Jump to content

What to delete?


Recommended Posts

Hi Rachel :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Looking at your log, I can tell you that all the detections are PUP/Adware related so I would go forward with the deletion. Once done, follow the instructions below to provide me a set of FRST logs.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

  • Right-click on the executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Click on the Scan button;
  • On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files;
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply;

Link to post
Share on other sites

Thank you for reopening the topic, this is a different computer.

Aura, I hope you are available to help me, still :)

I cleaned the infections AdwCleaner detected and here are the logs.

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-10-2016
Ran by Manuel (administrator) on MANUEL-PC (25-10-2016 17:55:09)
Running from C:\Users\Manuel\Desktop
Loaded Profiles: Manuel (Available Profiles: Manuel)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: Português (Portugal)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\FaceLogon\sensorsrv.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(ASUS) C:\Windows\AsScrPro.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(ASUSTeK) C:\Windows\SysWOW64\ACEngSvr.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3331312 2012-02-24] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [322176 2012-02-16] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKMEDIA] => C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174720 2011-10-25] (ASUS)
HKLM-x32\...\Run: [HControlUser] => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] => C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2321072 2012-02-03] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2015-09-24] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ACMON] => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [102568 2012-02-21] (ASUS)
HKLM-x32\...\Run: [ASUS Screen Saver Protector] => C:\Windows\AsScrPro.exe [3058304 2012-06-20] (ASUS)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [60136 2016-08-19] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [917584 2016-10-11] (Avira Operations GmbH & Co. KG)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1440211953-1604654918-2624697997-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-1440211953-1604654918-2624697997-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8891608 2016-07-13] (Piriform Ltd)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 192.168.1.254
Tcpip\..\Interfaces\{EC8EE242-B435-4B4A-8C98-9085BBCC73F9}: [DhcpNameServer] 192.168.1.254 192.168.1.254

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKU\S-1-5-21-1440211953-1604654918-2624697997-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://google.pt/
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=NP06&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=NP06&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1440211953-1604654918-2624697997-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1440211953-1604654918-2624697997-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1440211953-1604654918-2624697997-1001 -> {39C5ED03-6E66-CFE9-A5A3-2BBD1311022D} URL =
SearchScopes: HKU\S-1-5-21-1440211953-1604654918-2624697997-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2011-06-08] (Advanced Micro Devices)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll [2011-06-08] (Advanced Micro Devices)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-28] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-28] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1440211953-1604654918-2624697997-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler-x32: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\Windows\SysWOW64\btxppanel.dll [2004-09-02] (Broadcom Corporation)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF DefaultProfile: 6qmwk3c8.default
FF ProfilePath: C:\Users\Manuel\AppData\Roaming\Mozilla\Firefox\Profiles\6qmwk3c8.default [2016-10-25]
FF Homepage: Mozilla\Firefox\Profiles\6qmwk3c8.default -> hxxps://www.google.pt
FF Extension: (Avira Browser Safety) - C:\Users\Manuel\AppData\Roaming\Mozilla\Firefox\Profiles\6qmwk3c8.default\Extensions\abs@avira.com [2016-10-25]
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-28] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-28] (Oracle Corporation)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-03-22] (Advanced Micro Devices, Inc.) [File not signed]
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1086040 2016-10-11] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [475232 2016-10-11] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [475232 2016-10-11] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1489240 2016-10-11] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [324304 2016-08-19] (Avira Operations GmbH & Co. KG)
S4 btwdins; C:\Program Files (x86)\Software Bluetooth\bin\btwdins.exe [163840 2004-09-02] (Broadcom Corporation) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [177432 2016-10-11] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [145536 2016-10-11] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2016-07-18] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [79696 2016-07-18] (Avira Operations GmbH & Co. KG)
S0 BTKRNL; C:\Windows\SysWOW64\drivers\btkrnl.sys [1241066 2004-09-02] (Broadcom Corporation) [File not signed]
S2 BTSERIAL; C:\Windows\SysWOW64\drivers\btserial.sys [23271 2004-09-02] (Broadcom Corporation) [File not signed]
S2 BTSLBCSP; C:\Windows\SysWOW64\drivers\btslbcsp.sys [222876 2004-09-02] (Broadcom Corporation) [File not signed]
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-02-10] ()
R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-10-25 17:55 - 2016-10-25 17:55 - 00013631 _____ C:\Users\Manuel\Desktop\FRST.txt
2016-10-25 17:55 - 2016-10-25 17:55 - 00000000 ____D C:\FRST
2016-10-25 17:53 - 2016-10-25 17:53 - 02407424 _____ (Farbar) C:\Users\Manuel\Desktop\FRST64.exe
2016-10-21 14:55 - 2016-10-25 17:47 - 00000000 ____D C:\AdwCleaner
2016-10-21 14:50 - 2016-10-21 14:50 - 03910208 _____ C:\Users\Manuel\Desktop\AdwCleaner.exe
2016-10-11 11:28 - 2016-10-11 11:26 - 00031720 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avusbflt.sys
2016-10-06 22:04 - 2016-10-06 22:04 - 00001929 _____ C:\Users\Manuel\Desktop\‎Outubro‎ de ‎2016 - Atalho.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-10-25 17:51 - 2009-07-14 05:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-10-25 17:51 - 2009-07-14 05:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-10-25 17:42 - 2012-10-20 15:12 - 00000380 _____ C:\Users\Manuel\AppData\Roaming\sp_data.sys
2016-10-25 17:41 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-10-25 17:38 - 2012-10-20 15:12 - 00000000 ____D C:\Users\Manuel
2016-10-25 17:32 - 2012-10-20 15:13 - 00089912 _____ C:\Users\Manuel\AppData\Local\GDIPFONTCACHEV1.DAT
2016-10-25 17:30 - 2009-07-14 05:45 - 00357792 _____ C:\Windows\system32\FNTCACHE.DAT
2016-10-25 17:23 - 2009-07-14 04:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2016-10-25 17:21 - 2016-02-10 15:15 - 00000000 ____D C:\Users\Manuel\AppData\Roaming\Wise Uninstaller
2016-10-22 16:20 - 2016-01-20 16:02 - 00000000 ____D C:\Users\Manuel\Desktop\Nova pasta
2016-10-22 11:21 - 2016-08-26 16:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-10-21 15:10 - 2016-09-24 12:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-10-20 18:11 - 2014-04-28 23:37 - 00000000 ____D C:\Program Files (x86)\Java
2016-10-20 18:10 - 2014-04-28 23:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-10-20 14:54 - 2011-02-19 05:45 - 01629936 _____ C:\Windows\system32\prfh0816.dat
2016-10-20 14:54 - 2011-02-19 05:45 - 01014234 _____ C:\Windows\system32\prfc0816.dat
2016-10-20 14:54 - 2009-07-14 06:13 - 00006486 _____ C:\Windows\system32\PerfStringBackup.INI
2016-10-11 11:29 - 2016-08-15 22:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-10-11 11:26 - 2016-08-15 22:49 - 00177432 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2016-10-11 11:26 - 2016-08-15 22:49 - 00145536 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2016-10-07 13:33 - 2013-02-20 22:33 - 00000000 ____D C:\Users\Manuel\AppData\Local\ElevatedDiagnostics
2016-10-01 17:22 - 2015-12-10 19:32 - 00000000 ____D C:\Users\Manuel\Desktop\205
2016-09-30 22:00 - 2015-12-04 16:21 - 00000000 ____D C:\Users\Manuel\Desktop\gravidez
2016-09-29 16:31 - 2014-12-25 23:16 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-09-26 17:58 - 2016-09-23 10:54 - 00000000 ____D C:\Users\Manuel\Desktop\hg
2016-09-26 15:57 - 2016-09-06 14:29 - 00001132 _____ C:\Users\Public\Desktop\Avira Connect.lnk
2016-09-26 15:57 - 2016-09-02 21:07 - 00000344 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Meus locais Bluetooth.lnk
2016-09-26 15:57 - 2016-08-21 17:50 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-09-26 15:57 - 2016-08-21 17:50 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-09-26 15:57 - 2016-08-20 17:46 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-09-26 15:57 - 2016-08-20 11:16 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-09-26 15:57 - 2016-08-17 18:33 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn.lnk
2016-09-26 15:57 - 2016-08-11 09:39 - 00000862 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-09-26 15:57 - 2016-02-10 15:15 - 00001288 _____ C:\Users\Public\Desktop\Wise Program Uninstaller.lnk
2016-09-26 15:57 - 2014-06-25 19:48 - 00001991 _____ C:\Users\Public\Desktop\HP Photo Creations.lnk
2016-09-26 15:57 - 2014-06-25 19:47 - 00002166 _____ C:\Users\Public\Desktop\HP Deskjet 1510 series.lnk
2016-09-26 15:57 - 2012-10-25 12:11 - 00001152 _____ C:\Users\Public\Desktop\OpenOffice.org 3.2.lnk
2016-09-26 15:57 - 2012-06-20 09:50 - 00000080 _____ C:\Users\Public\Desktop\eManual.Lnk
2016-09-26 15:57 - 2012-02-24 03:42 - 00001234 _____ C:\Users\Public\Desktop\ASUS WebStorage.lnk
2016-09-26 15:57 - 2012-02-24 03:37 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Photo Gallery.lnk
2016-09-26 15:57 - 2012-02-24 03:37 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Movie Maker.lnk
2016-09-26 15:57 - 2012-02-24 03:36 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk
2016-09-26 15:57 - 2012-02-24 03:28 - 00002429 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2016-09-26 15:57 - 2009-07-29 06:08 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2016-09-26 15:57 - 2009-07-29 06:08 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-09-26 15:57 - 2009-07-14 05:57 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
2016-09-26 15:57 - 2009-07-14 05:57 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-09-26 15:57 - 2009-07-14 05:57 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
2016-09-26 15:57 - 2009-07-14 05:57 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
2016-09-26 15:57 - 2009-07-14 05:54 - 00000080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
2016-09-26 15:56 - 2016-09-02 21:07 - 00000344 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Meus locais Bluetooth.lnk
2016-09-26 15:56 - 2016-08-20 11:16 - 00001385 _____ C:\Users\Manuel\Desktop\Spybot-S&D Start Center.lnk
2016-09-26 15:56 - 2016-01-11 22:29 - 00000983 _____ C:\Users\Manuel\Desktop\Handbrake.lnk
2016-09-26 15:56 - 2012-10-20 15:16 - 00001411 _____ C:\Users\Manuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-09-26 15:56 - 2012-02-24 03:34 - 00002476 _____ C:\Users\Manuel\Desktop\Windows Live Messenger.lnk
2016-09-26 15:56 - 2009-07-14 06:01 - 00001218 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
2016-09-26 15:56 - 2009-07-14 05:49 - 00001246 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
2016-09-26 15:22 - 2016-08-20 17:48 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-09-26 15:17 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-09-26 13:58 - 2015-12-07 18:06 - 00000000 ____D C:\Windows\pss

==================== Files in the root of some directories =======

2016-08-20 18:12 - 2016-08-20 18:31 - 0000005 _____ () C:\Users\Manuel\AppData\Roaming\mbam.context.scan
2012-10-20 15:12 - 2016-10-25 17:42 - 0000380 _____ () C:\Users\Manuel\AppData\Roaming\sp_data.sys
2012-11-04 17:53 - 2012-11-04 17:53 - 0033134 _____ () C:\Users\Manuel\AppData\Roaming\UserTile.png
2016-02-10 15:15 - 2016-02-11 22:17 - 0018359 _____ () C:\Users\Manuel\AppData\Roaming\wpulog.txt
2015-10-29 19:49 - 2015-10-29 19:49 - 0003584 _____ () C:\Users\Manuel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-06-25 19:45 - 2014-06-25 19:45 - 0000057 _____ () C:\ProgramData\Ament.ini
2012-02-24 03:42 - 2010-10-06 18:45 - 0131984 _____ () C:\ProgramData\FullRemove.exe
2012-06-20 09:57 - 2012-06-20 09:59 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2012-06-20 09:54 - 2012-06-20 09:56 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2012-06-20 09:53 - 2012-06-20 09:54 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log

Some files in TEMP:
====================
C:\Users\Manuel\AppData\Local\Temp\avgnt.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-10-06 21:04

==================== End of FRST.txt ============================

 

Addition:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-10-2016
Ran by Manuel (25-10-2016 17:56:58)
Running from C:\Users\Manuel\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2012-10-20 14:12:23)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrador (S-1-5-21-1440211953-1604654918-2624697997-500 - Administrator - Disabled)
Convidado (S-1-5-21-1440211953-1604654918-2624697997-501 - Limited - Disabled)
Manuel (S-1-5-21-1440211953-1604654918-2624697997-1001 - Administrator - Enabled) => C:\Users\Manuel

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 20 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 20.0.0.228 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.286 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{4572399F-5B78-3C50-7281-4AB6248FC1F0}) (Version: 3.0.859.0 - Advanced Micro Devices, Inc.)
ASUS AI Recovery (HKLM-x32\...\{D39F0676-163E-4595-A917-E28F99BBD4D2}) (Version: 1.0.24 - ASUS)
ASUS FaceLogon (HKLM-x32\...\{64452561-169F-4A36-A2FF-B5E118EC65F5}) (Version: 1.0.0014 - ASUS)
ASUS FancyStart (HKLM-x32\...\{C944B4C5-1C4D-4D95-8AC0-7CEF13914131}) (Version: 1.1.1 - ASUSTeK Computer Inc.)
ASUS LifeFrame3 (HKLM-x32\...\{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}) (Version: 3.1.1 - ASUS)
ASUS Live Update (HKLM-x32\...\{FA540E67-095C-4A1B-97BA-4D547DEC9AF4}) (Version: 3.1.7 - ASUS)
ASUS Power4Gear Hybrid (HKLM\...\{9B6239BF-4E85-4590-8D72-51E30DB1A9AA}) (Version: 1.2.1 - ASUS)
ASUS Splendid Video Enhancement Technology (HKLM-x32\...\{0969AF05-4FF6-4C00-9406-43599238DE0D}) (Version: 1.02.0041 - ASUS)
ASUS Virtual Camera (HKLM-x32\...\{EC8BD21F-0CA0-4BBF-97D9-4A52B30041A1}) (Version: 1.0.25 - ASUS)
ASUS WebStorage (HKLM-x32\...\ASUS WebStorage) (Version: 3.0.143.296 - ASUS Cloud Corporation)
ASUS_Screensaver (HKLM-x32\...\ASUS_Screensaver) (Version:  - )
AsusVibe2.0 (HKLM-x32\...\Asus Vibe2.0) (Version: 2.0.9.157 - ASUSTEK)
ATK Package (HKLM-x32\...\{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}) (Version: 1.0.0016 - ASUS)
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.22.54 - Avira Operations GmbH & Co. KG)
Avira Connect (HKLM-x32\...\{82dc2ab6-088f-4e0a-8e27-bb829481d3bc}) (Version: 1.2.70.16079 - Avira Operations GmbH & Co. KG)
Avira Launcher (x32 Version: 1.2.70.16079 - Avira Operations GmbH & Co. KG) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.20 - Piriform)
Controlo ActiveX do Windows Live Mesh para Ligações Remotas (HKLM-x32\...\{E54EEB5D-41ED-40FE-B4A8-8565DB81469B}) (Version: 15.4.5722.2 - Microsoft Corporation)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Galeria de Fotografias do Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galería fotográfica de Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galerie de photos Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HandBrake 0.10.2 (HKLM-x32\...\HandBrake) (Version: 0.10.2 - )
HP Deskjet 1510 series Ajuda (HKLM-x32\...\{6DFDA448-D4A1-49DB-9217-1501D24861F5}) (Version: 30.0.0 - Hewlett Packard)
HP Deskjet 1510 series Software básico do dispositivo (HKLM\...\{2250409D-D831-466D-9E76-77278CD2A256}) (Version: 32.0.1180.44630 - Hewlett-Packard Co.)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware versão 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (Português) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2070) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 49.0.2 (x86 pt-PT) (HKLM-x32\...\Mozilla Firefox 49.0.2 (x86 pt-PT)) (Version: 49.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 49.0.2.6136 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML4 Parser (HKLM-x32\...\{01501EBA-EC35-4F9F-8889-3BE346E5DA13}) (Version: 1.0.0 - Microsoft Game Studios)
OpenOffice.org 3.2 (HKLM-x32\...\{BB9F1FB8-D595-433A-A94E-7FE821B10640}) (Version: 3.2.9502 - OpenOffice.org)
Qualcomm Atheros WiFi Driver Installation (HKLM-x32\...\{7D916FA5-DAE9-4A25-B089-655C70EAF607}) (Version: 9.2 - Qualcomm Atheros)
Raccolta foto di Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Software Bluetooth (HKLM-x32\...\{90535871-81B9-4D99-8A13-A7EE97F2D7FE}) (Version: 3.0.1.911 - 0)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Mesh - ActiveX-besturingselement voor externe verbindingen (HKLM-x32\...\{C32CE55C-12BA-4951-8797-0967FDEF556F}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
WinFlash (HKLM-x32\...\{8F21291E-0444-4B1D-B9F9-4370A73E346D}) (Version: 2.41.0 - ASUS)
WinRAR 5.00 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)
Wireless Console 3 (HKLM-x32\...\{19EA33FB-B34E-40EA-8B8A-61743AEB795A}) (Version: 3.0.27 - ASUS)
Wise Program Uninstaller 1.91 (HKLM-x32\...\Wise Program Uninstaller_is1) (Version: 1.91 - WiseCleaner.com, Inc.)
Συλλογή φωτογραφιών του Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Основные компоненты Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Почта Windows Live (x32 Version: 15.4.3502.0922 - Корпорация Майкрософт) Hidden
Фотоальбом Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
גלריית התמונות של Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
بريد Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
معرض صور Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {25FB1925-8547-4DE8-818D-F7617B6B5CAA} - System32\Tasks\ASUS P4G => C:\Program Files\ASUS\P4G\BatteryLife.exe [2012-02-16] (ASUS)
Task: {527F778C-0CD0-45E1-AF82-AAB7AED7BA02} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-09-16] (Adobe Systems Incorporated)
Task: {56DD8890-8497-4F4A-A0DB-E76CF61C8FA5} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {58796B40-1D48-44FD-8612-1962DF8F0B31} - System32\Tasks\ATKOSD2 => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [2012-02-16] (ASUSTek Computer Inc.)
Task: {63D69BA3-A37B-43C3-A697-B8FBDCD9EF8A} - System32\Tasks\{A8DC7B8C-304C-4967-9BFB-02D20A8C4FA6} => pcalua.exe -a C:\Users\Manuel\AppData\Roaming\awesomehp\UninstallManager.exe
Task: {66D04F9A-6DF1-47EB-8ED2-A86017C1333D} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {824AC28B-E18D-4507-B0CC-4CFCA296DC9B} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-07-13] (Piriform Ltd)
Task: {93C691FA-2C36-4A49-AA5C-42B127627E2A} - System32\Tasks\ASUS SmartLogon Console Sensor => C:\Program Files (x86)\ASUS\FaceLogon\sensorsrv.exe [2012-02-17] (ASUSTek Computer Inc.)
Task: {93D14909-51BB-4DDB-8F63-B90738CC4642} - System32\Tasks\HP AR Program Upload - 10c4abb36d98494c9f71d550b17a9a0440cb5e0bfa9947c19b3da98e5570facd => C:\Program Files\HP\HP Deskjet 1510 series\bin\HPRewards.exe [2013-08-13] (TODO: <Company name>)
Task: {BF402230-439A-4896-A299-B1B785B05FA8} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {F4CDC433-E30A-4133-8813-48CF3D2E0EC7} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2010-07-15 00:11 - 2010-07-15 00:11 - 00031360 _____ () C:\Program Files\ASUS\P4G\DevMng.dll
2012-03-22 06:30 - 2012-03-22 06:30 - 00073728 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2016-08-20 11:16 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2016-08-20 11:16 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2016-08-20 11:16 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2016-08-20 11:16 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2016-08-20 11:16 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2012-01-31 17:25 - 2012-01-31 17:25 - 01163264 _____ () C:\Program Files (x86)\ASUS\Wireless Console 3\acAuth.dll
2012-02-21 22:49 - 2012-02-21 22:49 - 00009216 _____ () C:\Program Files (x86)\ASUS\Splendid\GLCDdll.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1440211953-1604654918-2624697997-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Manuel\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: btwdins => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AsusVibeLauncher.lnk => C:\Windows\pss\AsusVibeLauncher.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BTTray.lnk => C:\Windows\pss\BTTray.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^FancyStart daemon.lnk => C:\Windows\pss\FancyStart daemon.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Manuel^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Monitorar alertas de tinta - HP Deskjet 1510 series.lnk => C:\Windows\pss\Monitorar alertas de tinta - HP Deskjet 1510 series.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Manuel^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk => C:\Windows\pss\OpenOffice.org 3.2.lnk.Startup
MSCONFIG\startupreg: ASUSWebStorage => C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe /S
MSCONFIG\startupreg: AVG-Secure-Search-Update_0913b => C:\Users\Manuel\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid e7e2b50419a647d0a98cc1f60e387aa2-c4d112e867d8eb4e933dfa4d47c884d7fd4d35e2 --CMPID 0913b
MSCONFIG\startupreg: avgnt => "C:\Program Files (x86)\Avira\Antivirus\avgnt.exe" /min
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: CLMLServer => "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
MSCONFIG\startupreg: HP Software Update => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: msnmsgr => "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
MSCONFIG\startupreg: SpybotPostWindows10UpgradeReInstall => "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [CoreNet-DHCP-Out] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [CoreNet-DHCPV6-Out] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [CoreNet-Teredo-Out] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [CoreNet-IPHTTPS-Out] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [CoreNet-GP-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [CoreNet-DNS-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [CoreNet-GP-LSASS-Out-TCP] => (Block) %SystemRoot%\system32\lsass.exe
FirewallRules: [NETDIS-LLMNR-Out-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [NETDIS-LLMNR-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [MSDTC-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\msdtc.exe
FirewallRules: [MSDTC-Out-TCP] => (Block) %SystemRoot%\system32\msdtc.exe
FirewallRules: [RemoteAssistance-Out-TCP] => (Block) %SystemRoot%\system32\msra.exe
FirewallRules: [RemoteAssistance-PnrpSvc-UDP-OUT] => (Block) %systemroot%\system32\svchost.exe
FirewallRules: [RemoteAssistance-RAServer-Out-TCP-NoScope-Active] => (Block) %SystemRoot%\system32\raserver.exe
FirewallRules: [RemoteAssistance-Out-TCP-Active] => (Block) %SystemRoot%\system32\msra.exe
FirewallRules: [RemoteAssistance-SSDPSrv-Out-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [RemoteAssistance-SSDPSrv-Out-TCP-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [RemoteAssistance-PnrpSvc-UDP-OUT-Active] => (Block) %systemroot%\system32\svchost.exe
FirewallRules: [{56048913-2EE4-4FB6-9B10-B11FD9535645}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{A56F99CF-933B-4F79-9B77-D54139039647}] => (Allow) LPort=2869
FirewallRules: [{7200A232-CB9A-4548-89E0-CF072E6C2E3E}] => (Allow) LPort=1900
FirewallRules: [{B47DCE39-BD05-4FD0-BC5F-8FCE7C3FBB7F}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{BE0EC94A-88B6-4356-B121-F67FE5BE0F40}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{2B8E289C-BD9C-42EF-901C-41763433C95F}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{7BA37503-75DE-47CC-993D-192E69BB6520}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{2655B01A-CD64-4B2F-A2B0-929201468718}] => (Allow) C:\Program Files\HP\HP Deskjet 1510 series\Bin\USBSetup.exe
FirewallRules: [{9B2C0D0A-0843-4C25-A16C-B61A7583E4E1}] => (Allow) C:\Program Files\HP\HP Deskjet 1510 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{94C7A978-F916-4951-B635-EBE2BC70CBD4}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{CFC08281-C63B-47EA-ACE6-517AF72F38E1}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{36FCE198-53FD-4BEE-A102-6E532A29DCA6}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2FE75AA3-DB66-42EF-825C-C19DB31EE0E3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{C4F47420-A857-4C87-ABEE-124C03064BDE}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D2D20B05-441E-4F7F-B9C6-9126F11655DB}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

01-10-2016 00:02:40 Ponto de Verificação Agendado
08-10-2016 13:41:06 Ponto de Verificação Agendado
20-10-2016 18:07:25 Removed Java 8 Update 66
20-10-2016 18:09:54 Removed Java 8 Update 66
20-10-2016 18:11:16 Removed Estudo de aprimoramento de produto para HP Deskjet 1510 series

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Adaptador de Túnel Teredo da Microsoft
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (10/20/2016 02:54:18 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: O descarregamento das cadeias do contador de desempenho do serviço WmiApRpl (WmiApRpl) falhou. A primeira DWORD na secção Data contém o código de erro.

Error: (10/20/2016 02:54:18 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: As cadeias de desempenho no valor de registo de desempenho estão danificadas para o fornecedor de contadores de extensão do processo Performance. O valor de BaseIndex do registo de desempenho é a primeira DWORD na secção Data, o valor de LastCounter é a segunda DWORD na secção Data e o valor LastHelp é a terceira DWORD na secção Data.

Error: (10/20/2016 02:54:18 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: As cadeias de desempenho no valor de registo de desempenho estão danificadas para o fornecedor de contadores de extensão do processo Performance. O valor de BaseIndex do registo de desempenho é a primeira DWORD na secção Data, o valor de LastCounter é a segunda DWORD na secção Data e o valor LastHelp é a terceira DWORD na secção Data.

Error: (10/15/2016 11:57:34 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Nome da aplicação com falha: Explorer.EXE, versão: 6.1.7601.17567, carimbo de data/hora: 0x4d672ee4
Nome do módulo com falha: mscorwks.dll, versão: 2.0.50727.5485, carimbo de data/hora: 0x53a11d6c
Código de excepção: 0xc0000005
Desvio de falha: 0x00000000001934c8
ID do processo com falha: 0x%9
Data/hora de início da aplicação com falha: 0xExplorer.EXE0
Caminho da aplicação com falha: Explorer.EXE1
Caminho do módulo com falha: Explorer.EXE2
ID do Relatório: Explorer.EXE3

Error: (10/15/2016 11:57:33 AM) (Source: .NET Runtime) (EventID: 1023) (User: )
Description: .NET Runtime version 2.0.50727.5485 - Erro Fatal do Motor de Execução (000007FEF547600A) (80131506)

Error: (10/08/2016 04:07:00 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: O descarregamento das cadeias do contador de desempenho do serviço WmiApRpl (WmiApRpl) falhou. A primeira DWORD na secção Data contém o código de erro.

Error: (10/08/2016 04:07:00 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: As cadeias de desempenho no valor de registo de desempenho estão danificadas para o fornecedor de contadores de extensão do processo Performance. O valor de BaseIndex do registo de desempenho é a primeira DWORD na secção Data, o valor de LastCounter é a segunda DWORD na secção Data e o valor LastHelp é a terceira DWORD na secção Data.

Error: (10/08/2016 04:07:00 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: As cadeias de desempenho no valor de registo de desempenho estão danificadas para o fornecedor de contadores de extensão do processo Performance. O valor de BaseIndex do registo de desempenho é a primeira DWORD na secção Data, o valor de LastCounter é a segunda DWORD na secção Data e o valor LastHelp é a terceira DWORD na secção Data.

Error: (10/08/2016 09:48:56 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Nome da aplicação com falha: Explorer.EXE, versão: 6.1.7601.17567, carimbo de data/hora: 0x4d672ee4
Nome do módulo com falha: mscorwks.dll, versão: 2.0.50727.5485, carimbo de data/hora: 0x53a11d6c
Código de excepção: 0xc0000005
Desvio de falha: 0x00000000001934c8
ID do processo com falha: 0x%9
Data/hora de início da aplicação com falha: 0xExplorer.EXE0
Caminho da aplicação com falha: Explorer.EXE1
Caminho do módulo com falha: Explorer.EXE2
ID do Relatório: Explorer.EXE3

Error: (10/08/2016 09:48:56 AM) (Source: .NET Runtime) (EventID: 1023) (User: )
Description: .NET Runtime version 2.0.50727.5485 - Erro Fatal do Motor de Execução (000007FEF3D9600A) (80131506)


System errors:
=============
Error: (10/25/2016 05:42:21 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Falhou o carregamento dos seguintes controladores de início de arranque ou de início do sistema:
BTKRNL

Error: (10/25/2016 05:41:37 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: O serviço Bluetooth Port Client Driver falhou o arranque devido ao seguinte erro:
O carregamento deste controlador foi bloqueado

Error: (10/25/2016 05:41:37 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: O carregamento de \??\C:\Windows\SysWow64\drivers\btslbcsp.sys foi bloqueado devido a incompatibilidade com este sistema. Contacte o fabricante de software para obter uma versão compatível do controlador.

Error: (10/25/2016 05:41:37 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: O serviço Bluetooth Serial Driver falhou o arranque devido ao seguinte erro:
O carregamento deste controlador foi bloqueado

Error: (10/25/2016 05:41:37 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: O carregamento de \??\C:\Windows\SysWow64\drivers\btserial.sys foi bloqueado devido a incompatibilidade com este sistema. Contacte o fabricante de software para obter uma versão compatível do controlador.

Error: (10/25/2016 05:41:26 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: O serviço SpyHunter 4 Service falhou o arranque devido ao seguinte erro:
O sistema não conseguiu localizar o ficheiro especificado.

Error: (10/25/2016 05:40:42 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: O Módulo de Extensibilidade WLAN parou inesperadamente.

Caminho do Módulo: C:\Program Files (x86)\Qualcomm Atheros WiFi Driver Installation\AthIhvWlanExt.dll

Error: (10/25/2016 05:40:42 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: O Módulo de Extensibilidade WLAN parou inesperadamente.

Caminho do Módulo: C:\Program Files (x86)\Qualcomm Atheros WiFi Driver Installation\AthIhvWlanExt.dll

Error: (10/25/2016 05:40:40 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: O Módulo de Extensibilidade WLAN parou inesperadamente.

Caminho do Módulo: C:\Program Files (x86)\Qualcomm Atheros WiFi Driver Installation\AthIhvWlanExt.dll

Error: (10/25/2016 05:38:22 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: O gestor de controlo de serviços tentou efectuar uma acção correctiva (Reiniciar o serviço) após a terminação inesperada do serviço Windows Search, mas esta acção falhou com o seguinte erro:
Já existe uma instância do serviço em execução.


CodeIntegrity:
===================================
  Date: 2016-02-10 15:32:03.136
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2016-02-10 15:32:03.120
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2016-02-10 15:32:03.105
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2016-02-10 15:32:02.699
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2016-02-10 15:32:02.683
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2016-02-10 15:32:02.637
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2016-02-10 15:32:00.328
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2016-02-10 15:32:00.281
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2016-02-10 15:32:00.219
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2016-02-10 15:32:00.172
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_a384c5aabe759ea5\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.


==================== Memory info ===========================

Processor: AMD E-450 APU with Radeon(tm) HD Graphics
Percentage of memory in use: 40%
Total physical RAM: 3691.7 MB
Available physical RAM: 2214.27 MB
Total Virtual: 7381.61 MB
Available Virtual: 5393.89 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:128.18 GB) (Free:56.57 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:144.91 GB) (Free:109.39 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 125FC5E1)
Partition 1: (Not Active) - (Size=25 GB) - (Type=1C)
Partition 2: (Active) - (Size=128.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=144.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 

If you need something translated, tell me. I unnistalled AVG sometime ago and I see I still have a lot of stuff from them, even after the AdwCleaner clean up!

Link to post
Share on other sites

We'll take care of the AVG remnants :)

Are there any malware-related issues on that computer, or you just wanted to make sure it was clean after running AdwCleaner?

Also, follow the instructions below.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Your next reply(ies) should include:

  • Answer to my question about your issues;
  • Copy/pasted content of FRST's fixlog.txt;

fixlist.txt

Link to post
Share on other sites

I just wanted to make sure it is clean, because the internet was so slow.

But now I've got a serious problem: after I did what you said and restarted the computer, the keyboard and mouse won't work! I tried starting it in safe mode, which I can use the keyboard to do, but after that, the keyboard and mouse won't work either. What do I do? I see a prompt window, but can't read it because it disappears very quickly.

 

Link to post
Share on other sites

Yes, run this fix below this time (I removed the entry that deletes your keyboard filter driver). My bad about that.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

fixlist.txt

Link to post
Share on other sites

Here it is:

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-10-2016
Ran by Manuel (26-10-2016 01:31:19) Run:2
Running from C:\Users\Manuel\Desktop
Loaded Profiles: Manuel (Available Profiles: Manuel)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]

Toolbar: HKU\S-1-5-21-1440211953-1604654918-2624697997-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File

S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [X]
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-02-10] ()
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]

Task: {F4CDC433-E30A-4133-8813-48CF3D2E0EC7} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe

MSCONFIG\startupreg: AVG-Secure-Search-Update_0913b => C:\Users\Manuel\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid e7e2b50419a647d0a98cc1f60e387aa2-c4d112e867d8eb4e933dfa4d47c884d7fd4d35e2 --CMPID 0913b

FirewallRules: [{2B8E289C-BD9C-42EF-901C-41763433C95F}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{7BA37503-75DE-47CC-993D-192E69BB6520}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{94C7A978-F916-4951-B635-EBE2BC70CBD4}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{CFC08281-C63B-47EA-ACE6-517AF72F38E1}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe

C:\Program Files\Enigma Software Group
C:\ProgramData\AVG January 2013 Campaign
C:\ProgramData\FullRemove.exe
C:\Users\Manuel\AppData\Roaming\sp_data.sys
C:\Users\Manuel\AppData\Roaming\UserTile.png
C:\Users\Manuel\AppData\Roaming\wpulog.txt
C:\Windows\System32\DRIVERS\EsgScanner.sys

EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
HKU\S-1-5-21-1440211953-1604654918-2624697997-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
SpyHunter 4 Service => service removed successfully
EsgScanner => service removed successfully
IntcAzAudAddService => service removed successfully
RSUSBSTOR => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F4CDC433-E30A-4133-8813-48CF3D2E0EC7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F4CDC433-E30A-4133-8813-48CF3D2E0EC7}" => key removed successfully
C:\Windows\System32\Tasks\ROC_REG_JAN_DELETE => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ROC_REG_JAN_DELETE" => key removed successfully
C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => moved successfully
"HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG-Secure-Search-Update_0913b" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2B8E289C-BD9C-42EF-901C-41763433C95F} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7BA37503-75DE-47CC-993D-192E69BB6520} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{94C7A978-F916-4951-B635-EBE2BC70CBD4} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CFC08281-C63B-47EA-ACE6-517AF72F38E1} => value removed successfully
"C:\Program Files\Enigma Software Group" => not found.
C:\ProgramData\AVG January 2013 Campaign => moved successfully
C:\ProgramData\FullRemove.exe => moved successfully
C:\Users\Manuel\AppData\Roaming\sp_data.sys => moved successfully
"C:\Users\Manuel\AppData\Roaming\UserTile.png" => not found.
"C:\Users\Manuel\AppData\Roaming\wpulog.txt" => not found.
C:\Windows\System32\DRIVERS\EsgScanner.sys => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 4194304 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6518190 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 16868 B
Edge => 0 B
Chrome => 0 B
Firefox => 5992033 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 8494331 B
LocalService => 0 B
NetworkService => 0 B
Manuel => 346184 B

RecycleBin => 0 B
EmptyTemp: => 24.4 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 01:32:12 ====

Link to post
Share on other sites

Alright :)

In that case, we'll run run DelFix to delete the tools and logs that were used in this clean-up.

BWuhenj.pngDelFix
Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options :
    • Activate UAC;
    • Remove disinfection tools;
    • Create registry backup;
    • Purge system restore;
    • Reset system settings;
  • Once all the options mentionned above are checked, click on Run;
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply;

Qt25440.pngTips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it that makes it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits which is one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like eLDnJfI.pngSecuniaPSI and dqVs5wj.pngHeimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Antivirus, Antimalware, Firewall and Anti-Exploit/Ransomware

Having a decent security setup (led by an Antivirus) is the most crucial step to protect a system. These programs are a layer of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Ideally, you should have on your system one Antivirus (never more than one installed at the time), one Antimalware (you can install multiple of these, assuming they do not conflict with each other and the other security programs installed), one Firewall and if you wish, one Anti-Exploit and/or Anti-Ransomware (since Ransomware are currently the most dangerous threat around and it can hit anywhere). Here are a few programs worth checking out if you don't have one yet.

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

Antivirus

Antimalware

Firewall
Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.

  • 7p3JzTS.pngGlassWire - Has both a free and paid version (with different packages);
  • MQIMh6k.pngWindows Firewall Control - Gives you more control over your Windows Firewall;
  • 5RXGshU.pngTinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it;

Anti-Exploit/Anti-Ransomware

Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits. 

Hardening your web browser means to install extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc. but also you at the same time. Here are a few extensions that I recommend you to install.

  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome and Mozilla Firefox, called uBlock on Opera);
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera);
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browsers);
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers);
  • uMatrix: For advanced users, a point and click matrix-like extensions that allow you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera);
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser);

As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:


As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far less chances to get infected by a malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you to avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices :


gRvSooB.pngThe End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on Malwarebytes Forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you wont!), you can always comeback in this section to get another checkup with one of our trained malware removal member.

Do you have any questions before I close this thread? :)

Link to post
Share on other sites

DelFix log:

# DelFix v1.013 - Logfile created 26/10/2016 at 17:03:24
# Updated 17/04/2016 by Xplode
# Username : Manuel - MANUEL-PC
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Manuel\Desktop\AdwCleaner.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #261 [Ponto de Verificação Agendado | 10/08/2016 12:41:06]
Deleted : RP #262 [Removed Java 8 Update 66 | 10/20/2016 17:07:25]
Deleted : RP #263 [Removed Java 8 Update 66 | 10/20/2016 17:09:54]
Deleted : RP #264 [Removed Estudo de aprimoramento de produto para HP Deskjet 1510 series | 10/20/2016 17:11:16]
Deleted : RP #267 [Restore Point Created by FRST | 10/25/2016 22:35:22]
Deleted : RP #269 [Restore Point Created by FRST | 10/26/2016 00:31:22]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

No, I don't have any more questions.

Thank you :)

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.