
CSE removal



sreda
2017-01-20, 02:58
Hello, first of all I got infected by CSE and can't remove it. I read a lot of threads online about unchecking the proxy server in Chrome's LAN settings as a temporary fix, but that doesn't help. I read about deleting the dsq and windows security folders in ProgramData, but I don't even have those folders. I ran all kinds of antivirus/malware scans, but nothing helped. When the PC starts, Avira alerts on the TR/Wdfload.crqun virus located in C:\Windows\temp...
I ran an FRST scan and I'll upload the results.


Thanks in advance.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-01-2017
Ran by user (administrator) on USER-PC (20-01-2017 01:28:50)
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
() C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Nero AG) C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Windows\SysWOW64\srvany.exe
() C:\Windows\KMService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
() C:\Program Files (x86)\HTC\HTC Sync Manager\HTC Sync\adb.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
() C:\Windows\Temp\g476D.tmp.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Valve Corporation) D:\stimara\Steam.exe
(SteelSeries ApS) C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Valve Corporation) D:\stimara\bin\cef\cef.win7\steamwebhelper.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7203032 2013-10-22] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2398776 2016-06-15] (NVIDIA Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-05-26] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [917576 2016-12-15] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [60136 2016-11-15] (Avira Operations GmbH & Co. KG)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\Run: [Steam] => D:\stimara\steam.exe [2881824 2017-01-19] (Valve Corporation)
HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-15] (Piriform Ltd)
HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\MountPoints2: {04e1c22c-cff7-11e5-a4da-305a3a06d8ac} - E:\setup.exe
HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\MountPoints2: {850f7c7c-4a81-11e6-b459-305a3a06d8ac} - F:\setup.exe
HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\MountPoints2: {a2affad4-4db9-11e4-8402-806e6f6e6963} - E:\Bin\ASSETUP.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SteelSeries Engine 3.lnk [2016-03-25]
ShortcutTarget: SteelSeries Engine 3.lnk -> C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe (SteelSeries ApS)
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TotalVPN.lnk [2016-06-07]
ShortcutTarget: TotalVPN.lnk -> C:\Users\user\AppData\Local\TotalVPN\TotalVPN.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{AA11746C-2B99-4761-AC8F-AF924F511077}: [DhcpNameServer] 8.8.8.8 8.8.4.4

Internet Explorer:
==================
HKU\S-1-5-21-1618930824-4051046816-776268447-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1618930824-4051046816-776268447-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\w47dog1w.default [2017-01-20]
FF Extension: (Avira Browser Safety) - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\w47dog1w.default\Extensions\abs@avira.com.xpi [2016-02-06]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-03-09] (Adobe Systems)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-09-05] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-03-09] (Adobe Systems)

Chrome:
=======
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default [2017-01-20]
CHR Extension: (Google Translate) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2016-02-17]
CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-02-05]
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-02-05]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-05]
CHR Extension: (FACEIT HELPER) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjdhcabjnhhifipbnopnfpfidkafanjf [2017-01-15]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-02-05]
CHR Extension: (Ban Checker for Steam) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canbadmphamemnmdfngmcabnjmjgaiki [2016-10-13]
CHR Extension: (Adblock Plus) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-10-26]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-05]
CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-02-05]
CHR Extension: (Ban Checker For Steam With History) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fidfhokmiihfkmkhgpacakihkehklhka [2016-11-26]
CHR Extension: (Avira Browser Safety) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-09-21]
CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2017-01-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-02-05]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [1089592 2016-12-15] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [476736 2016-12-15] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [476736 2016-12-15] (Avira Operations GmbH & Co. KG)
S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1490296 2016-12-15] (Avira Operations GmbH & Co. KG)
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe [936728 2013-05-07] ()
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [350528 2016-11-24] (Avira Operations GmbH & Co. KG)
S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe [1369464 2016-01-15] (Disc Soft Ltd)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1165368 2016-06-15] (NVIDIA Corporation)
R2 HTCMonitorService; C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2014-06-27] (Nero AG)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
R2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2014-10-06] () [File not signed]
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1881144 2016-06-15] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3634232 2016-06-15] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2522680 2016-06-15] (NVIDIA Corporation)
S3 Origin Client Service; D:\orgin\Origin\OriginClientService.exe [2104840 2016-02-21] (Electronic Arts)
S3 OVPNService; C:\Users\user\AppData\Local\TotalVPN\OVPN.Service.exe [20080 2016-06-28] ()
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-22] ()
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [176464 2016-12-15] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [148032 2016-12-15] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [79696 2016-05-11] (Avira Operations GmbH & Co. KG)
S3 DFX11_1; C:\Windows\System32\drivers\dfx11_1x64.sys [28008 2015-08-31] (Windows (R) Win 7 DDK provider)
R3 DFX12; C:\Windows\System32\drivers\dfx12x64.sys [29688 2015-11-12] (Windows (R) Win 7 DDK provider)
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2016-02-07] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47672 2016-02-07] (Disc Soft Ltd)
S1 FACEIT; C:\Windows\System32\Drivers\FACEIT.sys [3868168 2016-12-10] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [54736 2017-01-20] ()
S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV64.sys [121800 2010-03-09] (QUALCOMM Incorporated)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-08-07] (Intel Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [36600 2014-08-19] (Riverbed Technology, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [28216 2016-06-15] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [56384 2016-04-14] (NVIDIA Corporation)
S3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam620.sys [59608 2014-09-02] (Realtek Corporation)
R3 ssdevfactory; C:\Windows\System32\DRIVERS\ssdevfactory.sys [40576 2016-03-09] (SteelSeries ApS)
R3 sshid; C:\Windows\System32\DRIVERS\sshid.sys [51400 2016-02-02] (SteelSeries ApS)
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
S3 vdrive; system32\DRIVERS\vdrive.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-20 01:28 - 2017-01-20 01:29 - 00020285 _____ C:\Users\user\Desktop\FRST.txt
2017-01-20 01:08 - 2017-01-20 01:08 - 00132663 _____ C:\Users\user\Desktop\bookmarks_1_20_17.html
2017-01-20 00:55 - 2017-01-20 00:55 - 00004379 _____ C:\Users\user\Desktop\JRT.txt
2017-01-20 00:51 - 2017-01-20 00:49 - 02419712 _____ (Farbar) C:\Users\user\Desktop\FRST64.exe
2017-01-20 00:49 - 2017-01-20 01:28 - 00000000 ____D C:\FRST
2017-01-20 00:26 - 2017-01-20 00:26 - 00054736 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2017-01-20 00:25 - 2017-01-20 01:14 - 00000000 ____D C:\Windows\pss
2017-01-20 00:19 - 2017-01-20 00:19 - 00000728 _____ C:\Windows\system32\.crusader
2017-01-20 00:11 - 2017-01-20 00:23 - 00000000 ____D C:\ProgramData\HitmanPro
2017-01-19 23:10 - 2017-01-20 01:24 - 00000000 ____D C:\AdwCleaner
2017-01-19 22:50 - 2017-01-20 01:29 - 00016702 _____ C:\Windows\System32\Tasks\564b79n60w937
2017-01-19 22:50 - 2017-01-19 22:50 - 00001431 ___RS C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхplоrer.lnk
2017-01-19 22:50 - 2017-01-19 22:50 - 00001427 ___RS C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Eхрlоrеr (64-bit).lnk
2017-01-19 22:50 - 2017-01-19 22:50 - 00000000 ___HD C:\ProgramData\564b79n60w937
2017-01-19 00:34 - 2017-01-19 00:35 - 00000000 ____D C:\ProgramData\Google
2017-01-19 00:34 - 2017-01-19 00:34 - 00000000 ____D C:\Program Files (x86)\GUMA5B6.tmp
2017-01-13 15:04 - 2017-01-13 15:04 - 00517625 _____ C:\Users\user\Desktop\dojavaaa.psd
2017-01-13 14:46 - 2017-01-13 14:53 - 00000000 ____D C:\Users\user\Desktop\photoshop
2017-01-11 00:55 - 2017-01-11 00:55 - 00000112 _____ C:\Users\user\AppData\Roaming\JP2K CS6 Prefs
2017-01-09 15:13 - 2017-01-09 15:13 - 00000000 _____ C:\Users\user\Desktop\New Text Document.txt
2017-01-09 15:03 - 2017-01-09 15:03 - 00003498 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-user-PC-user
2017-01-09 14:58 - 2017-01-09 14:58 - 00000934 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CC 2015.lnk
2017-01-09 14:58 - 2017-01-09 14:58 - 00000000 ____D C:\Users\user\Documents\Adobe
2017-01-09 14:58 - 2017-01-09 14:58 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2017-01-09 14:53 - 2017-01-09 14:58 - 00000000 ____D C:\Program Files\Common Files\Adobe
2017-01-09 14:53 - 2017-01-09 14:58 - 00000000 ____D C:\Program Files\Adobe Photoshop CC 2015
2017-01-09 14:52 - 2017-01-09 14:52 - 00001530 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Application Manager.lnk
2017-01-09 14:52 - 2017-01-09 14:52 - 00001518 _____ C:\Users\Public\Desktop\Adobe Application Manager.lnk
2017-01-09 14:49 - 2017-01-09 14:49 - 00000000 ____D C:\Users\user\AppData\Roaming\Macromedia
2016-12-29 15:01 - 2016-12-29 15:01 - 00025938 _____ C:\Users\user\Desktop\gpp2dioaaaa.docx
2016-12-25 00:04 - 2016-12-25 00:04 - 00000000 ____D C:\Program Files (x86)\Square Enix
2016-12-24 22:52 - 2016-12-25 00:39 - 00000000 ____D C:\Users\user\Documents\Thief
2016-12-24 16:22 - 2017-01-19 22:51 - 00000000 ____D C:\Users\user\AppData\LocalLow\BitTorrent
2016-12-24 11:45 - 2016-12-24 11:45 - 00000000 _____ C:\Users\user\Desktop\pitanjagpp2.docx
2016-12-23 15:31 - 2016-12-23 15:31 - 00000000 ____D C:\Users\user\AppData\Local\2K Games
2016-12-23 15:08 - 2016-12-23 15:08 - 00000800 _____ C:\Users\Public\Desktop\Mafia II.lnk
2016-12-23 15:08 - 2016-12-23 15:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\2K Games
2016-12-22 00:16 - 2016-12-22 00:16 - 00000510 _____ C:\Users\Public\Desktop\Fraps.lnk
2016-12-22 00:16 - 2016-12-22 00:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fraps

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-20 01:18 - 2016-09-27 14:58 - 00000000 ____D C:\Users\user\AppData\Local\HTC MediaHub
2017-01-20 01:18 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-19 23:57 - 2009-07-14 05:45 - 00026544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-19 23:57 - 2009-07-14 05:45 - 00026544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-19 23:11 - 2016-02-24 01:50 - 00000000 ____D C:\Users\user\AppData\Local\CrashDumps
2017-01-19 22:56 - 2016-02-07 20:31 - 00000000 ____D C:\Users\user\AppData\Roaming\BitTorrent
2017-01-19 02:01 - 2009-07-14 06:13 - 00783114 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-19 02:01 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2017-01-19 02:00 - 2016-02-04 19:10 - 00000000 ____D C:\Users\user\AppData\Local\Adobe
2017-01-19 00:35 - 2016-02-05 03:22 - 00000000 ____D C:\Users\user\AppData\Local\Google
2017-01-19 00:35 - 2016-02-04 19:10 - 00000000 ____D C:\Users\user\AppData\Roaming\Adobe
2017-01-16 20:28 - 2016-04-09 01:22 - 00101376 ____H C:\Users\user\Desktop\photothumb.db
2017-01-13 15:40 - 2016-10-07 01:09 - 00000000 ____D C:\Users\user\Desktop\Originals
2017-01-11 02:04 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\NDF
2017-01-10 14:02 - 2014-10-06 17:13 - 00000000 ____D C:\ProgramData\Adobe
2017-01-09 20:20 - 2016-06-15 20:21 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc
2017-01-09 20:12 - 2016-07-24 18:58 - 00000000 ____D C:\Users\user\Downloads\PopcornTime
2017-01-09 15:06 - 2016-03-12 17:44 - 00000000 ____D C:\Users\user\AppData\Local\ElevatedDiagnostics
2017-01-09 14:55 - 2016-02-04 18:57 - 00000000 ____D C:\ProgramData\Package Cache
2017-01-05 22:18 - 2016-03-26 15:10 - 00000000 ____D C:\Users\user\Desktop\alo
2016-12-30 20:04 - 2016-02-14 18:14 - 00000000 ____D C:\Users\user\AppData\Local\Diagnostics
2016-12-24 16:22 - 2014-10-06 16:40 - 00000000 ____D C:\Users\user\AppData\LocalLow
2016-12-23 15:31 - 2016-02-05 22:36 - 00000000 ____D C:\Users\user\AppData\Roaming\NVIDIA

==================== Files in the root of some directories =======

2017-01-11 00:55 - 2017-01-11 00:55 - 0000112 _____ () C:\Users\user\AppData\Roaming\JP2K CS6 Prefs
2014-10-06 16:56 - 2014-10-06 16:56 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\user\AppData\Local\Temp\avgnt.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2010-11-21 04:24] - [2014-10-06 16:39] - 1008640 ____A (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

C:\Windows\SysWOW64\User32.dll
[2010-11-21 04:24] - [2014-10-06 16:39] - 0833024 ____A (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-01-13 16:06

==================== End of FRST.txt ============================
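The log above is read by eye: a process with no vendor running out of C:\Windows\Temp, an unsigned service binary, a scheduled task that has rundll32 load a DLL from a random-named ProgramData folder, and Start Menu shortcuts whose names mix Latin and Cyrillic letters and point at .bat files. The following is an added example, not part of this thread and not Farbar's tooling, that applies the same checks mechanically to FRST-format lines. The sample lines are copied or lightly adapted from the log in this post; the rule names, regular expressions and the "mixed script" heuristic are this example's own choices.

```python
"""Triage helper for FRST-style log lines (added example; not from the
forum thread and not part of FRST). Flags the indicators a helper looks
for by hand in the log above: executables running from C:\\Windows\\Temp,
unsigned service binaries, rundll32 scheduled tasks loading a DLL from
ProgramData, and shortcut names built from Cyrillic homoglyphs."""
import re
import unicodedata

# Sample input in FRST's own line format, taken from the log above. The
# shortcut name uses the same Cyrillic code points as the log (U+0435 ie,
# U+0445 ha, U+043E o), written as escapes so they survive copy/paste.
SAMPLE_LINES = [
    r"() C:\Windows\Temp\g476D.tmp.exe",
    r"(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe",
    r"R2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2014-10-06] () [File not signed]",
    r'Task: {AD0A6BFA-845D-4521-BED8-13AEF96B7898} - System32\Tasks\564b79n60w937 => Rundll32.exe "C:\ProgramData\564b79n60w937\564b79n60w937.dll",bnwlsop',
    "Shortcut: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Int\u0435rn\u0435t E\u0445pl\u043erer.lnk -> C:\\Users\\user\\AppData\\Roaming\\Browsers\\exe.erolpxei.bat (No File)",
    r"Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk -> C:\Windows\system32\notepad.exe",
]

SHORTCUT_RE = re.compile(r"^Shortcut(?:WithArgument)?: (?P<lnk>.+?\.lnk) -> (?P<target>.+)$")
TASK_RE = re.compile(r"^Task: .*? => (?P<cmd>.+)$")
PROCESS_RE = re.compile(r"^\((?P<vendor>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+); (?P<path>[A-Za-z]:\\.+?) \[")


def non_latin_scripts(name):
    """Return the set of script names (first word of the Unicode character
    name, e.g. 'CYRILLIC') of the letters in `name` that are not Latin.
    A file name that should be plain ASCII but yields a non-empty set is a
    homoglyph name like the 'Intеrnеt Eхplоrer.lnk' entries in the log."""
    scripts = set()
    for ch in name:
        if not ch.isalpha():
            continue
        try:
            script = unicodedata.name(ch).split()[0]
        except ValueError:  # unnamed code point
            script = "UNKNOWN"
        if script != "LATIN":
            scripts.add(script)
    return scripts


def triage_line(line):
    """Return a list of (rule, detail) findings for one FRST log line."""
    findings = []
    m = SHORTCUT_RE.match(line)
    if m:
        lnk_name = m.group("lnk").rsplit("\\", 1)[-1]
        scripts = non_latin_scripts(lnk_name)
        if scripts:
            findings.append(("homoglyph-shortcut", f"{lnk_name} uses {sorted(scripts)} letters"))
        # FRST appends " (No File)" when the target is missing; strip it first.
        target = m.group("target").lower().split(" (")[0]
        if target.endswith(".bat"):
            findings.append(("shortcut-to-batch", m.group("target")))
        return findings
    m = TASK_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if cmd.lower().startswith("rundll32") and "\\programdata\\" in cmd.lower():
            findings.append(("rundll32-task-programdata", cmd))
        return findings
    m = PROCESS_RE.match(line)
    if m:
        if "\\windows\\temp\\" in m.group("path").lower():
            findings.append(("process-from-windows-temp", m.group("path")))
        return findings
    m = SERVICE_RE.match(line)
    if m and "[File not signed]" in line:
        findings.append(("unsigned-service-binary", f"{m.group('name')}: {m.group('path')}"))
    return findings


def triage(lines):
    """Run triage_line over every line; return {rule: [detail, ...]}."""
    report = {}
    for line in lines:
        for rule, detail in triage_line(line.rstrip("\r\n")):
            report.setdefault(rule, []).append(detail)
    return report


if __name__ == "__main__":
    # Point this at a saved FRST.txt instead of SAMPLE_LINES to triage a real log.
    for rule, details in sorted(triage(SAMPLE_LINES).items()):
        print(rule)
        for d in details:
            print("   ", d)
```

The script-name check is deliberately coarse: it does not try to map every confusable, it only asks whether a name under the Start Menu or Quick Launch contains any non-Latin letters at all, which is enough to catch the "Intеrnеt Eхplоrer" trick FRST marks with "Cyrillic" in the fix above. Run it over the full FRST.txt and Addition.txt rather than the sample; the Avira process line is included only to show that vendor-signed binaries in Program Files produce no finding.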

Juliet
2017-01-20, 16:12
KMService.exe (RiskWare.Tool.CK)
C:\Windows\SysWOW64\srvany.exe
2014-10-06 17:13 - 2014-10-06 17:12 - 00151552 _____ () C:\Windows\KMService.exe
The above shows the possibility of pirated/cracked software on your machine. If we try to clean your computer and you should return at a later date asking for help, you will be denied because of forum policy against cracked/pirated software.

Please be aware some tools that scan for malware will alert to this and possibly remove the above.

~~~~~~~~~~~~~~~~~
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). Do not use Wordpad or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right-click on it and select Copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).


https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG




start
CreateRestorePoint:
CloseProcesses:
C:\Windows\Temp\g476D.tmp.exe
C:\Windows\TEMP\g476D.tmp.exe
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1618930824-4051046816-776268447-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\Users\user\AppData\Local\Temp\avgnt.exe
Task: {AD0A6BFA-845D-4521-BED8-13AEF96B7898} - System32\Tasks\564b79n60w937 => Rundll32.exe "C:\ProgramData\564b79n60w937\564b79n60w937.dll",bnwlsop <==== ATTENTION
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Eхрlоrеr (64-bit).lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхplоrer.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnet Еxрlorer (No Add-оns).lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооgle Сhrоmе.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Internet Ехplorer Вrowsеr.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Gоoglе Сhromе.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7e94d031d0e938a8\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default
C:\Windows\TEMP\g476B.tmp
AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B [922]
EmptyTemp:
Hosts:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~~~~~~~

AdwCleaner

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) and save the file to your Desktop.
In order to use AdwCleaner, you have to agree to the EULA:
Right-click AdwCleaner.exe and select Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
Click Clean.
Follow the prompts and allow your computer to reboot.
After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/)
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7 or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.


~~~~

Please download the Malwarebytes Anti-Malware (https://downloads.malwarebytes.org/file/mbam) setup file to your Desktop.

OR from this location Here (https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/)


Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
Windows Vista, Windows 7, 8, 8.1 and 10: Right-click and select "Run as Administrator"

On the Dashboard click on Update Now

Go to the Setting Tab>>>>>APPLICATIONS and click on Restore Defaults

Under SETTINGS>>>>>PROTECTION make sure AUTOMATIC QUARANTINE IS ON

Then go to the Dashboard and click on SCAN NOW

When the scan is finished click on EXPORT SUMMARY >>>>> COPY TO CLIPBOARD

Then come back to this thread and, under REPLY TO THIS TOPIC, right-click in the reply and select Paste

Then click on POST


Exit Malwarebytes

~~~~~~~~~~~~~~~
please post
Fixlog.txt
AdwCleaner[C1].txt
JRT.txt
Malwarebytes log
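The fixlist above removes a scheduled task that runs Rundll32.exe against a DLL with a random-looking name under C:\ProgramData, and resets the hosts file. The following script is an added example from the editor, not part of this thread or of FRST: it enumerates every scheduled task through the Schedule.Service COM API (which, unlike Get-ScheduledTask, exists on Windows 7) and flags actions that load code from user-writable locations, then prints any hosts-file line that is not a comment or the default loopback entry. The path patterns and the "random-looking name" heuristic are the editor's assumptions, tuned to the entries in this thread; run it from an elevated PowerShell prompt.

```powershell
# Added example (editor's, not from the thread): audit scheduled tasks and the hosts file
# on a Windows 7+ box using only built-in COM and cmdlets. Run elevated.

function Get-AllTaskFolders($folder) {
    # Emit this folder, then recurse into every subfolder of the task store.
    $folder
    foreach ($sub in $folder.GetFolders(0)) { Get-AllTaskFolders $sub }
}

$svc = New-Object -ComObject Schedule.Service
$svc.Connect()

# Assumption: on a home PC a task has no good reason to execute from these locations.
$userWritable = '(?i)\\(ProgramData|AppData|Temp|Users\\Public)\\'

$suspectTasks = foreach ($folder in Get-AllTaskFolders $svc.GetFolder('\')) {
    foreach ($task in $folder.GetTasks(1)) {            # 1 = include hidden tasks
        $xml = [xml]$task.Xml                            # task definition as XML
        foreach ($exec in @($xml.Task.Actions.Exec)) {   # only Exec actions carry a command line
            if ($exec -eq $null) { continue }
            $cmd      = [string]$exec.Command
            $taskArgs = [string]$exec.Arguments
            $why      = @()

            # rundll32/regsvr32 loading a DLL from a profile directory: the pattern in the fixlist.
            if ($cmd -match '(?i)rundll32|regsvr32' -and $taskArgs -match $userWritable) {
                $why += 'rundll32/regsvr32 loads DLL from user-writable path'
            }
            # The command itself lives in a user-writable directory.
            if ($cmd -match $userWritable) { $why += 'command in user-writable path' }
            # Heuristic (editor's assumption): 10+ mixed letters/digits and no spaces, like 564b79n60w937.
            if ($task.Name -match '^[a-z0-9]{10,}$' -and $task.Name -notmatch '^[a-z]+$') {
                $why += 'random-looking task name'
            }

            if ($why.Count -gt 0) {
                # New-Object PSObject keeps this working on PowerShell 2.0 (Windows 7 default).
                New-Object PSObject -Property @{
                    Task      = $task.Path
                    Command   = $cmd
                    Arguments = $taskArgs
                    Reasons   = ($why -join ', ')
                }
            }
        }
    }
}
$suspectTasks | Format-List

# Hosts file: anything that is not a comment or the default loopback entry deserves a look.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -LiteralPath $hosts | Where-Object {
    $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
}
# A read-only attribute (or an antivirus hosts-file guard) is a common reason a cleanup
# tool reports that it could not replace the file.
(Get-Item -LiteralPath $hosts).Attributes
```

Reading a task's XML does not run it, so this is safe to execute on a suspect machine before deciding what to put in a fixlist; a hit on the first two checks is worth submitting the referenced DLL to a scanner rather than deleting it blind, since legitimate updaters occasionally run from ProgramData as well.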

sreda
2017-01-20, 18:01
Thanks for your reply.

I did all of that, but I think my AV blocked some of the fixlist actions. Should I disable the AV and do that again?

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-01-2017
Ran by user (20-01-2017 16:35:15) Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\Windows\Temp\g476D.tmp.exeC:\Windows\TEMP\g476D.tmp.exe
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1618930824-4051046816-776268447-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\Users\user\AppData\Local\Temp\avgnt.exe
Task: {AD0A6BFA-845D-4521-BED8-13AEF96B7898} - System32\Tasks\564b79n60w937 => Rundll32.exe "C:\ProgramData\564b79n60w937\564b79n60w937.dll",bnwlsop <==== ATTENTION
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rnet E??l?r?r (64-bit).lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t E?pl?rer.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rnet ?x?lorer (No Add-?ns).lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gle ?hr?m?.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Internet ??plorer ?rows?r.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\G?ogl? ?hrom?.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7e94d031d0e938a8\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default
C:\Windows\TEMP\g476B.tmp
AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B [922]
EmptyTemp:
Hosts:
End
*****************

Restore point was successfully created.
Processes closed successfully.
"C:\Windows\Temp\g476D.tmp.exeC:\Windows\TEMP\g476D.tmp.exe" => not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
C:\Users\user\AppData\Local\Temp\avgnt.exe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{AD0A6BFA-845D-4521-BED8-13AEF96B7898} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD0A6BFA-845D-4521-BED8-13AEF96B7898} => key removed successfully
C:\Windows\System32\Tasks\564b79n60w937 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\564b79n60w937 => key removed successfully
"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rnet E??l?r?r (64-bit).lnk" => Could not move.
"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t E?pl?rer.lnk" => Could not move.
"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rnet ?x?lorer (No Add-?ns).lnk" => Could not move.
"C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gle ?hr?m?.lnk" => Could not move.
"C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Internet ??plorer ?rows?r.lnk" => Could not move.
"C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\G?ogl? ?hrom?.lnk" => Could not move.
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7e94d031d0e938a8\Google Chrome.lnk => Shortcut argument removed successfully.
"C:\Windows\TEMP\g476B.tmp" => not found.
C:\ProgramData\TEMP => ":9A870F8B" ADS removed successfully.
Could not move "C:\Windows\System32\Drivers\etc\hosts" => Scheduled to move on reboot.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 102358152 B
Java, Flash, Steam htmlcache => 624630715 B
Windows/system/drivers => 34950985 B
Edge => 0 B
Chrome => 538888861 B
Firefox => 83724060 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 99842 B
systemprofile32 => 118170 B
LocalService => 115860 B
NetworkService => 66228 B
user => 1734165342 B

RecycleBin => 0 B
EmptyTemp: => 2.9 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 20-01-2017 16:37:06)

"C:\Windows\System32\Drivers\etc\hosts" => Could not move
Could not restore Hosts.

==== End of Fixlog 16:37:06 ====

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/20/17
Scan Time: 4:43 PM
Logfile: malwarebytes log.txt
Administrator: Yes

-Software Information-
Version: 3.0.5.1299
Components Version: 1.0.43
Update Package Version: 1.0.1064
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: user-PC\user

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 345676
Time Elapsed: 3 min, 40 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 24
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [1317], [332494],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [1317], [332494],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [1317], [332494],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}, No Action By User, [1317], [327206],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine, No Action By User, [1317], [327205],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine.1, No Action By User, [1317], [327205],1.0.1064
PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{10ECCE17-29B5-4880-A8F5-EAD298611484}, No Action By User, [1317], [327205],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}, No Action By User, [1317], [327205],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\REI_AxControl.DLL, No Action By User, [1317], [327193],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\REI_AxControl.DLL, No Action By User, [1317], [327193],1.0.1064
PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\REIMAGE\PC REPAIR, No Action By User, [1317], [327204],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\REI_AxControl.DLL, No Action By User, [1317], [327193],1.0.1064
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, No Action By User, [1317], [336077],1.0.1064
PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\Reimage - Windows Problem Relief., No Action By User, [1317], [327203],1.0.1064
PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\Reimage, No Action By User, [1317], [357494],1.0.1064

Registry Value: 1
PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\REIMAGE\PC REPAIR|QUITMESSAGE, No Action By User, [1317], [327204],1.0.1064

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.SpeedItUp, C:\WINDOWS\REIMAGE.INI, No Action By User, [1421], [329423],1.0.1064

Physical Sector: 0
(No malicious items detected)


(end)

# AdwCleaner v6.042 - Logfile created 20/01/2017 at 16:50:01
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-20.1 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : user - USER-PC
# Running from : G:\acu2\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164357232\Software\Reimage
Key Found: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164357232\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Key Found: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164407423\Software\Reimage
Key Found: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164407423\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Key Found: [x64] HKLM\SOFTWARE\Reimage


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1736 Bytes] - [19/01/2017 23:20:08]
C:\AdwCleaner\AdwCleaner[C2].txt - [1272 Bytes] - [20/01/2017 00:43:40]
C:\AdwCleaner\AdwCleaner[S0].txt - [1327 Bytes] - [19/01/2017 23:11:17]
C:\AdwCleaner\AdwCleaner[S1].txt - [1672 Bytes] - [19/01/2017 23:19:44]
C:\AdwCleaner\AdwCleaner[S2].txt - [1397 Bytes] - [20/01/2017 00:43:21]
C:\AdwCleaner\AdwCleaner[S3].txt - [1504 Bytes] - [20/01/2017 01:24:27]
C:\AdwCleaner\AdwCleaner[S4].txt - [2099 Bytes] - [20/01/2017 16:50:01]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [2172 Bytes] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Ultimate x64
Ran by user (Administrator) on pet 20.01.2017 at 16:55:06,94
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 9

Successfully deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio (Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DWNLKYI (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8W2YCJ8E (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MFLPDZJA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YI7NFL23 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DWNLKYI (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8W2YCJ8E (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MFLPDZJA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YI7NFL23 (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on pet 20.01.2017 at 16:57:41,28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

sreda
2017-01-20, 18:08
# AdwCleaner v6.042 - Logfile created 20/01/2017 at 16:51:51
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-20.1 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : user - USER-PC
# Running from : G:\acu2\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164357232\Software\Reimage
[-] Key deleted: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164357232\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[-] Key deleted: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164407423\Software\Reimage
[-] Key deleted: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164407423\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[-] Key deleted: [x64] HKLM\SOFTWARE\Reimage


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1736 Bytes] - [19/01/2017 23:20:08]
C:\AdwCleaner\AdwCleaner[C2].txt - [1272 Bytes] - [20/01/2017 00:43:40]
C:\AdwCleaner\AdwCleaner[C3].txt - [1630 Bytes] - [20/01/2017 16:51:51]
C:\AdwCleaner\AdwCleaner[S0].txt - [1327 Bytes] - [19/01/2017 23:11:17]
C:\AdwCleaner\AdwCleaner[S1].txt - [1672 Bytes] - [19/01/2017 23:19:44]
C:\AdwCleaner\AdwCleaner[S2].txt - [1397 Bytes] - [20/01/2017 00:43:21]
C:\AdwCleaner\AdwCleaner[S3].txt - [1504 Bytes] - [20/01/2017 01:24:27]
C:\AdwCleaner\AdwCleaner[S4].txt - [2255 Bytes] - [20/01/2017 16:50:01]

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [2068 Bytes] ##########
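In the Fixlog above the six shortcut entries came back "Could not move": the fixlist as pasted shows "?" where FRST's original scan showed Cyrillic letters (Intеrnet Eхрlоrеr, Gооgle Сhrоmе), so the names FRST was told to move no longer matched the files on disk. The hijack relies on exactly that look-alike trick, replacing browser shortcuts with ones pointing at a .bat under AppData\Roaming\Browsers. The script below is an added example from the editor, not part of this thread or of any of the tools used in it: it resolves every .lnk in the locations FRST listed through WScript.Shell (which reads the shortcut without launching it) and reports names that mix Latin and Cyrillic letters, targets that are scripts or sit in a profile directory, dangling targets, and URLs passed as arguments to a real browser. The location list and the suspicious-extension list are the editor's assumptions.

```powershell
# Added example (editor's, not from the thread): find look-alike (Cyrillic homoglyph) and
# otherwise hijacked browser shortcuts. Assumes Windows 7+ with the WScript.Shell COM object.
$shell = New-Object -ComObject WScript.Shell

# Assumption: where the thread's FRST scan found hijacked shortcuts, plus the usual desktops.
$roots = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop"
)

# Assumption: a browser shortcut should never point at one of these script types.
$scriptExt = '(?i)\.(bat|cmd|vbs|vbe|js|jse|wsf|ps1|hta)$'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)   # parses the .lnk, does not execute it
        $reasons = @()

        # 1. Mixed-script name: Latin and Cyrillic letters together, as in "Intеrnet Eхрlоrеr".
        if ($_.BaseName -match '\p{IsCyrillic}' -and $_.BaseName -match '[A-Za-z]') {
            $reasons += 'homoglyph name'
        }
        # 2. Target is a script rather than the browser executable.
        if ($lnk.TargetPath -match $scriptExt) { $reasons += 'script target' }
        # 3. Target lives in a user-writable profile or temp directory, not Program Files.
        if ($lnk.TargetPath -match '(?i)\\(AppData|ProgramData|Temp)\\') {
            $reasons += 'target in profile/temp dir'
        }
        # 4. Target no longer exists (FRST reported "(No File)" for exactly this case).
        if ($lnk.TargetPath -and -not (Test-Path -LiteralPath $lnk.TargetPath)) {
            $reasons += 'dangling target'
        }
        # 5. A URL handed to a genuine browser binary is the classic start-page hijack.
        if ($lnk.Arguments -match '(?i)https?://') { $reasons += 'URL in arguments' }

        if ($reasons.Count -gt 0) {
            # New-Object PSObject keeps this working on PowerShell 2.0 (Windows 7 default).
            New-Object PSObject -Property @{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Reasons   = ($reasons -join ', ')
            }
        }
    }
}

$findings | Format-List
```

Because the script addresses each file by the path it enumerated, the Cyrillic characters never have to survive a copy-and-paste; to remove a hit, pipe the Shortcut path into Remove-Item -LiteralPath from the same session rather than retyping it. The Emsisoft scan later in this thread is what finally quarantined these six .lnk files.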

Juliet
2017-01-21, 01:55
The malware scan log you posted for MalwareBytes, says No Action Taken.
Can you run that again and allow it to quarantine what is found.

Then post the log and let me see it please.

Whats the computer doing now?

sreda
2017-01-21, 02:42
There were a lot of files in quarantine already (mostly registry keys), before this new scan, and it showed 0 threats. My PC seems fine, CSE is gone.
Also, I ran zemana antimalware scan, and it showed my PC is clean, so it should be all good now. Thanks for your time and help.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/21/17
Scan Time: 12:58 AM
Logfile: malware231.txt
Administrator: Yes

-Software Information-
Version: 3.0.5.1299
Components Version: 1.0.43
Update Package Version: 1.0.1067
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: user-PC\user

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 345774
Time Elapsed: 3 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Juliet
2017-01-21, 13:52
One more thing to do to assure us all is good.




Download Emsisoft Emergency Kit (http://www.emsisoft.com/en/software/eek/download/) and save it to your desktop.
Double-click icon then click Install
A Window should open highlighting Start Emergency Kit Scanner
Right click on the icon and select Run as administrator
Click 1. Update now!
Once the update is completed select Settings under Scan
Uncheck Join the Emsisoft Anti-Malware Network
Click Scan at the top
Click On scan completion
Click Quarantine detected objects, then click OK
Click Malware Scan
Once completed click View Report
Save the file to your Desktop using the default file name
Copy and paste the report in your reply

===============

sreda
2017-01-21, 17:53
Emsisoft Emergency Kit - Version 12.0
Last update: 21.1.2017 16:07:32
User account: user-PC\user
Computer name: USER-PC
OS version: Windows 7x64 Service Pack 1

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: Off
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start: 21.1.2017 16:09:23
C:\Users\user\Desktop\Fixlog.txt detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]

Scanned 76132
Found 1

Scan end: 21.1.2017 16:13:04
Scan time: 0:03:41

C:\Users\user\Desktop\Fixlog.txt Trojan.LNK.StartPage.B (B)

Quarantined 1


After that, I ran a custom scan with Detect PUPs: On

Emsisoft Emergency Kit - Version 12.0
Last update: 21.1.2017 16:07:32
User account: user-PC\user
Computer name: USER-PC
OS version: Windows 7x64 Service Pack 1

Scan settings:

Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\, D:\, G:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start: 21.1.2017 16:15:11
C:\FRST\Logs\Fixlog_20-01-2017 16.37.06.txt detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
C:\ProgramData\Avira\Antivirus\INFECTED\77c4f661.qua -> (Quarantine-8) detected: Trojan.Generic.20350958 (B) [krnl.xmd]
C:\ProgramData\Avira\Antivirus\INFECTED\6f33fac1.qua -> (Quarantine-8) detected: Trojan.Generic.20350958 (B) [krnl.xmd]
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооgle Сhrоmе.lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Internet Ехplorer Вrowsеr.lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Gоoglе Сhromе.lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnet Еxрlorer (No Add-оns).lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхplоrer.lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Eхрlоrеr (64-bit).lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
C:\Users\user\Desktop\kasper\Kaspersky Reset Trial 5.0.0.117.rar -> Kaspersky Reset Trial 5.0.0.117\Kaspersky_Reset_Trial_5.0.0.117.exe detected: Gen:Variant.Application.Zusy.181656 (B) [krnl.xmd]
C:\Windows\Setup\scripts\faXcooL.exe detected: Gen:Variant.Application.Kazy.420358 (B) [krnl.xmd]
G:\acu2\Nik Software Color Efex Pro 4002rar (375 MB).rar -> Nik Software Color Efex Pro 4002rar (375 MB).exe detected: Trojan.Agent.CCYK (B) [krnl.xmd]

Scanned 242131
Found 12

Scan end: 21.1.2017 16:51:01
Scan time: 0:35:50

C:\Users\user\Desktop\kasper\Kaspersky Reset Trial 5.0.0.117.rar Gen:Variant.Application.Zusy.181656 (B)
C:\FRST\Logs\Fixlog_20-01-2017 16.37.06.txt Trojan.LNK.StartPage.B (B)
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооgle Сhrоmе.lnk Trojan.LNK.StartPage.B (B)
G:\acu2\Nik Software Color Efex Pro 4002rar (375 MB).rar Trojan.Agent.CCYK (B)
C:\ProgramData\Avira\Antivirus\INFECTED\77c4f661.qua Trojan.Generic.20350958 (B)
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Gоoglе Сhromе.lnk Trojan.LNK.StartPage.B (B)
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Internet Ехplorer Вrowsеr.lnk Trojan.LNK.StartPage.B (B)
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Eхрlоrеr (64-bit).lnk Trojan.LNK.StartPage.B (B)
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnet Еxрlorer (No Add-оns).lnk Trojan.LNK.StartPage.B (B)
C:\Windows\Setup\scripts\faXcooL.exe Gen:Variant.Application.Kazy.420358 (B)
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхplоrer.lnk Trojan.LNK.StartPage.B (B)
C:\ProgramData\Avira\Antivirus\INFECTED\6f33fac1.qua Trojan.Generic.20350958 (B)

Quarantined 12

Juliet
2017-01-22, 13:43
How is the computer now?

sreda
2017-01-22, 19:36
It's all good now.
Thanks for help.

Juliet
2017-01-22, 19:46
Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix) or from Here (http://www.bleepingcomputer.com/download/delfix/) and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:
Activate UAC
Remove disinfection tools
Click the Run button.
-- This will remove the specialized tools we used to disinfect your system.
Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

****************


Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP


AdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
CryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (e.g. CryptoWall), helping prevent the execution of malware.
Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
Malwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
SpywareBlaster (https://www.brightfort.com/spywareblaster.html) is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
Unchecky (http://unchecky.com/) automatically removes checkmarks for bundled software in programme installers, helping you avoid adware and PUPs.
Web of Trust (https://www.mywot.com/) (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

Juliet
2017-01-29, 14:01
Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.