
Thread: CSE removal

  1. #1 Junior Member (Join Date: Jan 2017; Posts: 6)

    CSE removal

    Hello, first of all I got infected by CSE and can't remove it. I read a lot of threads online about unchecking the proxy server in Chrome's LAN settings as a temporary fix, but that doesn't help. I read about deleting the dsq and Windows Security folders in ProgramData, but I don't even have those folders. I ran all kinds of antivirus/malware scans, but nothing helped. When the PC starts, Avira alerts on the TR/Wdfload.crqun virus located in C/Windows/temp...
    I ran an FRST scan and I'll upload the results.


    Thanks in advance.

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-01-2017
    Ran by user (administrator) on USER-PC (20-01-2017 01:28:50)
    Running from C:\Users\user\Desktop
    Loaded Profiles: user (Available Profiles: user)
    Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 8 (Default browser: Chrome)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    (Microsoft Corporation) C:\Windows\System32\rundll32.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    () C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
    (Nero AG) C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe
    (Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
    () C:\Windows\SysWOW64\srvany.exe
    () C:\Windows\KMService.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
    () C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
    () C:\Program Files (x86)\HTC\HTC Sync Manager\HTC Sync\adb.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    () C:\Windows\Temp\g476D.tmp.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
    (Valve Corporation) D:\stimara\Steam.exe
    (SteelSeries ApS) C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    (Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
    (Valve Corporation) D:\stimara\bin\cef\cef.win7\steamwebhelper.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    (Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe

    ==================== Registry (Whitelisted) ====================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7203032 2013-10-22] (Realtek Semiconductor)
    HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
    HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2398776 2016-06-15] (NVIDIA Corporation)
    HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-05-26] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
    HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [917576 2016-12-15] (Avira Operations GmbH & Co. KG)
    HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [60136 2016-11-15] (Avira Operations GmbH & Co. KG)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\Run: [Steam] => D:\stimara\steam.exe [2881824 2017-01-19] (Valve Corporation)
    HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-15] (Piriform Ltd)
    HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\MountPoints2: {04e1c22c-cff7-11e5-a4da-305a3a06d8ac} - E:\setup.exe
    HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\MountPoints2: {850f7c7c-4a81-11e6-b459-305a3a06d8ac} - F:\setup.exe
    HKU\S-1-5-21-1618930824-4051046816-776268447-1000\...\MountPoints2: {a2affad4-4db9-11e4-8402-806e6f6e6963} - E:\Bin\ASSETUP.exe
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SteelSeries Engine 3.lnk [2016-03-25]
    ShortcutTarget: SteelSeries Engine 3.lnk -> C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe (SteelSeries ApS)
    Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TotalVPN.lnk [2016-06-07]
    ShortcutTarget: TotalVPN.lnk -> C:\Users\user\AppData\Local\TotalVPN\TotalVPN.exe ()

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4
    Tcpip\..\Interfaces\{AA11746C-2B99-4761-AC8F-AF924F511077}: [DhcpNameServer] 8.8.8.8 8.8.4.4

    Internet Explorer:
    ==================
    HKU\S-1-5-21-1618930824-4051046816-776268447-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1618930824-4051046816-776268447-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
    BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
    BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
    BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
    BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
    Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
    Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
    Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
    Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

    FireFox:
    ========
    FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\w47dog1w.default [2017-01-20]
    FF Extension: (Avira Browser Safety) - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\w47dog1w.default\Extensions\abs@avira.com.xpi [2016-02-06]
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
    FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-03-09] (Adobe Systems)
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-16] (Intel Corporation)
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-16] (Intel Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-09-05] (Adobe Systems Inc.)
    FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-03-09] (Adobe Systems)

    Chrome:
    =======
    CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default [2017-01-20]
    CHR Extension: (Google Translate) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2016-02-17]
    CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-02-05]
    CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-02-05]
    CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-05]
    CHR Extension: (FACEIT HELPER) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjdhcabjnhhifipbnopnfpfidkafanjf [2017-01-15]
    CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-02-05]
    CHR Extension: (Ban Checker for Steam) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canbadmphamemnmdfngmcabnjmjgaiki [2016-10-13]
    CHR Extension: (Adblock Plus) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-10-26]
    CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-05]
    CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-02-05]
    CHR Extension: (Ban Checker For Steam With History) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fidfhokmiihfkmkhgpacakihkehklhka [2016-11-26]
    CHR Extension: (Avira Browser Safety) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-09-21]
    CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
    CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2017-01-20]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
    CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-02-05]
    CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
    CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

    ==================== Services (Whitelisted) ====================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S4 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [1089592 2016-12-15] (Avira Operations GmbH & Co. KG)
    R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [476736 2016-12-15] (Avira Operations GmbH & Co. KG)
    R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [476736 2016-12-15] (Avira Operations GmbH & Co. KG)
    S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1490296 2016-12-15] (Avira Operations GmbH & Co. KG)
    R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe [936728 2013-05-07] ()
    R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [350528 2016-11-24] (Avira Operations GmbH & Co. KG)
    S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe [1369464 2016-01-15] (Disc Soft Ltd)
    R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1165368 2016-06-15] (NVIDIA Corporation)
    R2 HTCMonitorService; C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2014-06-27] (Nero AG)
    R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
    R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel(R) Corporation) [File not signed]
    S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel(R) Corporation)
    R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
    R2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2014-10-06] () [File not signed]
    R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1881144 2016-06-15] (NVIDIA Corporation)
    R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3634232 2016-06-15] (NVIDIA Corporation)
    R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2522680 2016-06-15] (NVIDIA Corporation)
    S3 Origin Client Service; D:\orgin\Origin\OriginClientService.exe [2104840 2016-02-21] (Electronic Arts)
    S3 OVPNService; C:\Users\user\AppData\Local\TotalVPN\OVPN.Service.exe [20080 2016-06-28] ()
    R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ======================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-22] ()
    R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [176464 2016-12-15] (Avira Operations GmbH & Co. KG)
    R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [148032 2016-12-15] (Avira Operations GmbH & Co. KG)
    R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
    R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [79696 2016-05-11] (Avira Operations GmbH & Co. KG)
    S3 DFX11_1; C:\Windows\System32\drivers\dfx11_1x64.sys [28008 2015-08-31] (Windows (R) Win 7 DDK provider)
    R3 DFX12; C:\Windows\System32\drivers\dfx12x64.sys [29688 2015-11-12] (Windows (R) Win 7 DDK provider)
    R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2016-02-07] (Disc Soft Ltd)
    R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47672 2016-02-07] (Disc Soft Ltd)
    S1 FACEIT; C:\Windows\System32\Drivers\FACEIT.sys [3868168 2016-12-10] ()
    S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [54736 2017-01-20] ()
    S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV64.sys [121800 2010-03-09] (QUALCOMM Incorporated)
    R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-08-07] (Intel Corporation)
    R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
    R2 npf; C:\Windows\System32\drivers\npf.sys [36600 2014-08-19] (Riverbed Technology, Inc.)
    R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [28216 2016-06-15] (NVIDIA Corporation)
    R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [56384 2016-04-14] (NVIDIA Corporation)
    S3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam620.sys [59608 2014-09-02] (Realtek Corporation)
    R3 ssdevfactory; C:\Windows\System32\DRIVERS\ssdevfactory.sys [40576 2016-03-09] (SteelSeries ApS)
    R3 sshid; C:\Windows\System32\DRIVERS\sshid.sys [51400 2016-02-02] (SteelSeries ApS)
    S4 NVHDA; system32\drivers\nvhda64v.sys [X]
    S3 vdrive; system32\DRIVERS\vdrive.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2017-01-20 01:28 - 2017-01-20 01:29 - 00020285 _____ C:\Users\user\Desktop\FRST.txt
    2017-01-20 01:08 - 2017-01-20 01:08 - 00132663 _____ C:\Users\user\Desktop\bookmarks_1_20_17.html
    2017-01-20 00:55 - 2017-01-20 00:55 - 00004379 _____ C:\Users\user\Desktop\JRT.txt
    2017-01-20 00:51 - 2017-01-20 00:49 - 02419712 _____ (Farbar) C:\Users\user\Desktop\FRST64.exe
    2017-01-20 00:49 - 2017-01-20 01:28 - 00000000 ____D C:\FRST
    2017-01-20 00:26 - 2017-01-20 00:26 - 00054736 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
    2017-01-20 00:25 - 2017-01-20 01:14 - 00000000 ____D C:\Windows\pss
    2017-01-20 00:19 - 2017-01-20 00:19 - 00000728 _____ C:\Windows\system32\.crusader
    2017-01-20 00:11 - 2017-01-20 00:23 - 00000000 ____D C:\ProgramData\HitmanPro
    2017-01-19 23:10 - 2017-01-20 01:24 - 00000000 ____D C:\AdwCleaner
    2017-01-19 22:50 - 2017-01-20 01:29 - 00016702 _____ C:\Windows\System32\Tasks\564b79n60w937
    2017-01-19 22:50 - 2017-01-19 22:50 - 00001431 ___RS C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхplоrer.lnk
    2017-01-19 22:50 - 2017-01-19 22:50 - 00001427 ___RS C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Eхрlоrеr (64-bit).lnk
    2017-01-19 22:50 - 2017-01-19 22:50 - 00000000 ___HD C:\ProgramData\564b79n60w937
    2017-01-19 00:34 - 2017-01-19 00:35 - 00000000 ____D C:\ProgramData\Google
    2017-01-19 00:34 - 2017-01-19 00:34 - 00000000 ____D C:\Program Files (x86)\GUMA5B6.tmp
    2017-01-13 15:04 - 2017-01-13 15:04 - 00517625 _____ C:\Users\user\Desktop\dojavaaa.psd
    2017-01-13 14:46 - 2017-01-13 14:53 - 00000000 ____D C:\Users\user\Desktop\photoshop
    2017-01-11 00:55 - 2017-01-11 00:55 - 00000112 _____ C:\Users\user\AppData\Roaming\JP2K CS6 Prefs
    2017-01-09 15:13 - 2017-01-09 15:13 - 00000000 _____ C:\Users\user\Desktop\New Text Document.txt
    2017-01-09 15:03 - 2017-01-09 15:03 - 00003498 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-user-PC-user
    2017-01-09 14:58 - 2017-01-09 14:58 - 00000934 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CC 2015.lnk
    2017-01-09 14:58 - 2017-01-09 14:58 - 00000000 ____D C:\Users\user\Documents\Adobe
    2017-01-09 14:58 - 2017-01-09 14:58 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
    2017-01-09 14:53 - 2017-01-09 14:58 - 00000000 ____D C:\Program Files\Common Files\Adobe
    2017-01-09 14:53 - 2017-01-09 14:58 - 00000000 ____D C:\Program Files\Adobe Photoshop CC 2015
    2017-01-09 14:52 - 2017-01-09 14:52 - 00001530 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Application Manager.lnk
    2017-01-09 14:52 - 2017-01-09 14:52 - 00001518 _____ C:\Users\Public\Desktop\Adobe Application Manager.lnk
    2017-01-09 14:49 - 2017-01-09 14:49 - 00000000 ____D C:\Users\user\AppData\Roaming\Macromedia
    2016-12-29 15:01 - 2016-12-29 15:01 - 00025938 _____ C:\Users\user\Desktop\gpp2dioaaaa.docx
    2016-12-25 00:04 - 2016-12-25 00:04 - 00000000 ____D C:\Program Files (x86)\Square Enix
    2016-12-24 22:52 - 2016-12-25 00:39 - 00000000 ____D C:\Users\user\Documents\Thief
    2016-12-24 16:22 - 2017-01-19 22:51 - 00000000 ____D C:\Users\user\AppData\LocalLow\BitTorrent
    2016-12-24 11:45 - 2016-12-24 11:45 - 00000000 _____ C:\Users\user\Desktop\pitanjagpp2.docx
    2016-12-23 15:31 - 2016-12-23 15:31 - 00000000 ____D C:\Users\user\AppData\Local\2K Games
    2016-12-23 15:08 - 2016-12-23 15:08 - 00000800 _____ C:\Users\Public\Desktop\Mafia II.lnk
    2016-12-23 15:08 - 2016-12-23 15:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\2K Games
    2016-12-22 00:16 - 2016-12-22 00:16 - 00000510 _____ C:\Users\Public\Desktop\Fraps.lnk
    2016-12-22 00:16 - 2016-12-22 00:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fraps

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2017-01-20 01:18 - 2016-09-27 14:58 - 00000000 ____D C:\Users\user\AppData\Local\HTC MediaHub
    2017-01-20 01:18 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2017-01-19 23:57 - 2009-07-14 05:45 - 00026544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2017-01-19 23:57 - 2009-07-14 05:45 - 00026544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2017-01-19 23:11 - 2016-02-24 01:50 - 00000000 ____D C:\Users\user\AppData\Local\CrashDumps
    2017-01-19 22:56 - 2016-02-07 20:31 - 00000000 ____D C:\Users\user\AppData\Roaming\BitTorrent
    2017-01-19 02:01 - 2009-07-14 06:13 - 00783114 _____ C:\Windows\system32\PerfStringBackup.INI
    2017-01-19 02:01 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
    2017-01-19 02:00 - 2016-02-04 19:10 - 00000000 ____D C:\Users\user\AppData\Local\Adobe
    2017-01-19 00:35 - 2016-02-05 03:22 - 00000000 ____D C:\Users\user\AppData\Local\Google
    2017-01-19 00:35 - 2016-02-04 19:10 - 00000000 ____D C:\Users\user\AppData\Roaming\Adobe
    2017-01-16 20:28 - 2016-04-09 01:22 - 00101376 ____H C:\Users\user\Desktop\photothumb.db
    2017-01-13 15:40 - 2016-10-07 01:09 - 00000000 ____D C:\Users\user\Desktop\Originals
    2017-01-11 02:04 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\NDF
    2017-01-10 14:02 - 2014-10-06 17:13 - 00000000 ____D C:\ProgramData\Adobe
    2017-01-09 20:20 - 2016-06-15 20:21 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc
    2017-01-09 20:12 - 2016-07-24 18:58 - 00000000 ____D C:\Users\user\Downloads\PopcornTime
    2017-01-09 15:06 - 2016-03-12 17:44 - 00000000 ____D C:\Users\user\AppData\Local\ElevatedDiagnostics
    2017-01-09 14:55 - 2016-02-04 18:57 - 00000000 ____D C:\ProgramData\Package Cache
    2017-01-05 22:18 - 2016-03-26 15:10 - 00000000 ____D C:\Users\user\Desktop\alo
    2016-12-30 20:04 - 2016-02-14 18:14 - 00000000 ____D C:\Users\user\AppData\Local\Diagnostics
    2016-12-24 16:22 - 2014-10-06 16:40 - 00000000 ____D C:\Users\user\AppData\LocalLow
    2016-12-23 15:31 - 2016-02-05 22:36 - 00000000 ____D C:\Users\user\AppData\Roaming\NVIDIA

    ==================== Files in the root of some directories =======

    2017-01-11 00:55 - 2017-01-11 00:55 - 0000112 _____ () C:\Users\user\AppData\Roaming\JP2K CS6 Prefs
    2014-10-06 16:56 - 2014-10-06 16:56 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

    Some files in TEMP:
    ====================
    C:\Users\user\AppData\Local\Temp\avgnt.exe


    ==================== Bamital & volsnap ======================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll
    [2010-11-21 04:24] - [2014-10-06 16:39] - 1008640 ____A (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

    C:\Windows\SysWOW64\User32.dll
    [2010-11-21 04:24] - [2014-10-06 16:39] - 0833024 ____A (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

    LastRegBack: 2017-01-13 16:06

    ==================== End of FRST.txt ============================
    Last edited by tashi; 2017-01-20 at 03:20. Reason: Copy pasted log into topic.

  2. #2 Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    KMService.exe (RiskWare.Tool.CK)
    C:\Windows\SysWOW64\srvany.exe
    2014-10-06 17:13 - 2014-10-06 17:12 - 00151552 _____ () C:\Windows\KMService.exe
    The above shows the possibility of pirated/cracked software on your machine. If we try to clean your computer and you should return at a later date asking for help, you will be denied because of forum policy against cracked/pirated software.

    Please be aware some tools that scan for malware will alert to this and possibly remove the above.

    ~~~~~~~~~~~~~~~~~
    Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

    start
    CreateRestorePoint:
    CloseProcesses:
    C:\Windows\Temp\g476D.tmp.exe
    C:\Windows\TEMP\g476D.tmp.exe
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1618930824-4051046816-776268447-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    C:\Users\user\AppData\Local\Temp\avgnt.exe
    Task: {AD0A6BFA-845D-4521-BED8-13AEF96B7898} - System32\Tasks\564b79n60w937 => Rundll32.exe "C:\ProgramData\564b79n60w937\564b79n60w937.dll",bnwlsop <==== ATTENTION
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Eхрlоrеr (64-bit).lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхplоrer.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnet Еxрlorer (No Add-оns).lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооgle Сhrоmе.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Internet Ехplorer Вrowsеr.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Gоoglе Сhromе.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
    ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7e94d031d0e938a8\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default
    C:\Windows\TEMP\g476B.tmp
    AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B [922]
    EmptyTemp:
    Hosts:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~~~~~~~~~~

    AdwCleaner
    • Please download AdwCleaner and save the file to your Desktop.
      In order to use AdwCleaner, you have to agree to the EULA.
    • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Click Scan.
    • Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
    • Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
    • Click Clean.
    • Follow the prompts and allow your computer to reboot.
    • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Please download Junkware Removal Tool (or from here: http://downloads.malwarebytes.org/file/jrt) to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    ~~~~

    Please download the Malwarebytes Anti-Malware setup file to your Desktop.

    OR from this location Here

    • Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
    • Windows Vista, 7, 8, 8.1 and 10: right-click and select "Run as Administrator"

    • On the Dashboard click on Update Now
    • Go to the SETTINGS tab >>>>> APPLICATIONS and click on Restore Defaults
    • Under SETTINGS>>>>>PROTECTION make sure AUTOMATIC QUARANTINE IS ON
    • Then go to the Dashboard and click on SCAN NOW
    • When the scan is finished click on EXPORT SUMMARY >>>>> COPY TO CLIPBOARD
    • Then come back to this thread and, under REPLY TO THIS TOPIC, right-click in the reply box and select Paste
    • Then click on POST

    • Exit Malwarebytes

    ~~~~~~~~~~~~~~~
    Please post:
    Fixlog.txt
    AdwCleaner[C1].txt
    JRT.txt
    Malwarebytes log
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
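The fixlist above removes six shortcuts whose names are spelled with Cyrillic look-alike letters and whose targets are .bat files under AppData\Roaming\Browsers (exe.emorhc.bat is chrome.exe written backwards with a .bat extension, exe.erolpxei.bat the same for iexplore.exe). The Python script below is an added example, not part of this post and not FRST's code: it reads .lnk files by hand following the public MS-SHLLINK layout (standard library only) and applies the same checks a responder makes by eye on those entries. The two sample shortcuts are constructed inside the script to mirror the fixlist entries, and the indicator names are the example's own.

```python
import struct
import unicodedata
from pathlib import PureWindowsPath

# Added example for this thread, not code from FRST or from the forum post.
# The parser follows the public MS-SHLLINK layout (ShellLinkHeader, LinkInfo, StringData);
# the two sample shortcuts are constructed below and mirror the fixlist entries.

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1"}


def parse_lnk(data: bytes) -> dict:
    """Return the LocalBasePath target and command-line arguments of a .lnk blob."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]          # LinkFlags
    pos = 0x4C                                               # end of ShellLinkHeader
    if flags & 0x01:                                         # HasLinkTargetIDList: skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & 0x02:                                         # HasLinkInfo
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x01:                                # VolumeIDAndLocalBasePath (ANSI path)
            start = pos + base_off
            target = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += info_size
    wide = bool(flags & 0x80)                                # IsUnicode
    strings = {}
    for bit, key in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:                                      # StringData: CountCharacters + chars
            count = struct.unpack_from("<H", data, pos)[0] * (2 if wide else 1)
            raw = data[pos + 2:pos + 2 + count]
            strings[key] = raw.decode("utf-16-le" if wide else "cp1252")
            pos += 2 + count
    return {"target": target, "arguments": strings.get("arguments", "")}


def scripts_in(name: str) -> set:
    """Unicode scripts of the letters in a name, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}


def triage_shortcut(filename: str, data: bytes) -> list:
    """Indicators that a shortcut has been hijacked; an empty list means nothing suspicious."""
    link = parse_lnk(data)
    target = PureWindowsPath(link["target"])
    findings = []
    if len(scripts_in(PureWindowsPath(filename).stem)) > 1:
        findings.append("mixed-script-name")       # Latin/Cyrillic homoglyphs, as FRST flagged above
    if target.suffix.lower() in SCRIPT_EXT:
        findings.append("script-target")           # a browser shortcut should start an .exe
    if "appdata" in (part.lower() for part in target.parts):
        findings.append("target-in-user-profile")  # real browsers live under Program Files
    if target.stem[::-1].lower().endswith(".exe"):
        findings.append("reversed-exe-name")       # exe.emorhc -> chrome.exe, the naming seen above
    if "://" in link["arguments"]:
        findings.append("url-in-arguments")        # start-page hijack via .lnk arguments
    return findings


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Constructed minimal ShellLink (header + LinkInfo + optional arguments) for the demo."""
    flags = 0x02 | 0x80 | (0x20 if arguments else 0)    # HasLinkInfo | IsUnicode [| HasArguments]
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # VolumeID with an empty label
    base = target.encode("cp1252") + b"\x00"
    suffix_off = 0x1C + len(volume) + len(base)                # CommonPathSuffix: empty string
    info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x01, 0x1C, 0x1C + len(volume), 0, suffix_off)
    blob = header + info + volume + base + b"\x00"
    if arguments:
        blob += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return blob


# Constructed samples: the first reproduces a hijacked "Google Chrome" shortcut from the
# fixlist (Cyrillic o, Es and ie in the name), the second a legitimate one with an argument.
SAMPLES = {
    "G\u043e\u043egle \u0421hr\u043em\u0435.lnk":
        build_lnk(r"C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat"),
    "Google Chrome.lnk":
        build_lnk(r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
                  "--profile-directory=Default"),
}


def triage_all(samples=SAMPLES) -> dict:
    """Map each shortcut name to its findings."""
    return {name: triage_shortcut(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name!r:40} {findings or 'clean'}")
```

To run it over a real profile, feed `triage_shortcut` the file name and bytes of every .lnk under the Start Menu and Quick Launch folders. The parser only reads the ANSI LocalBasePath; a link whose LinkInfo header is 0x24 bytes long also carries a Unicode path offset, which this example does not follow.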

  3. #3
    Junior Member, joined Jan 2017, 6 posts

    Thanks for your reply.

    I did all of that, but I think my AV blocked some of the fixlist actions. Should I disable the AV and do that again?

    Fix result of Farbar Recovery Scan Tool (x64) Version: 18-01-2017
    Ran by user (20-01-2017 16:35:15) Run:1
    Running from C:\Users\user\Desktop
    Loaded Profiles: user (Available Profiles: user)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    C:\Windows\Temp\g476D.tmp.exeC:\Windows\TEMP\g476D.tmp.exe
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1618930824-4051046816-776268447-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    C:\Users\user\AppData\Local\Temp\avgnt.exe
    Task: {AD0A6BFA-845D-4521-BED8-13AEF96B7898} - System32\Tasks\564b79n60w937 => Rundll32.exe "C:\ProgramData\564b79n60w937\564b79n60w937.dll",bnwlsop <==== ATTENTION
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rnet E??l?r?r (64-bit).lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t E?pl?rer.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rnet ?x?lorer (No Add-?ns).lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gle ?hr?m?.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Internet ??plorer ?rows?r.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
    Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\G?ogl? ?hrom?.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
    ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7e94d031d0e938a8\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default
    C:\Windows\TEMP\g476B.tmp
    AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B [922]
    EmptyTemp:
    Hosts:
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    "C:\Windows\Temp\g476D.tmp.exeC:\Windows\TEMP\g476D.tmp.exe" => not found.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
    HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
    C:\Users\user\AppData\Local\Temp\avgnt.exe => moved successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{AD0A6BFA-845D-4521-BED8-13AEF96B7898} => key removed successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD0A6BFA-845D-4521-BED8-13AEF96B7898} => key removed successfully
    C:\Windows\System32\Tasks\564b79n60w937 => not found.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\564b79n60w937 => key removed successfully
    "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rnet E??l?r?r (64-bit).lnk" => Could not move.
    "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t E?pl?rer.lnk" => Could not move.
    "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rnet ?x?lorer (No Add-?ns).lnk" => Could not move.
    "C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gle ?hr?m?.lnk" => Could not move.
    "C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Internet ??plorer ?rows?r.lnk" => Could not move.
    "C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\G?ogl? ?hrom?.lnk" => Could not move.
    C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7e94d031d0e938a8\Google Chrome.lnk => Shortcut argument removed successfully.
    "C:\Windows\TEMP\g476B.tmp" => not found.
    C:\ProgramData\TEMP => ":9A870F8B" ADS removed successfully.
    Could not move "C:\Windows\System32\Drivers\etc\hosts" => Scheduled to move on reboot.

    =========== EmptyTemp: ==========

    BITS transfer queue => 0 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 102358152 B
    Java, Flash, Steam htmlcache => 624630715 B
    Windows/system/drivers => 34950985 B
    Edge => 0 B
    Chrome => 538888861 B
    Firefox => 83724060 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Users => 0 B
    Default => 0 B
    Public => 0 B
    ProgramData => 0 B
    systemprofile => 99842 B
    systemprofile32 => 118170 B
    LocalService => 115860 B
    NetworkService => 66228 B
    user => 1734165342 B

    RecycleBin => 0 B
    EmptyTemp: => 2.9 GB temporary data Removed.

    ================================

    Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 20-01-2017 16:37:06)

    "C:\Windows\System32\Drivers\etc\hosts" => Could not move
    Could not restore Hosts.

    ==== End of Fixlog 16:37:06 ====

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 1/20/17
    Scan Time: 4:43 PM
    Logfile: malwarebytes log.txt
    Administrator: Yes

    -Software Information-
    Version: 3.0.5.1299
    Components Version: 1.0.43
    Update Package Version: 1.0.1064
    License: Trial

    -System Information-
    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: user-PC\user

    -Scan Summary-
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 345676
    Time Elapsed: 3 min, 40 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 24
    PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [1317], [332494],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [1317], [332494],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [1317], [332494],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}, No Action By User, [1317], [327206],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine, No Action By User, [1317], [327205],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine.1, No Action By User, [1317], [327205],1.0.1064
    PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{10ECCE17-29B5-4880-A8F5-EAD298611484}, No Action By User, [1317], [327205],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}, No Action By User, [1317], [327205],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\REI_AxControl.DLL, No Action By User, [1317], [327193],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\REI_AxControl.DLL, No Action By User, [1317], [327193],1.0.1064
    PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\REIMAGE\PC REPAIR, No Action By User, [1317], [327204],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\REI_AxControl.DLL, No Action By User, [1317], [327193],1.0.1064
    PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, No Action By User, [1317], [336077],1.0.1064
    PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\Reimage - Windows Problem Relief., No Action By User, [1317], [327203],1.0.1064
    PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\Reimage, No Action By User, [1317], [357494],1.0.1064

    Registry Value: 1
    PUP.Optional.Reimage, HKU\S-1-5-21-1618930824-4051046816-776268447-1000\SOFTWARE\REIMAGE\PC REPAIR|QUITMESSAGE, No Action By User, [1317], [327204],1.0.1064

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 1
    PUP.Optional.SpeedItUp, C:\WINDOWS\REIMAGE.INI, No Action By User, [1421], [329423],1.0.1064

    Physical Sector: 0
    (No malicious items detected)


    (end)

    # AdwCleaner v6.042 - Logfile created 20/01/2017 at 16:50:01
    # Updated on 06/01/2017 by Malwarebytes
    # Database : 2017-01-20.1 [Server]
    # Operating System : Windows 7 Ultimate Service Pack 1 (X64)
    # Username : user - USER-PC
    # Running from : G:\acu2\AdwCleaner.exe
    # Mode: Scan
    # Support : https://www.malwarebytes.com/support



    ***** [ Services ] *****

    No malicious services found.


    ***** [ Folders ] *****

    No malicious folders found.


    ***** [ Files ] *****

    No malicious files found.


    ***** [ DLL ] *****

    No malicious DLLs found.


    ***** [ WMI ] *****

    No malicious keys found.


    ***** [ Shortcuts ] *****

    No infected shortcut found.


    ***** [ Scheduled Tasks ] *****

    No malicious task found.


    ***** [ Registry ] *****

    Key Found: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164357232\Software\Reimage
    Key Found: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164357232\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
    Key Found: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164407423\Software\Reimage
    Key Found: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164407423\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
    Key Found: [x64] HKLM\SOFTWARE\Reimage


    ***** [ Web browsers ] *****

    No malicious Firefox based browser items found.
    No malicious Chromium based browser items found.

    *************************

    C:\AdwCleaner\AdwCleaner[C0].txt - [1736 Bytes] - [19/01/2017 23:20:08]
    C:\AdwCleaner\AdwCleaner[C2].txt - [1272 Bytes] - [20/01/2017 00:43:40]
    C:\AdwCleaner\AdwCleaner[S0].txt - [1327 Bytes] - [19/01/2017 23:11:17]
    C:\AdwCleaner\AdwCleaner[S1].txt - [1672 Bytes] - [19/01/2017 23:19:44]
    C:\AdwCleaner\AdwCleaner[S2].txt - [1397 Bytes] - [20/01/2017 00:43:21]
    C:\AdwCleaner\AdwCleaner[S3].txt - [1504 Bytes] - [20/01/2017 01:24:27]
    C:\AdwCleaner\AdwCleaner[S4].txt - [2099 Bytes] - [20/01/2017 16:50:01]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [2172 Bytes] ##########


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.1.0 (12.05.2016)
    Operating System: Windows 7 Ultimate x64
    Ran by user (Administrator) on pet 20.01.2017 at 16:55:06,94
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    File System: 9

    Successfully deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio (Folder)
    Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DWNLKYI (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8W2YCJ8E (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MFLPDZJA (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YI7NFL23 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DWNLKYI (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8W2YCJ8E (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MFLPDZJA (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YI7NFL23 (Temporary Internet Files Folder)



    Registry: 0





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on pet 20.01.2017 at 16:57:41,28
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
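The fixlist and Fixlog above also deal with a scheduled task named 564b79n60w937 that runs Rundll32.exe against a DLL of the same name under C:\ProgramData, an alternate data stream on C:\ProgramData\TEMP, and DefaultScope search entries with a blank URL. The Python script below is an added example, not FRST's code and not from any post in this thread: it parses those three FRST line types and scores them with the checks a responder applies by eye. The sample lines are copied from the fixlist; the regular expressions fit the FRST output format as printed there (an assumption for other versions), and the indicator names and the "four digit/letter transitions" randomness threshold are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Added example for this thread, not FRST's code and not from the forum post. It parses the
# three FRST line types the fixlist above removes (Task:, AlternateDataStreams:, SearchScopes:)
# and applies the checks a responder makes by eye. Sample lines are copied from the fixlist;
# the regexes fit FRST's output as printed there and are an assumption for other versions.

TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - System32\\Tasks\\(?P<name>.+?) => "
                     r"(?P<cmd>.+?)(?: <==== ATTENTION)?$")
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+):(?P<stream>\S+) \[(?P<size>\d+)\]$")
SCOPE_RE = re.compile(r"^SearchScopes: (?P<hive>\S+) -> DefaultScope \{(?P<guid>[0-9A-Fa-f-]+)\} "
                      r"URL =\s*(?P<url>.*)$")
RUNDLL_RE = re.compile(r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)')

SAMPLE_LINES = [  # copied from the fixlist in post #2
    r"Task: {AD0A6BFA-845D-4521-BED8-13AEF96B7898} - System32\Tasks\564b79n60w937 => Rundll32.exe "
    r'"C:\ProgramData\564b79n60w937\564b79n60w937.dll",bnwlsop <==== ATTENTION',
    r"AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B [922]",
    r"SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =",
    r"SearchScopes: HKU\S-1-5-21-1618930824-4051046816-776268447-1000 -> DefaultScope "
    r"{0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =",
]


def digit_letter_transitions(name: str) -> int:
    """Number of digit<->non-digit switches; generated names like 564b79n60w937 score high."""
    return len(re.findall(r"\d+|\D+", name)) - 1


def triage_task(m) -> dict:
    flags = []
    if m.string.endswith("<==== ATTENTION"):
        flags.append("frst-flagged")
    if digit_letter_transitions(m["name"]) >= 4:          # heuristic threshold, an assumption
        flags.append("random-task-name")
    rd = RUNDLL_RE.match(m["cmd"])
    export = rd["export"] if rd else ""
    if rd and "programdata" in (p.lower() for p in PureWindowsPath(rd["dll"]).parts):
        flags.append("rundll32-dll-in-programdata")        # loader DLL dropped outside Program Files
    return {"kind": "task", "name": m["name"], "export": export, "flags": flags}


def triage_ads(m) -> dict:
    flags = []
    if int(m["size"]) > 0 and m["stream"].lower() != "zone.identifier":
        flags.append("ads-payload")                        # Zone.Identifier is the usual benign ADS
    return {"kind": "ads", "path": m["path"], "stream": m["stream"],
            "size": int(m["size"]), "flags": flags}


def triage_scope(m) -> dict:
    flags = [] if m["url"].strip() else ["empty-default-scope-url"]
    return {"kind": "searchscope", "hive": m["hive"], "url": m["url"].strip(), "flags": flags}


def triage_frst_lines(lines) -> list:
    """Parse and score each recognised FRST line; unrecognised lines are skipped."""
    results = []
    for line in lines:
        line = line.strip()
        for regex, handler in ((TASK_RE, triage_task), (ADS_RE, triage_ads), (SCOPE_RE, triage_scope)):
            m = regex.match(line)
            if m:
                results.append(handler(m))
                break
    return results


if __name__ == "__main__":
    for r in triage_frst_lines(SAMPLE_LINES):
        print(r)
```

Point `triage_frst_lines` at the lines of a full FRST.txt to pull out the same three entry types before writing a fixlist by hand; the export name returned for the task (bnwlsop here) is what Rundll32 calls inside the DLL and is worth recording with the sample.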

  4. #4
    Junior Member, joined Jan 2017, 6 posts

    adwcleaner[c3].txt

    # AdwCleaner v6.042 - Logfile created 20/01/2017 at 16:51:51
    # Updated on 06/01/2017 by Malwarebytes
    # Database : 2017-01-20.1 [Server]
    # Operating System : Windows 7 Ultimate Service Pack 1 (X64)
    # Username : user - USER-PC
    # Running from : G:\acu2\AdwCleaner.exe
    # Mode: Clean
    # Support : https://www.malwarebytes.com/support



    ***** [ Services ] *****



    ***** [ Folders ] *****



    ***** [ Files ] *****



    ***** [ DLL ] *****



    ***** [ WMI ] *****



    ***** [ Shortcuts ] *****



    ***** [ Scheduled Tasks ] *****



    ***** [ Registry ] *****

    [-] Key deleted: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164357232\Software\Reimage
    [-] Key deleted: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164357232\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
    [-] Key deleted: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164407423\Software\Reimage
    [-] Key deleted: HKU\S-1-5-21-1618930824-4051046816-776268447-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01202017164407423\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
    [-] Key deleted: [x64] HKLM\SOFTWARE\Reimage


    ***** [ Web browsers ] *****



    *************************

    :: "Tracing" keys deleted
    :: Winsock settings cleared

    *************************

    C:\AdwCleaner\AdwCleaner[C0].txt - [1736 Bytes] - [19/01/2017 23:20:08]
    C:\AdwCleaner\AdwCleaner[C2].txt - [1272 Bytes] - [20/01/2017 00:43:40]
    C:\AdwCleaner\AdwCleaner[C3].txt - [1630 Bytes] - [20/01/2017 16:51:51]
    C:\AdwCleaner\AdwCleaner[S0].txt - [1327 Bytes] - [19/01/2017 23:11:17]
    C:\AdwCleaner\AdwCleaner[S1].txt - [1672 Bytes] - [19/01/2017 23:19:44]
    C:\AdwCleaner\AdwCleaner[S2].txt - [1397 Bytes] - [20/01/2017 00:43:21]
    C:\AdwCleaner\AdwCleaner[S3].txt - [1504 Bytes] - [20/01/2017 01:24:27]
    C:\AdwCleaner\AdwCleaner[S4].txt - [2255 Bytes] - [20/01/2017 16:50:01]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [2068 Bytes] ##########

  5. #5
    Juliet, Security Expert-emeritus, joined Feb 2007, Deep South, 4,084 posts

    The malware scan log you posted for Malwarebytes says No Action Taken.
    Can you run that again and allow it to quarantine what is found?

    Then post the log and let me see it please.

    What's the computer doing now?

  6. #6
    Junior Member, joined Jan 2017, 6 posts

    There were a lot of files in quarantine already (mostly registry keys), before this new scan, and it showed 0 threats. My PC seems fine, CSE is gone.
    Also, I ran zemana antimalware scan, and it showed my PC is clean, so it should be all good now. Thanks for your time and help.

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 1/21/17
    Scan Time: 12:58 AM
    Logfile: malware231.txt
    Administrator: Yes

    -Software Information-
    Version: 3.0.5.1299
    Components Version: 1.0.43
    Update Package Version: 1.0.1067
    License: Trial

    -System Information-
    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: user-PC\user

    -Scan Summary-
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 345774
    Time Elapsed: 3 min, 3 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 0
    (No malicious items detected)

    Physical Sector: 0
    (No malicious items detected)


    (end)

  7. #7
    Juliet, Security Expert-emeritus, joined Feb 2007, Deep South, 4,084 posts

    One more thing to do to assure us all is good.



    • Download Emsisoft Emergency Kit and save it to your desktop.
    • Double-click icon then click Install
    • A Window should open highlighting Start Emergency Kit Scanner
    • Right click on the icon and select Run as administrator
    • Click 1. Update now!
    • Once the update is completed select Settings under Scan
    • Uncheck Join the Emsisoft Anti-Malware Network
    • Click Scan at the top
    • Click On scan completion
    • Click Quarantine detected objects, then click OK
    • Click Malware Scan
    • Once completed click View Report
    • Save the file to your Desktop using the default file name
    • Copy and paste the report in your reply

    ===============

  8. #8
    Junior Member, joined Jan 2017, 6 posts

    Emsisoft Emergency Kit - Version 12.0
    Last update: 21.1.2017 16:07:32
    User account: user-PC\user
    Computer name: USER-PC
    OS version: Windows 7x64 Service Pack 1

    Scan settings:

    Scan type: Malware Scan
    Objects: Rootkits, Memory, Traces, Files

    Detect PUPs: Off
    Scan archives: Off
    ADS Scan: On
    File extension filter: Off
    Direct disk access: Off

    Scan start: 21.1.2017 16:09:23
    C:\Users\user\Desktop\Fixlog.txt detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]

    Scanned 76132
    Found 1

    Scan end: 21.1.2017 16:13:04
    Scan time: 0:03:41

    C:\Users\user\Desktop\Fixlog.txt Trojan.LNK.StartPage.B (B)

    Quarantined 1


    After that, I ran a custom scan with Detect PUPs: On

    Emsisoft Emergency Kit - Version 12.0
    Last update: 21.1.2017 16:07:32
    User account: user-PC\user
    Computer name: USER-PC
    OS version: Windows 7x64 Service Pack 1

    Scan settings:

    Scan type: Custom Scan
    Objects: Rootkits, Memory, Traces, C:\, D:\, G:\

    Detect PUPs: On
    Scan archives: On
    ADS Scan: On
    File extension filter: Off
    Direct disk access: Off

    Scan start: 21.1.2017 16:15:11
    C:\FRST\Logs\Fixlog_20-01-2017 16.37.06.txt detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
    C:\ProgramData\Avira\Antivirus\INFECTED\77c4f661.qua -> (Quarantine-8) detected: Trojan.Generic.20350958 (B) [krnl.xmd]
    C:\ProgramData\Avira\Antivirus\INFECTED\6f33fac1.qua -> (Quarantine-8) detected: Trojan.Generic.20350958 (B) [krnl.xmd]
    C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооgle Сhrоmе.lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
    C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Internet Ехplorer Вrowsеr.lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
    C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Gоoglе Сhromе.lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnet Еxрlorer (No Add-оns).lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхplоrer.lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Eхрlоrеr (64-bit).lnk detected: Trojan.LNK.StartPage.B (B) [krnl.xmd]
    C:\Users\user\Desktop\kasper\Kaspersky Reset Trial 5.0.0.117.rar -> Kaspersky Reset Trial 5.0.0.117\Kaspersky_Reset_Trial_5.0.0.117.exe detected: Gen:Variant.Application.Zusy.181656 (B) [krnl.xmd]
    C:\Windows\Setup\scripts\faXcooL.exe detected: Gen:Variant.Application.Kazy.420358 (B) [krnl.xmd]
    G:\acu2\Nik Software Color Efex Pro 4002rar (375 MB).rar -> Nik Software Color Efex Pro 4002rar (375 MB).exe detected: Trojan.Agent.CCYK (B) [krnl.xmd]

    Scanned 242131
    Found 12

    Scan end: 21.1.2017 16:51:01
    Scan time: 0:35:50

    C:\Users\user\Desktop\kasper\Kaspersky Reset Trial 5.0.0.117.rar Gen:Variant.Application.Zusy.181656 (B)
    C:\FRST\Logs\Fixlog_20-01-2017 16.37.06.txt Trojan.LNK.StartPage.B (B)
    C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооgle Сhrоmе.lnk Trojan.LNK.StartPage.B (B)
    G:\acu2\Nik Software Color Efex Pro 4002rar (375 MB).rar Trojan.Agent.CCYK (B)
    C:\ProgramData\Avira\Antivirus\INFECTED\77c4f661.qua Trojan.Generic.20350958 (B)
    C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Gоoglе Сhromе.lnk Trojan.LNK.StartPage.B (B)
    C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Internet Ехplorer Вrowsеr.lnk Trojan.LNK.StartPage.B (B)
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Eхрlоrеr (64-bit).lnk Trojan.LNK.StartPage.B (B)
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnet Еxрlorer (No Add-оns).lnk Trojan.LNK.StartPage.B (B)
    C:\Windows\Setup\scripts\faXcooL.exe Gen:Variant.Application.Kazy.420358 (B)
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхplоrer.lnk Trojan.LNK.StartPage.B (B)
    C:\ProgramData\Avira\Antivirus\INFECTED\6f33fac1.qua Trojan.Generic.20350958 (B)

    Quarantined 12

  9. #9
    Juliet, Security Expert-emeritus, joined Feb 2007, Deep South, 4,084 posts

    How is the computer now?

  10. #10
    Junior Member, joined Jan 2017, 6 posts

    It's all good now.
    Thanks for help.
