free:113.11 GB) NTFS
Drive f: (HDD) (Fixed) (Total:29.99 GB) (Free:10.77 GB) NTFS
Drive g: (PHOTOS (800GByte)) (Fixed) (Total:815.07 GB) (Free:432.49 GB) NTFS
Drive h: (DATA) (Fixed) (Total:194.88 GB) (Free:144.68 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 24D034DD)
Partition 1: (Not Active) - (Size=116.4 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=815.1 GB) - (Type=OF Extended)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: DFBD69BF)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.4 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: ACE22E9E)
Partition 1: (Not Active) - (Size=8 GB) - (Type=1C)
Partition 2: (Active) - (Size=30 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=194.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


After the FRST scan, I turned the Windows firewall on again and noticed that Malewarebytes took the place of Avira in the Control Panel\System and Security\Action Center. I turned Avira PC & Internet protection on again, but I'm not sure if I should have Malwarebytes AND Avira running together. Maybe you could give me some additional advice on whether keep the one, the other or both? Thanks :)

Don't be sorry for the weekend homework! I am really so thankful that there are people like you willing to help solving PC problems (of dummies like me  :smash:  ) and replying with patience during their free time! This is truely awesome :thumbup2: !

Have a good night,

Séverine


Edited by 5Donkeys, 06 August 2017 - 03:41 PM.


#10 garioch7

  • Malware Response Instructor

Posted 07 August 2017 - 01:22 PM

Séverine:

Thank you for the logs.  For some reason, I did not receive an email notification that you had replied. :scratchhead:

I have to go out now, but I will analyze your newest FRST logs tomorrow morning and get back to you.  Sorry about that! :(

Thank you for your understanding and patience.  Have a great day.

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#11 5Donkeys
  • Topic Starter

Posted 07 August 2017 - 04:29 PM

Hi Phil,

no problem!

I just wanted to tell you also that I had this login problem & message tonight with my account (Failed to connect to a Windows service.
Windows couldn't connect to the System Event Notification Service service. This problem prevents standard users from signing in.
As an administrative user, you can review the system event log for details about why the service didn't respond.)

I restarted the PC and could log in as usual.

Out of curiosity, I opened the Event Viewer from Start > Search and saw that in the Windows Logs > System, there is this Kernel General source acting on my PC. Here is the detail of one of these logs as text:

Log Name:      System
Source:        Microsoft-Windows-Kernel-General
Date:          07/08/2017 18:44:26
Event ID:      16
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      Martinez-PC
Description:
The access history in hive \??\Volume{a30d5d31-0196-11e4-8250-806e6f6e6963}\System Volume Information\SPP\SppCbsHiveStore\{cd42efe1-f6f1-427c-b004-033192c625a4}{724E53D6-67A2-4E21-8FC1-6B9C11CBE88C} was cleared updating 0 keys and creating 0 modified pages.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" />
    <EventID>16</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-08-07T16:44:26.814855200Z" />
    <EventRecordID>42556</EventRecordID>
    <Correlation />
    <Execution ProcessID="4912" ThreadID="3980" />
    <Channel>System</Channel>
    <Computer>Martinez-PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="HiveNameLength">171</Data>
    <Data Name="HiveName">\??\Volume{a30d5d31-0196-11e4-8250-806e6f6e6963}\System Volume Information\SPP\SppCbsHiveStore\{cd42efe1-f6f1-427c-b004-033192c625a4}{724E53D6-67A2-4E21-8FC1-6B9C11CBE88C}</Data>
    <Data Name="KeysUpdated">0</Data>
    <Data Name="DirtyPages">0</Data>
  </EventData>
</Event>

I did not make any change in any settings, just looking :)

In the Application tab of that same view, there is a huge list of errors (every 10-30 seconds) with ESENT as source.

Here is the content of one of the latest logs:

Log Name:      Application
Source:        ESENT
Date:          07/08/2017 23:24:10
Event ID:      455
Task Category: Logging/Recovery
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Martinez-PC
Description:
svchost (1268) SRUJet: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Windows\system32\SRU\SRU.log.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="0">455</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-08-07T21:24:10.000000000Z" />
    <EventRecordID>2458713</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Martinez-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>svchost</Data>
    <Data>1268</Data>
    <Data>SRUJet: </Data>
    <Data>C:\Windows\system32\SRU\SRU.log</Data>
    <Data>-1032 (0xfffffbf8)</Data>
  </EventData>
</Event>

Hope this helps to solve the problem...

Have a beautiful evening, Phil!

Kind regards,

Séverine



#12 garioch7

  • Malware Response Instructor

Posted 08 August 2017 - 08:09 AM

Séverine:

Thank you for the update and also for your patience while I analyzed your newest FRST logs.

Thank you also for pointing out the "dead link" in my cold boot explanation. I have amended that for a live link.

The "System.dll" file has disappeared from your latest FRST logs.

.

:step1: Please run a FRST fix for me. I see a couple of files that I want to check on, and I will remove the remnants that were left behind when you uninstalled Bittorrent.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Start::
CreateRestorePoint:
CloseProcesses:
File: C:\Windows\system32\defrag.exe
2017-07-26 18:43 - 2017-06-14 16:08 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Roaming\qBittorrent
FirewallRules: [{8025B988-3192-4D7A-9575-CB3C901E187E}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{4525ED1E-87BF-4F66-9687-8859E2E8D4C5}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{98148015-9000-41C3-9C35-4BF906F56043}] => (Allow) D:\qBittorrent\qbittorrent.exe
FirewallRules: [{5FB4F86E-A59C-45D2-86D2-DE32C9C85586}] => (Allow) D:\qBittorrent\qbittorrent.exe
File: D:\emule\emule.exe
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy" to copy the "fix" script into the Windows clipboard.
  • Right click FRST64.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.

:step2: Please run a System File Checker (SFC) scan to assess the integrity of the Windows file system.

  • Click on the "Start" button.
  • In the "search" box at the bottom, type cmd.
  • Look for Cmd.exe to appear at the top of the menu.
  • Right-click on cmd.exe and choose Run As Administrator.
  • Type sfc /scannow. Ensure that there is a space between "sfc" and "/scannow"
  • The scan will start and may take from 20 minutes to an hour to run.
  • Please report the results from the System File Checker in your next post. Does it report "No Resource Integrity Violations Found", "Errors Repaired", or "Unable to Repair", or words to that effect?
  • If System File Checker reports that some errors were corrected, and some errors were not corrected, please re-run the System File Checker again, as it does happen that it can not fix all of the errors detected in a single run.
  • If it again reports that some errors were corrected, and some errors were not corrected, please run it a third time.

If SFC reports uncorrectable errors, please immediately navigate to the folder: C:\Windows\Logs\CBS, locate the file "CBS.log", and copy, not move it, to your Desktop. That file is "volatile", so we need to ensure that it is not overwritten with new results.

.

:step3: We need to check your hard disk for errors.

To determine if your C: drive is an SSD or conventional hard drive for Windows 8/8.1 or 10, please press the Windows logo key and search for "optimize" in the Windows Start menu. Select: Defragment and optimize your drives. See this link for more information.
For Windows 7 and earlier, please press the Windows logo key + R together, then type control and press the <Enter> key. Click on "System and Security" and then click on "Device Manager". Next, click on "Disk Drives" to open up a list of disk drives on your computer. If it is an SSD drive, it should say so in the description; but if you are not sure, "Google" the model number of the drive that you want to run chkdsk on.

It is important not to run chkdsk /r on an SSD as it will lead to excessive wear and shorten the life of an SSD. For SSD drives, use the chkdsk /f command.

  • Please open an Elevated Command Prompt. To do this:
    • Press the Windows "Start" button.
    • Type "cmd.exe" into the "Search" box.
    • At the top of the list that generates, you should see "cmd.exe".
    • Right click "cmd.exe" and select "Run as Administrator".
  • Type the following command exactly: chkdsk /r unless you have an SSD hard drive, in which case, type chkdsk /f.
  • Please note that there is a space between "chkdsk" and "/r" or "/f".
  • You will get a message that the volume is locked and do you want to reboot.
  • Click on "Yes" to permit the computer to reboot.
  • When the computer reboots, do not press any keys. Let the chkdsk run, which will take several hours.
  • The computer will reboot automatically when the "chkdsk" has finished.

Please follow the instructions here to find the results of the "chkdsk" scan.

Please copy and paste those results into your next reply.

You should run this command when you will not need your computer. The chkdsk scan can take five to ten hours, or more, depending on whether the hard drive is SSD or conventional, and the size and amount of data on the drive, and whether CHKDSK has to attempt repairs.

.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
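As an added example, not part of this thread, of FRST, or of Phil's instructions, the PowerShell below applies the step 3 decision (chkdsk /r on a rotating disk, /f on an SSD, and /f when the media type is unknown, since /r's surface scan is what wears an SSD) and then pulls the disk-check report out of the Application log the way step 3 asks for it. It assumes the Storage cmdlets of Windows 8 and later (Get-Partition, Get-Disk, Get-PhysicalDisk), that a physical disk's DeviceId equals its disk number, and that the boot-time report is logged by Microsoft-Windows-Wininit as event 1001, as in Séverine's log; the function names are my own.

```powershell
# Added example, not from the thread or from FRST. Assumes Windows 8+ Storage
# cmdlets and Get-WinEvent. Run from an elevated PowerShell prompt, as chkdsk
# itself requires elevation.

function Get-ChkdskSwitch {
    # Returns '/r' for a rotating disk and '/f' for an SSD or an unknown media type.
    # chkdsk /r reads every sector (surface scan), which wears an SSD;
    # /f only repairs file-system metadata, so it is the safe default.
    param([Parameter(Mandatory)][string]$DriveLetter)

    $disk = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop | Get-Disk
    # Assumption: DeviceId of a physical disk matches the Number shown by Get-Disk.
    $phys = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq [string]$disk.Number }

    $media = if ($phys) { [string]$phys.MediaType } else { 'Unspecified' }
    switch ($media) {
        'HDD'   { return '/r' }
        'SSD'   { return '/f' }
        default {
            Write-Warning "Media type of ${DriveLetter}: is '$media'; using /f to avoid SSD wear"
            return '/f'
        }
    }
}

function Get-ChkdskReport {
    # Reads the most recent boot-time disk-check report (Wininit, event 1001)
    # and summarises it, so the numbers need not be copied out of Event Viewer.
    param([int]$Newest = 1)

    $filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Newest | ForEach-Object {
        $msg = $_.Message

        # Phrases chkdsk prints at the end of a run; anything else needs a human look.
        $verdict = if ($msg -match 'found no problems') { 'clean' }
                   elseif ($msg -match 'made corrections to the file system') { 'repaired' }
                   else { 'inspect' }

        $badKb = if ($msg -match '(\d+) KB in bad sectors') { [int64]$Matches[1] } else { $null }

        # Orphaned index entries / security descriptors chkdsk removed (646 each in this thread).
        $cleaned = 0
        foreach ($m in [regex]::Matches($msg, 'Cleaning up (\d+) unused')) {
            $cleaned += [int]$m.Groups[1].Value
        }

        [pscustomobject]@{
            Time         = $_.TimeCreated
            Volume       = if ($msg -match 'Checking file system on ([A-Za-z]):') { $Matches[1] } else { '?' }
            Verdict      = $verdict
            BadSectorKB  = $badKb
            CleanedItems = $cleaned
        }
    }
}

# Usage:
#   $sw = Get-ChkdskSwitch -DriveLetter C    # '/f' for the SSD described in this thread
#   chkdsk C: $sw                            # answer Y to schedule the check for the next boot
#   Get-ChkdskReport                         # after the reboot; Verdict 'clean' matches step 3's expected result
```

If Get-WinEvent reports that no events match, the check has not run yet or was logged under a different provider on that Windows version; that is when to fall back to the Event Viewer search described in step 3.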


#13 5Donkeys
  • Topic Starter

Posted 10 August 2017 - 12:55 AM

Hi Phil,

Hope you're doing fine! Thanks for checking my latest answers :)

:step1: Done. Here is the content of the Fixlog.txt file:

Fix result of Farbar Recovery Scan Tool (x64) Version: 09-08-2017
Ran by Martinez Séverine (09-08-2017 21:01:06) Run:3
Running from D:\Farbar Recovery Scan Tool BleepingComputer
Loaded Profiles: Martinez Séverine (Available Profiles: Martinez Séverine & Margot & Nicolas)
Boot Mode: Normal
==============================================

fixlist content:
*****************

CreateRestorePoint:
CloseProcesses:
File: C:\Windows\system32\defrag.exe
2017-07-26 18:43 - 2017-06-14 16:08 - 000000000 ____D C:\Users\Martinez Séverine\AppData\Roaming\qBittorrent
FirewallRules: [{8025B988-3192-4D7A-9575-CB3C901E187E}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{4525ED1E-87BF-4F66-9687-8859E2E8D4C5}] => (Allow) C:\Users\Martinez Séverine\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{98148015-9000-41C3-9C35-4BF906F56043}] => (Allow) D:\qBittorrent\qbittorrent.exe
FirewallRules: [{5FB4F86E-A59C-45D2-86D2-DE32C9C85586}] => (Allow) D:\qBittorrent\qbittorrent.exe
File: D:\emule\emule.exe

*****************

Restore point was successfully created.
Processes closed successfully.

========================= File: C:\Windows\system32\defrag.exe ========================

File is digitally signed
MD5: 537BFBA3084BAE2892C0FCAA08A12C0B
Creation and modification date: 2015-03-14 13:52 - 2014-10-29 03:18
Size: 000184832
Attributes: ----A
Company Name: Microsoft Corp.
Internal Name: Defrag.EXE
Original Name: Defrag.EXE
Product: Windows Drive Optimizer
Description: Disk Defragmenter Module
File Version: 6.3.9600.17415 (winblue_r4.141028-1500)
Product Version: 6.3.9600.17415
Copyright: © 2013 Microsoft Corp.
VirusTotal: https://www.virustotal.com/file/e12f5a5804519a4c8f4eda5b27b3477d89aa4b80e5d9bfa359c1d6794d947965/analysis/1500837427/

====== End of File: ======

"C:\Users\Martinez Séverine\AppData\Roaming\qBittorrent" => not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8025B988-3192-4D7A-9575-CB3C901E187E} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4525ED1E-87BF-4F66-9687-8859E2E8D4C5} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{98148015-9000-41C3-9C35-4BF906F56043} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5FB4F86E-A59C-45D2-86D2-DE32C9C85586} => value not found.

========================= File: D:\emule\emule.exe ========================

"D:\emule\emule.exe" => not found.
====== End of File: ======



The system needed a reboot.

==== End of Fixlog 21:01:27 ====



:step2: Result of the System File Checker (SFC) scan was "Windows Resource Protection did not find any integrity violations." which sounds good to me.


:step3: My C:\ is an SSD. When running Find Next in the Application log of the Event Viewer, the system could not find the log for Chkdsk, but returned the log for Wininit instead. Here is the log of Wininit:

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          10/08/2017 02:10:33
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Martinez-PC
Description:


Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.

Stage 1: Examining basic file system structure ...
  286208 file records processed.
File verification completed.
  9932 large file records processed.
  0 bad file records processed.
Stage 2: Examining file name linkage ...
  381024 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.
Stage 3: Examining security descriptors ...
Cleaning up 646 unused index entries from index $SII of file 0x9.
Cleaning up 646 unused index entries from index $SDH of file 0x9.
Cleaning up 646 unused security descriptors.
Security descriptor verification completed.
  47409 data files processed.
CHKDSK is verifying Usn Journal...
  37956384 USN bytes processed.
Usn Journal verification completed.

Windows has scanned the file system and found no problems.
No further action is required.

 116859903 KB total disk space.
  60764232 KB in 210937 files.
    172624 KB in 47410 indexes.
         0 KB in bad sectors.
    400063 KB in use by the system.
     65536 KB occupied by the log file.
  55522984 KB available on disk.

      4096 bytes in each allocation unit.
  29214975 total allocation units on disk.
  13880746 allocation units available on disk.

Internal Info:
00 5e 04 00 37 f1 03 00 e8 c7 07 00 00 00 00 00  .^..7...........
a0 11 00 00 59 00 00 00 00 00 00 00 00 00 00 00  ....Y...........

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-08-10T00:10:33.000000000Z" />
    <EventRecordID>2469996</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Martinez-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.                         

Stage 1: Examining basic file system structure ...
  286208 file records processed.                                                        File verification completed.
  9932 large file records processed.                                     0 bad file records processed.                                     
Stage 2: Examining file name linkage ...
  381024 index entries processed.                                                       Index verification completed.
  0 unindexed files scanned.                                          0 unindexed files recovered.                                      
Stage 3: Examining security descriptors ...
Cleaning up 646 unused index entries from index $SII of file 0x9.
Cleaning up 646 unused index entries from index $SDH of file 0x9.
Cleaning up 646 unused security descriptors.
Security descriptor verification completed.
  47409 data files processed.                                           CHKDSK is verifying Usn Journal...
  37956384 USN bytes processed.                                                           Usn Journal verification completed.

Windows has scanned the file system and found no problems.
No further action is required.

 116859903 KB total disk space.
  60764232 KB in 210937 files.
    172624 KB in 47410 indexes.
         0 KB in bad sectors.
    400063 KB in use by the system.
     65536 KB occupied by the log file.
  55522984 KB available on disk.

      4096 bytes in each allocation unit.
  29214975 total allocation units on disk.
  13880746 allocation units available on disk.

Internal Info:
00 5e 04 00 37 f1 03 00 e8 c7 07 00 00 00 00 00  .^..7...........
a0 11 00 00 59 00 00 00 00 00 00 00 00 00 00 00  ....Y...........

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
  </EventData>
</Event>




I used "OPTION TWO" to create CHKDSKResults.txt, which is here below. This might be something to point out in your future support regarding Checkdisk :) I believe it's the same as above...




TimeCreated : 10/08/2017 02:10:33
Message     :
              
              Checking file system on C:
              The type of the file system is NTFS.
              
              
              A disk check has been scheduled.
              Windows will now check the disk.                         
              
              Stage 1: Examining basic file system structure ...
                286208 file records processed.                                                        
              File verification completed.
                9932 large file records processed.                                   
                0 bad file records processed.                                     
              
              Stage 2: Examining file name linkage ...
                381024 index entries processed.                                                       
              Index verification completed.
                0 unindexed files scanned.                                        
                0 unindexed files recovered.                                      
              
              Stage 3: Examining security descriptors ...
              Cleaning up 646 unused index entries from index $SII of file 0x9.
              Cleaning up 646 unused index entries from index $SDH of file 0x9.
              Cleaning up 646 unused security descriptors.
              Security descriptor verification completed.
                47409 data files processed.                                           
              CHKDSK is verifying Usn Journal...
                37956384 USN bytes processed.                                                           
              Usn Journal verification completed.
              
              Windows has scanned the file system and found no problems.
              No further action is required.
              
               116859903 KB total disk space.
                60764232 KB in 210937 files.
                  172624 KB in 47410 indexes.
                       0 KB in bad sectors.
                  400063 KB in use by the system.
                   65536 KB occupied by the log file.
                55522984 KB available on disk.
              
                    4096 bytes in each allocation unit.
                29214975 total allocation units on disk.
                13880746 allocation units available on disk.
              
              Internal Info:
              00 5e 04 00 37 f1 03 00 e8 c7 07 00 00 00 00 00  .^..7...........
              a0 11 00 00 59 00 00 00 00 00 00 00 00 00 00 00  ....Y...........
              
              Windows has finished checking your disk.
              Please wait while your computer restarts.
              


Thank you Phil!

Have a great day :)
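The post above runs into the usual snag of looking for a "Chkdsk" source when the boot-time check is actually logged by Wininit. The following PowerShell is an added example, not code from the thread or from BleepingComputer's guide: it queries both providers, saves the newest result to a CHKDSKResults.txt on the desktop, and pulls a quick verdict (bad sectors, "found no problems") out of the message text. The provider names and event IDs (Microsoft-Windows-Wininit 1001, Chkdsk 26226) are the standard Windows ones; the output path is an assumption.

```powershell
# Added example (not from the thread): find the most recent chkdsk result in the
# Application log and sanity-check it.
# Boot-time chkdsk (autochk) is recorded by the Wininit provider as event 1001,
# which is why searching for a "Chkdsk" source finds nothing after a scheduled
# check; chkdsk run from a logged-on session is recorded by the Chkdsk
# provider as event 26226. Both are queried here.
$filters = @(
    @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001 },
    @{ LogName = 'Application'; ProviderName = 'Chkdsk';                   Id = 26226 }
)

# Get-WinEvent raises a non-terminating "No events were found" error when a
# filter matches nothing, so that case is silenced and handled below.
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}
$latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1

if (-not $latest) {
    Write-Warning 'No chkdsk result found in the Application log.'
    return
}

# Save the full text, like the CHKDSKResults.txt posted above (path assumed).
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'CHKDSKResults.txt'
$latest | Format-List TimeCreated, ProviderName, Id, Message | Out-File $out -Encoding UTF8

# Quick verdict from the message text: the bad-sector count and whether chkdsk
# reported a clean file system or had to make corrections.
$msg        = $latest.Message
$badSectors = if ($msg -match '(\d+) KB in bad sectors') { [int]$Matches[1] } else { $null }
$clean      = [bool]($msg -match 'found no problems')
$corrected  = [bool]($msg -match 'made corrections to the file system')

[pscustomobject]@{
    When        = $latest.TimeCreated
    Source      = $latest.ProviderName
    BadSectorKB = $badSectors
    NoProblems  = $clean
    Corrected   = $corrected
    SavedTo     = $out
}
```

For the log quoted in the post this would report 0 KB in bad sectors and NoProblems = True.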


 



#14 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,855 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:01:09 AM

Posted 10 August 2017 - 12:08 PM

Séverine:

 

Thank you for your logs.  Both your SFC and chkdsk logs were normal.

 

How is your computer working now?

 

I am not seeing any malware remaining.  If there are still issues with your computer or your children's accounts, please let me know and provide me with as much detail as possible about any error messages that you receive.  I will try to find a solution for you.  It might be necessary, if there are account corruption issues, to refer you to the Windows 8/8.1 Forum here if I can't find a solution, but let's see what I can do to help you first.

 

Thank you and have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#15 5Donkeys

5Donkeys
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:09 AM

Posted 11 August 2017 - 09:33 AM

Hi Phil,

 

thank you for checking my last post!

 

Here is what I can tell you about how my PC is working now:

 

:step1:  The Msft_Kernel_avusbflt_01011.Wdf file is still in the folder C:\Windows\System32\drivers, with 0KB. Can I just hit delete?

 

:step2:  When I start my PC and log into my account, I still get the following message (as described in post #11):

Failed to connect to a Windows service.
Windows couldn't connect to the System Event Notification Service service. This problem prevents standard users from signing in.
As an administrative user, you can review the system event log for details about why the service didn't respond.

 

When I do a Restart, I can access my account as usual.

 

I could access my daughter's account without problem.

 

When accessing my son's account, the PC took a few seconds to bring me to a completely black screen with the white mouse - and nothing worked anymore. I had to shut down the PC by holding the push button. After restarting the PC, I accessed his account without any problem.

 

 

Thanks for your help!

 

Have a great day,

 

Séverine


Edited by 5Donkeys, 11 August 2017 - 09:35 AM.
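The two items in the post above (the 0 KB file under drivers, and the System Event Notification Service message that the error text itself says to follow up in the system event log) can be fact-checked without changing anything on the machine. The following PowerShell is an added example, not from the thread or from the helper: part 1 records the file's size, timestamps, signature and any driver entry pointing at it; part 2 lists SENS with the service it depends on and the Service Control Manager events since the last boot. The event IDs are the standard SCM ones; the script assumes it is run from an elevated PowerShell on the Windows 8.1 machine.

```powershell
# Added example (not from the thread): read-only triage of the two items in the
# post above. Run from an elevated PowerShell (assumption).

# --- Part 1: the file named in the post. Size, timestamps, signer, and whether
# any registered kernel driver references it.
$file = 'C:\Windows\System32\drivers\Msft_Kernel_avusbflt_01011.Wdf'
if (Test-Path $file) {
    Get-Item $file | Select-Object Name, Length, CreationTime, LastWriteTime
    Get-AuthenticodeSignature $file |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    $leaf = Split-Path $file -Leaf
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$leaf*" } |
        Select-Object Name, State, PathName
} else {
    "$file is not present."
}

# --- Part 2: SENS, its dependency chain (SENS requires the COM+ Event System),
# and what the Service Control Manager logged since boot.
$boot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$sens  = Get-Service -Name SENS
$chain = @($sens) + @($sens.ServicesDependedOn)
$chain | Select-Object Name, DisplayName, Status | Format-Table -AutoSize

# SCM event IDs: 7000 failed to start, 7001 dependency failed, 7009/7011
# timeouts, 7022 hung on starting, 7023 terminated with an error.
$scm = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7001, 7009, 7011, 7022, 7023
    StartTime    = $boot
} -ErrorAction SilentlyContinue

# Keep only the entries that mention SENS or the service it depends on.
$scm | Where-Object { $_.Message -match 'Event Notification|COM\+ Event System' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Because the message appears at the first sign-in after a cold start and not after a restart, the events of interest will be the ones timestamped within the first minute or two after $boot.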




