
Hello, 

Recently we upgraded my wife's computer and did a clean install of Windows 7 64-bit. After updating Windows, installing Avira Free Antivirus and Malwarebytes, I then connected the old hard drive, booted with a live USB of Linux Mint, and after a ClamTK scan began to selectively move files (documents, photos, downloads, etc.) to the new hard drive. I had thought all was well, and recently turned over the computer to my wife. The first incident was on the administrator account, while downloading games on Steam and Origin. She was modifying configuration files for The Sims 2 as in this link: https://simsvip.com/2014/07/20/the-sims-2-ultimate-collection-increase-resolution-guide/ , and a few minutes later received a popup stating that Avira had blocked access to the registry. The log contains these entries:

10/9/2017,21:43:09 [INFO] Avira Free Antivirus has scanned the following file:
  C:\Windows\System32\services.exe
      [INFO] Scan mode: Reading
      [INFO] Scan time: 1 ms
      [INFO] Process ID: 564
10/9/2017,21:43:09 [INFO] Product scanning mode 1 deactivated (APC)
10/9/2017,21:43:09 [INFO] Retry 1 for the file 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'. SHA256 = 6D93EF21DB9BFFACC1241E823F9BB7719B9395D64BBF952874CFF015B7930D92
10/9/2017,21:43:11 [INFO] Retry 2 for the file 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'. SHA256 = 6D93EF21DB9BFFACC1241E823F9BB7719B9395D64BBF952874CFF015B7930D92
10/9/2017,21:43:13 [INFO] Retry 3 for the file 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'. SHA256 = 6D93EF21DB9BFFACC1241E823F9BB7719B9395D64BBF952874CFF015B7930D92
10/9/2017,21:43:15 [INFO] Retry 4 for the file 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'. SHA256 = 6D93EF21DB9BFFACC1241E823F9BB7719B9395D64BBF952874CFF015B7930D92
10/9/2017,21:43:17 [WARNING] The Protection Cloud scan of file 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe' completed with the error code 0x490. SHA256 = 6D93EF21DB9BFFACC1241E823F9BB7719B9395D64BBF952874CFF015B7930D92
10/9/2017,21:43:17 [INFO] Avira Free Antivirus has scanned the following file:
  C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
      [INFO] Scan mode: Reading
      [INFO] Scan time: 8182 ms

and :

10/9/2017,21:43:25 [WARNING] A suspicious attempt to access the registry was blocked!
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit
10/9/2017,21:44:02 [INFO] Avira Free Antivirus has scanned the following file:
  C:\Windows\SysWOW64\rasapi32.dll

I tried to start a scan with Malwarebytes and had a popup that said: "Malwarebytes was unable to install the Anti-Rootkit DDA Driver. This may be due to rootkit activity; we recommend restarting so Malwarebytes can attempt to install the driver."

I restarted, loaded Linux Mint on the live USB again, updated ClamTK, scanned, submitted files to VirusTotal, and quarantined anything that got more than one positive, including one of the bigger names, usually Webroot.

Believing everything was probably fine now, I turned her loose on a regular account after setting it up. All seemed fine until surfing the web. We had a website block protection event involving q.dreniq.com on ports 55960-55962. Looking up dreniq on Google led to forum posts here.

Currently we are running up-to-date Avira, Malwarebytes, and Process Explorer. All scannable results seem to be OK on the VirusTotal check, and seem to be verified.

Are we in trouble? Any help would be appreciated. Included are Farbar logs and a Malwarebytes protection event log.

malwarebytes block log.txt

Addition.txt

FRST.txt

Shortcut.txt
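The two log entries in the post that actually matter are the Protection Cloud error on MBAMService.exe and the blocked access to the Winlogon `userinit` value, which is a classic logon-persistence location (whatever is appended after the comma in that value runs at every logon). The following is an added example, not code from the post, from Avira or from Malwarebytes: it parses log lines in the shape of the excerpt above and pulls out those two warning types, and it checks a `Userinit` value for anything beyond the stock entry. `SAMPLE_LOG` is constructed from the lines quoted in the post, `DEFAULT_USERINIT` assumes a default Windows 7 install on `C:`, and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the Avira Free Antivirus log excerpt quoted
# in the post; it is not the poster's full log.
SAMPLE_LOG = r"""
10/9/2017,21:43:09 [INFO] Avira Free Antivirus has scanned the following file:
  C:\Windows\System32\services.exe
      [INFO] Scan mode: Reading
      [INFO] Scan time: 1 ms
      [INFO] Process ID: 564
10/9/2017,21:43:09 [INFO] Retry 1 for the file 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'. SHA256 = 6D93EF21DB9BFFACC1241E823F9BB7719B9395D64BBF952874CFF015B7930D92
10/9/2017,21:43:17 [WARNING] The Protection Cloud scan of file 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe' completed with the error code 0x490. SHA256 = 6D93EF21DB9BFFACC1241E823F9BB7719B9395D64BBF952874CFF015B7930D92
10/9/2017,21:43:25 [WARNING] A suspicious attempt to access the registry was blocked!
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit
10/9/2017,21:44:02 [INFO] Avira Free Antivirus has scanned the following file:
  C:\Windows\SysWOW64\rasapi32.dll
"""

# Timestamped entry: "M/D/YYYY,HH:MM:SS [LEVEL] message"
ENTRY_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}),(\d{2}:\d{2}:\d{2}) \[(INFO|WARNING|ERROR)\] (.*)$")
CLOUD_ERR_RE = re.compile(r"file '([^']+)' completed with the error code (0x[0-9A-Fa-f]+)")


@dataclass
class Finding:
    when: str         # "date time" exactly as written in the log
    kind: str         # "registry_block" or "cloud_error"
    target: str       # registry key, or the scanned file path
    detail: str = ""  # error code for cloud_error


def parse_avira_log(text: str) -> List[Finding]:
    """Pull the two WARNING types out of an Avira log: blocked registry access
    (the key sits on the indented continuation line) and Protection Cloud errors."""
    findings: List[Finding] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        date, time, level, msg = m.groups()
        if level != "WARNING":
            continue
        when = f"{date} {time}"
        if "suspicious attempt to access the registry" in msg:
            key = lines[i + 1].strip() if i + 1 < len(lines) else ""
            findings.append(Finding(when, "registry_block", key))
        elif "Protection Cloud scan" in msg:
            cm = CLOUD_ERR_RE.search(msg)
            if cm:
                findings.append(Finding(when, "cloud_error", cm.group(1), cm.group(2)))
    return findings


# Stock Userinit target on Windows 7; assumes Windows lives on C:. Compared case-insensitively.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_extra_entries(value: str) -> List[str]:
    """Return every entry in a Winlogon Userinit value other than the stock userinit.exe.
    The value is a comma-separated list whose default is
    'C:\\Windows\\system32\\userinit.exe,' (trailing comma included). Anything appended
    after that comma is also launched at each logon, which is why this key is a
    persistence target and why Avira guards writes to it."""
    extras: List[str] = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        # Some installs spell the path with %SystemRoot%; fold that onto the default.
        normalized = re.sub(r"^%systemroot%", r"c:\\windows", entry, flags=re.IGNORECASE)
        if normalized.lower() == DEFAULT_USERINIT:
            continue
        extras.append(entry)
    return extras


if __name__ == "__main__":
    for f in parse_avira_log(SAMPLE_LOG):
        print(f"{f.when}  {f.kind:<15} {f.target} {f.detail}".rstrip())
    # Constructed Userinit values: the stock one, and one with a program appended.
    for v in (r"C:\Windows\system32\userinit.exe,",
              r"C:\Windows\system32\userinit.exe,C:\Users\Public\svchost.exe,"):
        print(repr(v), "->", userinit_extra_entries(v) or "stock value only")
```

On the affected machine the live value to feed `userinit_extra_entries` comes from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`. Note what the Avira line does not say: it names the key that was touched but not the process that touched it, so the block by itself does not establish that the write was malicious; the Userinit value, the FRST output and the MBAMService.exe hash (which can be checked against the vendor's signed binary) are what settle it.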


  • 1 month later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
