Adlice forum
		General Category => Malware removal help => Topic started by: Lobas on October 31, 2017, 12:05:02 AM
		
			
			- 
				Hello,
 
 We have an unknown infection on 7 of 8 computers in our company.
 
 I couldn't find much using various AV Programs and Tools.
 
 A closer look at approximately 50 infected files with the Adlice RK PE Viewer showed me that most of them contain sandbox, anti-debugging scanner / debugging blocker and similar mechanisms to protect themselves and hide from AV.
 
 Concrete objects found by AV since the beginning of this infection (last Thursday), all PCs together:
 
 G DATA found 6 PSW-Tools and 3 OCS-Tools
 ESET found 3 PSW-Tools
 RogueKiller found 14 PUMs and 2 Rootkit IAT:Addr(Hook.IEAT)
 
 The 8th computer was off and not connected to the local intranet at the time of the infection, so it stayed clean. We won't put it back on the network until the other PCs are cleaned.
 
 Concrete symptoms are: Some files are encrypted (new extensions like .crypt, .crypto, .crypted, .encrypted and so on, which cannot be opened), some files are just renamed or the extension was changed to another normal file type. Some files are damaged, which causes programs to hang and crash often. Some files were just modified recently, which has no visible effect.
 
 Lastly, some programs do not work at all anymore, and on 3 PCs there is still no way to connect to the Internet.
 
 In the hope that someone here can help me, I ran scans with the Farbar Recovery Scan Tool on the 7 infected PCs.
 
 
 I hope someone here is able to help me with my problem!
 
 PC Names:
 
 - PCSRV (Main PC)
 - PC01 (Secondary PC)
 - PC201701 ('DESKTOP-NO388OR') (Tertiary PC)
 - PC05 (Tertiary PC)
 - STUMPF-HP (Notebook)
 - NETBOOK (Notebook)
 - TVW-TC-1671 (Auxiliary PC)
 
 - STUMPF-PC (Notebook) (not affected by the infection, so no Farbar scan)
 - SMARTBOOK (Android tablet, only non-Windows business device) (not affected by the infection)
 
 Greetings Lobas
- 
				Hi Lobas,
 
 Could you please attach the G-DATA, ESET and RogueKiller reports of the first computer with your next reply?
 Please also attach some of the encrypted files (at least one .crypt file and one with a "normal" extension type).
 
 Do you know the following files?
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
 ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
 ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
 Regards.
- 
				Hi,
 Am I right that you only want logs with catches, or isn't that the point?
 
 Yes, if I find one I will, but it feels like they are already getting fewer for no known reason.
 
 Yes, these files are batch files I wrote myself to log the computer on to the network drives and to automatically wipe out the most common sources of application errors in the company's main work program.
- 
				Hi Lobas,
 
 "Am I right that you only want logs with catches, or isn't that the point?" Yes, you are perfectly right.
 
 "Yes, if I find one I will, but it feels like they are already getting fewer for no known reason." Without an encrypted file, it will be difficult to accurately determine the type of the infection.
 Was a ransom demand present with the encrypted files?
 
 "Yes, these files are batch files I wrote myself to log the computer on [...]" Thanks for the confirmation.
 
 Regards.
- 
 No, no demand has been seen so far.
 
 Attached are two logs of PCSRV I found: a Smadav log from 25th October and ClamWinPortable (screenshot of catches) from 30th October.
 
 EDIT: From the ESET logs I can only give partial screenshots. Attached are the first 3 logs from 26th/27th October.
- 
				Hi Lobas,
 
 Neither ClamAV nor ESET detected ransomware.
 At this point, I think that your files have been corrupted by something non-malware related, so there is little I can do to help you.
 
 Regards.
 
- 
				Maybe Ransom-/Crypto-/Doxware plays a role in this, maybe a smaller one. But it's completely clear that a heavy malware infection is taking place.
 
 For this I can give you more concrete facts.
 
 I will try to deliver as much as possible of useful information.
- 
 First, please let's stay with the Farbar logs. I am still looking mostly at PCSRV (also because the 5 holidays are now over and today normal business is starting again. PCSRV plays a central role for the proper operation of the network and all attached devices. Furthermore, PCSRV is one of the PCs that has had no working Internet connection since the beginning of the infection. That's a big problem, given that normal work should be possible again.)
 
 Under the given circumstances I am pleading with you, Curson, and surely any other person who may be able to provide any form of help, to please stay with this topic and try to help / find solutions / correct & complete my proposals for what to do next.
 
 Please just stand by.
 
 Thanks.
 
 I will start asking concrete questions about Farbar and how to deal with it in the next post.
- 
 Ok, let's start with PCSRV. Its disinfection is the most urgent.
 
 As said, please correct me if I'm thinking wrong, complete what I am trying to address and help me if I'm just asking questions against the background of limited knowledge! I would be very pleased if you could manage to support me in trying to get to the problem, starting somewhere.  :)
 
 Processes:
 
 Is it right to do nothing at this point, or should the following process maybe be killed? Or are there potential signs of bad processes I completely failed to recognize?
  - () C:\Windows\System32\igfxTray.exe 
 
 
 Registry:
 
 I'm somewhat irritated by the following objects. Should they be deleted?
 
 - HKLM\...\Run: [bg-info] => [X]
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
 
 
 
 Next, these objects should(!) all be legit, but why are they getting onto that list? Also, they would not be uncommon places for infection (Startup/boot sectors, shortcuts & .bat, .vbs & .exe files).
 Should I still trust them, like I did until now, remove them (prophylactically) or just keep watching them?
 
 
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
 ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\hevos.lnk [2017-08-08]
 ShortcutTarget: hevos.lnk -> C:\Program Files (x86)\henova GmbH\hevos\Hevos.GUI.Client.exe (Henova GmbH)
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
 ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]
 ShortcutTarget: NetScaler Gateway.lnk -> C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
 Startup: C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2017-08-18]
 ShortcutTarget: An OneNote senden.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)
 
 
 
 Internet:
 
 
 1st: Why the hell is the hosts file not in its normal folder? How can something like that happen? A problem I never heard of before, but IMO, that looks alarming.
 
 2nd: This object should be removed immediately, is that correct? I remember stuff like DHCPNameServers as being very dangerous.
 
 Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1 
 3rd: Browsers:
 
 The following stuff is hanging around in IE, FF & Chrome.
 It wouldn't be a mistake to wipe out this junk, would it?
 
 Internet Explorer:
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
 - BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-10-19] (Microsoft Corporation)
 - BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\ssv.dll [2017-08-08] (Oracle Corporation)
 - BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-08-08] (Oracle Corporation)
 - Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 
 Mozilla Firefox:
 - FF DefaultProfile: 1u3d5r8x.default
 - FF ProfilePath: C:\Users\praxis\AppData\Roaming\Mozilla\Firefox\Profiles\1u3d5r8x.default [2017-10-26]
 - FF Plugin: @Citrix.com/npagee64,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @Citrix.com/npagee,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-10-19] (Microsoft Corporation)
 - FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-08-01] (Adobe Systems Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)
 
 Google Chrome:
 - CHR Profile: C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default [2017-10-26]
 - CHR Extension: (Präsentationen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-16]
 - CHR Extension: (Docs) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-16]
 - CHR Extension: (Google Drive) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-08-02]
 - CHR Extension: (YouTube) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-08-02]
 - CHR Extension: (Tabellen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-16]
 - CHR Extension: (Google Docs Offline) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-08-02]
 - CHR Extension: (Chrome Web Store-Zahlungen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-10]
 - CHR Extension: (Google Mail) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-08-02]
 - CHR Extension: (Chrome Media Router) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-10-10]
 
 
 In case this thread is no longer being viewed, I will open a new one with a more concrete description, the type of help asked for and more system info, including potential other (non-Farbar) logs. At first the two threads can, from my point of view, co-exist for a certain time. If the time comes that a mod wants to see everything in one, no problem either. Just explaining why I am doing this.
- 
				Hi Lobas,
 
 I'm still following your thread, but I'm not here all the time.
 Here are the answers to your questions:
 
 Process:
 igfxTray.exe: This process provides quick access, via a system tray icon, to the control panel for graphics based on Intel chipsets.
 
 Registry :
 The registry values under the DisallowRun key forbid the launch of PowerShell, Background Intelligent Transfer Administration Service (BITS) and Microsoft HTML Application. These keys are usually set by the antiransomware module of some antivirus.
 
 Startup :
 These items are launched on system startup. You can trust them.
 
 Internet :
 1) FRST didn't find the hosts file in the standard location, but another section of the log shows no issue.
 2) No. It's your Internet gateway.
 
 3) Browsers:
 These are your browser extensions, which are all legit.
 
 Once again, there is nothing more I can do without a sample of an encrypted file.
 Regards.
- 
				Hi,
 
 ok..
 
 In the case of the process, I thought I had read somewhere that if no company name is given, that would be a warning signal.
 
 EDIT: Would it be possible that this process got hijacked?
 
 So with the registry there is nothing to do either. The Startup items are mostly trusted, but I was wondering about their appearance on the list.
 
 EDIT: Ok, something better left alone. I trust all of them, but from some of these items (below) I know how easily and how openly they get infected.
 
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
 ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
 ShortcutTarget: hevos.lnk -> C:\Program Files (x86)\henova GmbH\hevos\Hevos.GUI.Client.exe (Henova GmbH)
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
 ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]
 
 
 In the case of the hosts file I will just take your word for it; the NameServer, dumb mistake..
 
 EDIT: You mean the hosts file entries? Yes, I cannot remember seeing them in the log of PCSRV. Nevertheless, I don't get why the hosts file is somewhere it doesn't belong?
 Oh, ok, then better not remove it. :D
 
 Yes, various browser extensions, but I have now taken a deeper look, and things like Java or the Office plugins, yes, make sense, but isn't the rest at least useless? Or take a closer look at the first two elements in IE, hxxp?!
 
 EDIT: Maybe I can deliver something like that, don't know if you can make use of it.
 
 
 Ok so far:
 
 As for drivers, there is only this one suspicious one:
 
 S0 wjtvys; kein ImagePath 
 As for the 'Created' and 'Modified' Files/Folders, 1st: Does it make sense to unhide the hidden system files?
 And is it right that an object should be checked if there's no company name and no attribute letter, especially when it's in the Windows folder?
 That would match only a few:
 
 C:\Windows\DOCFEST.INI
 C:\Users\Public\Desktop\ESET Sicheres Online-Banking und Bezahlen.lnk
 C:\Users\praxis\Desktop\smadav.1log.txt
 C:\Users\praxis\Downloads\Lisa (1).pdf
 C:\Users\praxis\Downloads\Lisa.pdf
 C:\Windows\system32\Drivers\etc\hosts.20171023-194230.backup
 C:\Windows\system32\administration.bat
 C:\Windows\system32\Fehlerquellen beheben.bat
 C:\Windows\system32\close.bat
 C:\Windows\system32\auxiliary.bat
 C:\Windows\SysWOW64\uninst.exe
 
 
 And these:
 
 C:\Windows\ZAM.krnl.trace
 C:\Windows\ZAM_Guard.krnl.trace
 C:\Windows\system32\perfh007.dat
 C:\Windows\system32\perfc007.dat
 C:\Windows\system32\PerfStringBackup.INI
 C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk
 C:\Windows\system32\Drivers\TrueSight.sys
 C:\Windows\system32\FNTCACHE.DAT
 C:\Windows\SysWOW64\PerfStringBackup.INI
 C:\Users\Public\Desktop\x.servicecenter.lnk
 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\x.comfort Word-Assistent.lnk
 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\comfort.lnk
 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\medatixx Fernservice.lnk
 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
 C:\Users\Public\Desktop\Google Chrome.lnk
 
 
 Or, if we subtract the user-modified ones, this is what remains:
 
 C:\Windows\DOCFEST.INI
 C:\Windows\system32\Drivers\etc\hosts.20171023-194230.backup
 C:\Windows\SysWOW64\uninst.exe
 C:\Windows\ZAM.krnl.trace
 C:\Windows\ZAM_Guard.krnl.trace
 C:\Windows\system32\perfh007.dat
 C:\Windows\system32\perfc007.dat
 C:\Windows\system32\PerfStringBackup.INI
 C:\Windows\system32\Drivers\TrueSight.sys
 C:\Windows\system32\FNTCACHE.DAT
 C:\Windows\SysWOW64\PerfStringBackup.INI
 
 
 Then the Root Directory section: what does it mean when something is listed there?
 
 2017-08-02 20:26 - 2017-08-02 20:26 - 000000779 _____ () C:\Users\praxis\AppData\Roaming\gdscan.log
 2017-08-02 19:25 - 2017-08-02 19:25 - 000361646 _____ () C:\ProgramData\ds_update.log
 2017-08-02 19:21 - 2017-08-02 19:21 - 000000132 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
 2017-03-15 09:01 - 2017-03-15 09:01 - 000010272 _____ () C:\ProgramData\regid.2013-04.medatixx.de,softwareproduktion_85D1FE7C-C5B0-451C-9C29-234CAEA6DEBA.swidtag
 2017-03-15 09:02 - 2017-03-15 09:02 - 000010268 _____ () C:\ProgramData\regid.2013-04.medatixx.de,softwareproduktion_DFCF6231-755B-44A8-87E4-A38B5FAFB29F.swidtag
 
 
 I know the listed TEMP folder content does not have to be malware, but isn't it safer to delete it, or is there any advantage in keeping it?
 
 2017-10-23 17:43 - 2017-09-13 17:31 - 001732864 _____ (Microsoft Corporation) C:\Users\praxis\AppData\Local\Temp\dllnt_dump.dll
 2017-08-08 11:20 - 2017-08-08 11:20 - 000271872 ____N (Kohsuke Kawaguchi) C:\Users\praxis\AppData\Local\Temp\native-helpler-4037951261073866670-com4j-x86.dll
 
 
 And, lastly, I didn't really get what the Bamital & volsnap section is about..
 
 ==================== Bamital & volsnap ======================
 
 (Es ist kein automatischer Fix für Dateien vorhanden, die an der Verifikation gescheitert sind.)
 
 C:\Windows\system32\winlogon.exe => Datei ist digital signiert
 C:\Windows\system32\wininit.exe => Datei ist digital signiert
 C:\Windows\SysWOW64\wininit.exe => Datei ist digital signiert
 C:\Windows\explorer.exe => Datei ist digital signiert
 C:\Windows\SysWOW64\explorer.exe => Datei ist digital signiert
 C:\Windows\system32\svchost.exe => Datei ist digital signiert
 C:\Windows\SysWOW64\svchost.exe => Datei ist digital signiert
 C:\Windows\system32\services.exe => Datei ist digital signiert
 C:\Windows\system32\User32.dll => Datei ist digital signiert
 C:\Windows\SysWOW64\User32.dll => Datei ist digital signiert
 C:\Windows\system32\userinit.exe => Datei ist digital signiert
 C:\Windows\SysWOW64\userinit.exe => Datei ist digital signiert
 C:\Windows\system32\rpcss.dll => Datei ist digital signiert
 C:\Windows\system32\dnsapi.dll => Datei ist digital signiert
 C:\Windows\SysWOW64\dnsapi.dll => Datei ist digital signiert
 C:\Windows\system32\Drivers\volsnap.sys => Datei ist digital signiert
 
 
 I'm not really going out on a limb saying that 'volsnap.sys' is kind of suspicious, am I?
 Also, the two 'dnsapi.dll' detections: I think I've seen them in an example Farbar log in this section.
 Or did all of them fail verification?
 
 It gets more and more complicated, but I still have more possibilities; the problem has to be somewhere.
- 
				Hi Lobas,
 
 "In the case of the process, I thought I had read somewhere that if no company name is given, that would be a warning signal." If the process does not have a company name, it's indeed a warning. But this process is legit.
 
 "Yes, various browser extensions, but I have now taken a deeper look, and things like Java or the Office plugins, yes, make sense, but isn't the rest at least useless? Or take a closer look at the first two elements in IE, hxxp?!" When installing such programs, they register browser extensions, but they are indeed not really useful. Every http link in FRST reports is changed to hxxp for security reasons.
 
 "As for drivers, there is only this one suspicious one:" This is an old service where the actual executable file is missing, so nothing dangerous.
 You can delete it with the following command from the command line:
 sc config wjtvys start= disabled && sc delete wjtvys
 "As for the 'Created' and 'Modified' Files/Folders [...]" With the default config, FRST displays the files created and modified during the last 30 days in specific locations, with a predefined whitelist. All files and folders listed in your report are legit.
 
 "I know the listed TEMP folder content does not have to be malware, but isn't it safer to delete it, or is there any advantage in keeping it?" No, they are legit files. This won't change anything.
 
 "I'm not really going out on a limb saying that 'volsnap.sys' is kind of suspicious, am I?
 Also, the two 'dnsapi.dll' detections: I think I've seen them in an example Farbar log in this section.
 Or did all of them fail verification?"
 The files volsnap.sys and dnsapi.dll are part of the operating system. Since they are signed, they are legit.
 
 Regards.
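 A small added example (my own Python, not FRST's or Adlice's code) for the 'Created/Modified' question answered above: it parses the FRST file lines quoted in this thread and lists which entries a reviewer would look at first, using the hints discussed here (no publisher under the Windows directory, script files in system folders, system+hidden objects elsewhere). The review rules are my own, not FRST's whitelist, the administration.bat line's timestamps and size are constructed, and a listed entry only means "check manually", not "malicious".

```python
"""Review-ordering helper for FRST 'One Month Created/Modified' file lines.

Added example, not FRST's own code. It only sorts entries for a human to
look at; FRST already whitelists known-good files and every entry quoted in
the thread was judged legitimate.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Line layout: <ts1> - <ts2> - <9-digit size> <5 attribute flags> [(Publisher) ]<path>
# Which timestamp is creation and which is modification depends on whether the
# line comes from the "Created" or the "Modified" section, so both are kept raw.
_LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{9}) ([A-Z_]{5}) "
    r"(?:\((.*?)\) )?"  # optional publisher in parentheses
    r"(.+)$"
)

WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}


@dataclass
class FrstEntry:
    ts1: str
    ts2: str
    size: int
    attrs: str              # five flag positions, e.g. "____H" (H = hidden), "__SHD"
    company: Optional[str]  # None when FRST printed no publisher
    path: PureWindowsPath


def parse_frst_line(line: str) -> Optional[FrstEntry]:
    """Return a parsed entry, or None when the line is not an FRST file line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts1, ts2, size, attrs, company, path = m.groups()
    return FrstEntry(ts1, ts2, int(size), attrs, company, PureWindowsPath(path))


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    # PureWindowsPath compares case-insensitively, so system32 == System32.
    return root == path or root in path.parents


def triage(entry: FrstEntry) -> List[str]:
    """Reasons to look at this entry by hand (empty list = nothing to review)."""
    reasons: List[str] = []
    in_windows = _under(entry.path, WINDOWS_DIR)
    if in_windows and entry.company is None:
        reasons.append("no publisher recorded for a file under the Windows directory")
    if in_windows and entry.path.suffix.lower() in SCRIPT_EXTS:
        reasons.append("script file inside the Windows directory")
    if "S" in entry.attrs and "H" in entry.attrs and not in_windows:
        reasons.append("system+hidden object outside the Windows directory")
    return reasons


def triage_report(lines: List[str]) -> Dict[str, List[str]]:
    """Map path -> reasons for every parseable line that has at least one reason."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_frst_line(line)
        if entry is None:
            continue  # section headers, blank lines, non-file output
        reasons = triage(entry)
        if reasons:
            report[str(entry.path)] = reasons
    return report


# Sample input: lines copied from the FRST excerpts quoted in this thread,
# plus one constructed line (timestamps and size invented) for a path the
# thread lists without its FRST line.
SAMPLE_LINES = [
    r"2017-10-11 09:23 - 2017-09-13 17:27 - 000006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll",
    r"2017-10-26 14:08 - 2017-10-26 14:08 - 000000030 _____ C:\Windows\DOCFEST.INI",
    r"2017-08-08 11:20 - 2017-08-08 11:20 - 000271872 ____N (Kohsuke Kawaguchi) C:\Users\praxis\AppData\Local\Temp\native-helpler-4037951261073866670-com4j-x86.dll",
    r"2017-10-23 17:46 - 2017-08-02 19:29 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys",
    r"2017-10-25 18:05 - 2017-08-02 22:26 - 000000000 __SHD C:\[Smad-Cage]",
    r"2017-10-25 19:40 - 2017-10-25 19:40 - 000000512 _____ C:\Windows\system32\administration.bat",  # constructed
]

if __name__ == "__main__":
    for path, reasons in triage_report(SAMPLE_LINES).items():
        print(path)
        for reason in reasons:
            print("    " + reason)
```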
- 
				Hi,
 
 sorry for my long absence. I had 4 holidays at work now.
 
 
 So am I right with the following compilation of things to do on PCSRV based on the Farbar scan?
 
 
 - Registry:
 
 HKLM\...\Run: [bg-info] => [X] 
 (Delete) (?)
 
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1 
 If I remember right, this key can be set by malware as well as by AV programs, but you thought this is ok, right? Or is it just required to make the following three keys work? (I mean the ones you said are set by anti-ransomware modules (I'm not asking again about their legitimacy, my question is just about the one I put above!))
 
 
 - Internet Explorer:
 
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
 
 Removing them, because they are just there to set unneeded default start pages and so are PUMs, right?
 
 
 - Mozilla Firefox:
 
 FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 
 These are also PUMs, which aren't needed, right?
 
 
 - Drivers:
 
 S0 wjtvys; kein ImagePath 
 (Delete, because it's broken and so of no more use, ok?)
 
 
 
 - Created & Modified:
 
 2017-10-11 09:23 - 2017-09-13 17:27 - 000006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 16:46 - 000006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 16:46 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 16:46 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
 2017-10-11 09:23 - 2017-09-13 16:46 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
 2017-10-26 05:38 - 2009-07-14 06:45 - 000021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
 2017-10-26 05:38 - 2009-07-14 06:45 - 000021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
 2017-10-25 19:44 - 2017-08-02 17:30 - 000000000 __SHD C:\Users\praxis\IntelGraphicsProfiles
 2017-10-25 19:40 - 2009-07-14 07:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
 2017-10-25 18:05 - 2017-08-02 22:26 - 000000000 __SHD C:\[Smad-Cage]
 
Just unhiding, I know, not necessary at least, but also nothing that can do damage, am I right?
 
*Sorry if I'm asking so many questions, or a few of them more than once, but with the following I want to be completely sure*
 
 2017-10-26 14:08 - 2017-10-26 14:08 - 000000030 _____ C:\Windows\DOCFEST.INI
 2017-09-30 15:50 - 2017-07-03 16:10 - 000549281 _____ C:\Windows\SysWOW64\uninst.exe
 2017-10-26 13:53 - 2017-08-03 02:59 - 000809226 _____ C:\Windows\system32\perfh007.dat
 2017-10-26 13:53 - 2017-08-03 02:59 - 000185506 _____ C:\Windows\system32\perfc007.dat
 2017-10-26 13:53 - 2009-07-14 07:13 - 001896188 _____ C:\Windows\system32\PerfStringBackup.INI
 2017-10-23 17:46 - 2017-08-02 19:29 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
 2017-10-12 03:21 - 2009-07-14 06:45 - 000412120 _____ C:\Windows\system32\FNTCACHE.DAT
 2017-10-12 03:02 - 2017-08-02 17:18 - 001869532 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
 
I really, really don't have to worry about them, you're telling me? (I won't put them on the fixlist, or fix them any other way, if you can say that there is not the smallest probability of them being somehow suspicious!)
 
- "Root Directories", "TEMP folder" & "Bamital & Volsnap" sections:

As with the aforementioned sections, I still don't completely understand the reasons, but if your last word is that there is no need to do anything, I will ignore it!
 
 
 - Installed Programs:
 
 
 Berater (HKLM-x32\...\{72EB4F78-28CA-4813-BDCF-8062EFDEF34A}) (Version: 17.3.71 - I-Motion GmbH) Hidden
 Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
 Maxx Audio Installer (x64) (HKLM\...\{307032B2-6AF2-46D7-B933-62438DEB2B9A}) (Version: 1.6.5073.107 - Waves Audio Ltd.) Hidden
 Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8528.2139 - Microsoft Corporation) Hidden
 Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8528.2139 - Microsoft Corporation) Hidden
 Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8528.2139 - Microsoft Corporation) Hidden
 Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0407-0000-0000000FF1CE}) (Version: 16.0.8326.2107 - Microsoft Corporation) Hidden
 SQL Server 2012 Common Files (HKLM\...\{202AAF1F-69AA-442A-B59F-6B54B1AD07C6}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
 SQL Server 2012 Common Files (HKLM\...\{53CDFF43-1CE7-444B-AEBE-A5FB7B82511D}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
 SQL Server 2012 Database Engine Services (HKLM\...\{18B2A97C-92C3-4AC7-BE72-F823E0BC895B}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
 SQL Server 2012 Database Engine Services (HKLM\...\{26F35006-0545-4F78-90D8-C2FDF0028692}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
 SQL Server 2012 Database Engine Shared (HKLM\...\{54FF8FAB-DE27-4187-82F1-EBAE6AEE869A}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
 SQL Server 2012 Database Engine Shared (HKLM\...\{D4DF6EA6-4B7A-42B4-9C56-D8BC7D087F7A}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
 SQL Server 2012 Management Studio (HKLM\...\{A7037EB2-F953-4B12-B843-195F4D988DA1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
 SQL Server 2012 Management Studio (HKLM\...\{F9FDAEBA-9BFE-4FDD-BDEB-482A3F5316C8}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
 Sql Server Customer Experience Improvement Program (HKLM\...\{BED1EA3D-592D-4305-9D1F-20F03726EFC1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
 
As with these, just unhiding (not absolutely necessary, but also not doing any harm when performing this). Please correct me if I'm on the wrong path with that thinking.
 
 
 - Custom CLSID:
 
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No file
Removing, because it's broken, so there's no more advantage to it. Right?
 
 
 - Scheduled Tasks:
 
 Task: {477C4964-5D79-416B-A20C-A2C8DF520A00} - System32\Tasks\{71F1B1EC-F67F-4DF0-A6D4-F7ACDA42E115} => C:\Windows\system32\pcalua.exe -a C:\Users\praxis\Downloads\jxpiinstall.exe -d C:\Users\praxis\Downloads
 Task: {5D93A44C-B6FE-4A29-B04E-9BD2E0771ECC} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
 Task: {84801545-B73C-48CC-B5CD-B004A3B369D7} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
 Task: {8D86F910-78AD-4DEE-95D1-1903E0AE4966} - System32\Tasks\{3FEC2A17-5EBD-46F2-8729-92CDCBB03DAD} => C:\Windows\system32\pcalua.exe -a "C:\Users\praxis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M30V4LAH\JavaSetup8u144.exe" -d C:\Users\praxis\Desktop
 
Just asking if they're really OK, because they have no company affiliation listed. I won't do anything to them if you tell me they're nevertheless legit.
 
 
 - Shortcuts & WMI:
 
 Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat () 
The Farbar tutorial says that in this section only suspicious or hijacked shortcuts are listed, along with WMI malware.
I know I've written them myself and you already asked about this point, but one thing I haven't mentioned before: >>on this PC there is more than one copy of (primarily) identical batch files and associated shortcuts.<< So why is just this one listed here? At the moment I would clearly remove it, especially because it's no big thing to restore it from a (supposedly) clean copy of the same. Or is it maybe that Farbar marks it as suspicious because it is in the Windows\System32 folder, where it normally doesn't belong? Against this possibility speaks that there are more such copies in System32, so I don't want to offend you or doubt your knowledge, but without a plausible explanation of how this got falsely onto that list, I still have to believe there is something wrong.
 
 
 - Loaded Modules:
 
 2017-07-06 10:27 - 2017-07-06 10:27 - 000515920 _____ () C:\Program Files (x86)\BackupAssist v10\NTFSTraverser.dll
 2017-08-02 17:24 - 2015-09-23 10:25 - 000393320 _____ () C:\Windows\system32\igfxTray.exe
 2017-08-02 19:05 - 2017-06-28 00:24 - 001434976 _____ () C:\doc2\prog\wprog\DOCWIN.dll
 2017-08-02 19:05 - 2017-06-28 00:26 - 000099168 _____ () C:\doc2\prog\wprog\x.AltovaXML.dll
 2017-08-02 19:05 - 2017-06-28 00:26 - 000108896 _____ () C:\doc2\prog\wprog\x.Altova.dll
 2017-08-02 19:05 - 2017-06-27 22:50 - 005769216 _____ () C:\DOC2\PROG\WPROG\QtGui4.dll
 2017-08-02 19:05 - 2017-06-27 22:49 - 001477632 _____ () C:\DOC2\PROG\WPROG\QtCore4.dll
 2017-08-02 19:05 - 2017-06-28 00:27 - 000085344 _____ () C:\DOC2\PROG\WPROG\xPatientMessages.dll
 
The Farbar tutorial says the ones listed here haven't passed whitelisting. Should I be alarmed by this? All of them look trustworthy at first, but is hijacking conceivable here?
 
 
 - Internet Explorer Restricted Sites:
 
 The restricted sites in IE, are they restricted for a special reason, or would it be ok to remove this attribute?
 
 
 - Other Areas:
 
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg 
 This one looks legit to me, right?     (Won't do anything)
 
 DNS Servers: 192.168.2.1 
Does not look like a hijacked DNS server to me, or does it?     (Won't do anything) (checked with whois.domaintools.com, for example)
 
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0) 
 This shows that UAC is not completely turned off, right? But it has to be turned off completely so business programs work properly. No matter how this change appeared, I'm going to correct that.
 
Windows Firewall is disabled for the same reason as UAC. This is how it should be.     (Won't do anything)

The firewall rules mostly look OK to me, but could you please try to explain to me the reason for (and what they do) the following?
 
 FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
 FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
 
 *I got over the maximum length, so I'm going to break up the post.*
- 
				*I got over the maximum length, so I'm going to break up the post.*
 
 
As for Recovery Points, there isn't a problem, at least in my opinion, or is there one?
 
 
 - Application Errors:
 
There is one "Application Error (Source Application Error)"; in this case there is nothing someone could do, right?
 
 Error: (10/26/2017 09:38:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ROUTINE.EXE, version: 17.3712.38814.9, time stamp: 0x5952d945
Faulting module name: ntdll.dll, version: 6.1.7601.23915, time stamp: 0x59b94a16
Exception code: 0xc0000005
Fault offset: 0x0002e927
Faulting process id: 0x2070
Faulting application start time: 0x01d34e2d0bf6ee75
Faulting application path: C:\DOC2\PROG\WPROG\ROUTINE.EXE
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: b3726f8b-ba20-11e7-ad7f-b083fe825cc6
 
 
Also there are 9 "Application Error (Source SideBySide)". Would it make sense to remove one of the components which are in conflict with each other? And if yes, which one?
 
 Just one example, instead of all:
 
 Error: (10/26/2017 05:24:28 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\doc2\prog\wprog\DOC.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
 
 - System Errors
 
About System Errors, there is nothing I could do, is there? One example (out of 10):
 
 Error: (10/26/2017 04:36:00 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk1\DR1, has a bad block.
 
 - CodeIntegrity
 
But here: Is there anything useful I could do about the CodeIntegrity errors? Here is one example out of 6:
 
 Date: 2017-08-03 03:15:36.863
Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume4\BackupAssist\Dasi\2017-05-31\C\Users\Praxis\AppData\Local\Mozilla\Firefox\Profiles\om96767o.default\cache2\entries\83D634E4804E1BCDDB9EA2FD836667365E09C75F" because the set of per-page image hashes could not be found on the system.
 
 
My last question on this topic: If there are drives marked with the word "Fixed", this is already done, right? So there is nothing more someone has to do?
 
 
 
 *I got over the maximum length, so I'm going to break up the post.*
 
Questions about how to deal with and interpret RK PE Viewer results I will put into a separate reply, just below.

Again, I'm sorry for causing so much trouble, and I hope you will still help me with my problems in the future, but I would also like to thank you at this point for all the help you have given until now!
 
 
 Greetings so far
 
 
 Lobas
- 
				Hi Lobas,
 
 HKLM\...\Run: [bg-info] => [X]          (Delete) (?) This is an old entry, pointing to a deleted file. You can remove it if you want.
 
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1
 [...]Or is this just required to make the following three keys work?[...]
 That's it.
 
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
 Removing, because they are just there to set not needed Default Start Pages and so are PUM's, right?
 They are not PUM's. Microsoft.com and msn.com are legit sites.
 
 FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 These are also PUM's, which aren't needed, right?
 This addon updates all Google software, it's not a PUP.
 
S0 wjtvys; no ImagePath          (Delete, because broken, so no more advantage, ok?) See my last answer.
 
 - Created & Modified:[...]
 Just unhiding, I know, not necessary at least, but also nothing that can make damage, am I right so?
These are legit files. You can unhide them, but it's not recommended.
 
[...]I really, really don't have to worry about them, you're telling me? These are also legit files.
 
 - Installed Programs:[...]
 As with them just unhiding, (not absolutely necessary, but also not doing any wrong when performing this)
 These are hidden by design.
 
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No file
 Removing, because broken, so no more advantage out of it. Right?
 Yes, you can remove it.
 
 - Scheduled Tasks:[...]
 Just asking if they're really ok, because they have no company affiliation listed.[...]
 They are all legit.
 
 Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat ()
 Farbar tutorial says, in this section are only listed suspicious or hijacked Shortcuts, along with WMI Malware.[...]
FRST cannot know you wrote it yourself, so, since it is in the system32 directory, it considers it suspicious.
 
 - Loaded Modules:[...]
[...]All of them look trustworthy at first, but is hijacking conceivable here?
 They are trustworthy.
 
 - Internet Explorer Restricted Sites:[...]
 The restricted sites in IE, are they restricted for a special reason, or would it be ok to remove this attribute?
These sites are malicious, so they are indeed restricted for a special reason.
 
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
 This one looks legit to me, right?     (Won't do anything)
 Right.
 
 DNS Servers: 192.168.2.1
 Does not look like a hijacked DNS Server to me, or?     (Won't do anything)
 It's your Internet gateway.
 
 FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
 FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
These allow incoming TCP traffic for the Microsoft Software Protection Platform Service.
 
 As with Recovery Points there isn't a problem, at least my opinion, or is there one? No, there is not.
 
 There is one "Application Error (Source Application Error)", in this case there is nothing someone could do, right?
 Also there are 9 "Application Error (SideBySide)". Would it make sense to remove one of the components which are standing in conflict to eachother?
 No, these errors are caused by an issue in the manifest file on an application you use (C:\DOC2\PROG\WPROG). Please contact the publisher for a fix.
 
 About System Errors, there is nothing I could do,
 Description: Fehlerhafter Block bei Gerät \Device\Harddisk1\DR1.
 Nothing to worry about, this is not your main drive.
 
 - CodeIntegrity[...] It's a warning about some drivers not being signed, nothing suspicious.
 
If there are drives, marked with the word "Fixed", this is already done, right? So there is no more someone had to do? This means that they are not removable drives.

Questions about how to deal with and interpret RK PE Viewer results] This is not used in disinfection and requires good PE knowledge.
 
 Regards.
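The reply above explains why FRST lists the .bat under System32, why the hidden-attribute entries and the pcalua.exe tasks are harmless, and why 192.168.2.1 is just the gateway. The following is an added example, not code from the original thread, from FRST, or from the helper: a small Python script that applies that same reasoning to a handful of FRST log lines copied from this thread, and also decodes the UAC policy line and the DNS line. The attribute-letter meanings (H hidden, S system, D directory), the script-extension list and the "user-writable path" list are assumptions of this example; the UAC value meanings are the documented Windows semantics.

```python
"""Triage heuristics for a few FRST (Farbar Recovery Scan Tool) log lines.

Added example for this thread; it is not FRST's code and not the helper's
procedure. It re-implements, in simplified form, the reasoning given in the
replies: a .bat under System32 is listed only because of its location, the
____H / __SHD attribute flags mark hidden and system objects, a pcalua.exe
task just wraps the installer named after -a, EnableLUA=0 means UAC is off,
and a private DNS address is the local gateway rather than a hijack.
Assumptions: attribute letters (H hidden, S system, D directory), the
script-extension list and the user-writable path list.
"""
import ipaddress
import re

# Constructed sample: lines copied from the FRST output quoted in this thread.
SAMPLE_LOG = r"""
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2017-10-25 18:05 - 2017-08-02 22:26 - 000000000 __SHD C:\[Smad-Cage]
Task: {477C4964-5D79-416B-A20C-A2C8DF520A00} - System32\Tasks\{71F1B1EC-F67F-4DF0-A6D4-F7ACDA42E115} => C:\Windows\system32\pcalua.exe -a C:\Users\praxis\Downloads\jxpiinstall.exe -d C:\Users\praxis\Downloads
Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat ()
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
DNS Servers: 192.168.2.1
"""

SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")                      # assumption
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\temporary internet files\\")  # assumption

# Documented meaning of the UAC policy values.
ADMIN_PROMPT = {0: "elevate without prompting", 1: "prompt for credentials on the secure desktop",
                2: "prompt for consent on the secure desktop", 3: "prompt for credentials",
                4: "prompt for consent", 5: "prompt for consent for non-Windows binaries (default)"}
USER_PROMPT = {0: "automatically deny elevation requests",
               1: "prompt for credentials on the secure desktop", 3: "prompt for credentials (default)"}


def script_in_system_dir(path):
    """True for a script file anywhere under System32 or SysWOW64."""
    p = path.lower()
    return p.endswith(SCRIPT_EXT) and any(p.startswith(d) for d in SYSTEM_DIRS)


def triage_file(line):
    """Created/Modified entry: report attribute flags and scripts in system dirs."""
    m = re.match(r"\S+ \S+ - \S+ \S+ - \d+ (\S+) (?:\(([^)]*)\) )?(.+)$", line)
    if not m:
        return None
    flags, company, path = m.groups()
    notes = [name for letter, name in (("H", "hidden"), ("S", "system"), ("D", "directory")) if letter in flags]
    if script_in_system_dir(path):
        notes.append("script in a system directory")
    return {"kind": "file", "path": path, "company": company, "notes": notes}


def triage_shortcut(line):
    """Shortcut entry: the target, not the .lnk, is what gets judged."""
    m = re.match(r"Shortcut: (.+?) -> (.+?) \(([^)]*)\)\s*$", line)
    if not m:
        return None
    lnk, target, company = m.groups()
    notes = ["script in a system directory"] if script_in_system_dir(target) else []
    if not company:
        notes.append("no company name")
    return {"kind": "shortcut", "lnk": lnk, "target": target, "notes": notes}


def triage_task(line):
    """Scheduled task: unwrap pcalua.exe -a <target> so the real file can be checked."""
    m = re.match(r"Task: (\{[^}]+\}) - (\S+) => (.+)$", line)
    if not m:
        return None
    _task_id, name, command = m.groups()
    wrapped, notes = None, []
    pm = re.search(r"pcalua\.exe\s+-a\s+(\"[^\"]+\"|\S+)", command, re.IGNORECASE)
    if pm:
        wrapped = pm.group(1).strip('"')
        notes.append("pcalua.exe wrapper; the real target is " + wrapped)
        if any(u in wrapped.lower() for u in USER_WRITABLE):
            notes.append("wrapped target is under a user-writable path")
    return {"kind": "task", "name": name, "command": command, "wrapped": wrapped, "notes": notes}


def decode_uac(line):
    """Policies\\System entry: EnableLUA decides whether UAC runs at all."""
    m = re.match(r"HKLM\\.*Policies\\System => (.+)$", line)
    if not m:
        return None
    vals = {k: int(v) for k, v in re.findall(r"\((\w+): (\d+)\)", m.group(1))}
    enabled = vals.get("EnableLUA", 1) == 1
    return {"kind": "uac", "uac_enabled": enabled,
            "admin_prompt": ADMIN_PROMPT.get(vals.get("ConsentPromptBehaviorAdmin"), "unknown"),
            "user_prompt": USER_PROMPT.get(vals.get("ConsentPromptBehaviorUser"), "unknown"),
            # The prompt settings only take effect while EnableLUA is 1.
            "notes": [] if enabled else ["UAC fully disabled (EnableLUA=0); prompt settings are inactive"]}


def triage_dns(line):
    """DNS Servers entry: a private address is the local gateway/resolver."""
    m = re.match(r"DNS Servers: (.+)$", line)
    if not m:
        return None
    servers = [{"address": s, "private": ipaddress.ip_address(s).is_private}
               for s in re.split(r"[,\s]+", m.group(1).strip())]
    notes = [] if all(s["private"] for s in servers) else ["public resolver configured: confirm you chose it"]
    return {"kind": "dns", "servers": servers, "notes": notes}


HANDLERS = (triage_file, triage_shortcut, triage_task, decode_uac, triage_dns)


def triage(log_text):
    """Run the handlers over each non-empty line; the first matching handler wins."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        for handler in HANDLERS:
            result = handler(line)
            if result is not None:
                findings.append(result)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f.get("path") or f.get("target") or f.get("name") or "", f["notes"])
```

Running it prints one line per entry with the notes; the script flags the batch file purely on location (the same reason FRST listed it), reports EnableLUA=0 as UAC fully off regardless of the prompt values, and treats 192.168.2.1 as a private resolver. Everything it flags still needs a human look at the file or setting itself; the notes are hints, not verdicts.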
- 
				Hi, just got ready with the last modifications of my post, when I saw you already replied!
 
 Thank you so far, at first I'm going to organize all this information and make a plan for me what to do next.
 
 If there are questions or I will proceed with the PE Viewer results I will write again.
 
 Thanks & Greetings
- 
				Hi Lobas,
 
 You are welcome.
 Adlice PE Viewer is not used in malware removal process, don't bother with it.
 
 Regards.
- 
				*I'm going to get to the maximal length, because of this and for the better clarity I'm going to split the post*
 
 Hi,
 
 I'm going to extend this post, but at the moment my only issue is:
 
 Yesterday I made my first attempts with Fixlists for PCSRV.
 
 The successes were mixed.
 
I will attach my Fixlogs. Just the CMD fix you told me to do was functioning; this is also attached.
 
 I hope you can help me with writing functioning Fixlists.
 
 Quote
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
 HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
 
 Removing, because they are just there to set not needed Default Start Pages and so are PUM's, right?
 
 They are not PUM's. Microsoft.com and msn.com are legit sites.
 
Yes, I know these are legit sites, but browser redirections, default start pages and default search scopes are things that, in my opinion, could be removed because I don't need them.

So my plan is to remove them next time, once the problem of the Fixlists not yet functioning properly is itself fixed.
 
 Quote
 FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 
 These are also PUM's, which aren't needed, right?
 
 This addon updates all Google software, it's not a PUP.
 
Yes, I also know, but are Google Update plugins really required in Firefox?
 
 
 Quote
 - Created & Modified:[...]
 
 Just unhiding, I know, not necessary at least, but also nothing that can make damage, am I right so?
 
These are legit files. You can unhide them, but it's not recommended.

Why is it not recommended? It won't do any damage, and the security aspect in my opinion doesn't matter, because I'm not going to do any damage to system components, since I have sufficient knowledge not to do anything in that direction.
 
 Quote
 - Installed Programs:[...]
 
 As with them just unhiding, (not absolutely necessary, but also not doing any wrong when performing this)
 
 These are hidden by design.
 
 
 Yes, I know, but my opinion here is the same as with the hidden files & folders in the "Created & Modified" sections.
 
 
 Quote
 Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat ()
 
 Farbar tutorial says, in this section are only listed suspicious or hijacked Shortcuts, along with WMI Malware.[...]
 
FRST cannot know you wrote it yourself, so, since it is in the system32 directory, it considers it suspicious.

Yes I know, but is it right that the only reason FRST marks it as suspicious is that it is in the System32 folder?
In this case, I won't do anything, or is it useful to just replace it with an absolutely certainly clean copy?
 
 
 Quote
 - Internet Explorer Restricted Sites:[...]
 
 The restricted sites in IE, are they restricted for a special reason, or would it be ok to remove this attribute?
 
These sites are malicious, so they are indeed restricted for a special reason.

So I will leave them alone, if these 7936 sites are really malicious.
 
 
 Quote
 DNS Servers: 192.168.2.1
 
 Does not look like a hijacked DNS Server to me, or?     (Won't do anything)
 
 It's your Internet gateway.
 
Yes, but for example, I checked it with whois.domaintools.com and found no hints of a hijacking of this DNS server.
 I also did the same with:
 
 Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1 
 
 There is one "Application Error (Source Application Error)", in this case there is nothing someone could do, right?
 
 Also there are 9 "Application Error (SideBySide)". Would it make sense to remove one of the components which are standing in conflict to eachother?
 
 No, these errors are caused by an issue in the manifest file on an application you use (C:\DOC2\PROG\WPROG). Please contact the publisher for a fix.
 
Yes, with the
"Application Error (Source Application Error)", this one:
Error: (10/26/2017 09:38:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ROUTINE.EXE, version: 17.3712.38814.9, time stamp: 0x5952d945
Faulting module name: ntdll.dll, version: 6.1.7601.23915, time stamp: 0x59b94a16
Exception code: 0xc0000005
Fault offset: 0x0002e927
Faulting process id: 0x2070
Faulting application start time: 0x01d34e2d0bf6ee75
Faulting application path: C:\DOC2\PROG\WPROG\ROUTINE.EXE
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: b3726f8b-ba20-11e7-ad7f-b083fe825cc6

There is nothing I can do about it, but
 
 
 
 EDIT: I hope you can help me with my problem.
 
 Regards Lobas
 
 *I'm going to get to the maximal length, because of this and for the better clarity I'm going to split the post*
- 
				*I'm going to get to the maximal length, because of this and for the better clarity I'm going to split the post*
 
 
with them: There are 9, not only the example I put in yesterday.
 
 "Application Error (Source SideBySide)" 
Error: (10/26/2017 05:24:28 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\doc2\prog\wprog\DOC.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 01:18:22 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\doc2\prog\wprog\DOC.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 07:54:46 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\doc2\prog\wprog\DOC.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 04:54:24 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\doc2\prog\wprog\DOC.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:34 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "c:\doc2\prog\wprog\ZUSATZ.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:34 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "c:\doc2\prog\wprog\ZIFRIS.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:32 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "c:\doc2\prog\wprog\VORGABE.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:29 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "c:\doc2\prog\wprog\STKMAIN.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:29 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "c:\doc2\prog\wprog\STAMMEN.EXE". Error in
manifest or policy file "" on line .
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
 
Wouldn't it make sense here to remove one of the conflicting components?
I wasn't really sure if your answer was for the "Application Error (Source Application Error)" or for the 9 "Application Errors (Source SideBySide)".
Should I remove one component from each, or did you mean that with this error I should rather contact the support of the company that the files
 
 C:\doc2\prog\wprog\DOC.EXE
 C:\DOC2\PROG\WPROG\ROUTINE.EXE
 c:\doc2\prog\wprog\ZUSATZ.EXE
 c:\doc2\prog\wprog\ZIFRIS.EXE
 c:\doc2\prog\wprog\VORGABE.EXE
 c:\doc2\prog\wprog\STKMAIN.EXE
 c:\doc2\prog\wprog\STAMMEN.EXE
 
 belong to a program they operate?
 
 
 
 EDIT: I hope you can help me with my problem.
 
 Regards Lobas
 
 *Post is still in work, will remove this line when I have last modified this post.*
- 
				Hi Lobas,
 
Yesterday I made my first attempts with Fixlists for PCSRV. Your Fixlists are not written correctly. There is a chance you will break your system if you don't know what you are doing.

Just the CMD Fix you told me to do were functioning, this is also attached. The service was successfully deleted.
 
 I hope you can help me with writing functioning Fixlists. I do not write Fixlists when there is nothing to fix.
 
Default Start Pages and Default Search Scopes are things, my opinion is, they could be removed because I don't need them. Start Page and Search Scope must contain a value. You can change their values but not delete them.

Yes, I also know, but are Google update Plugins really required in Firefox? No, they are not required, but they will automatically be reinstalled when you install/update Google software.
 
 Why it is not recommended? [...]I'm not going to make any damage to System components If that's the case, go ahead.
 
 Yes, I know, but my opinion here is the same as with the hidden files & folders in the "Created & Modified" sections. See my answer just above.
 
 Yes I know, but it is right that the only reason FRST marks it as suspicious, because of it being in the System32 folder? Yes.
Should I here remove at each one component, or did you mean with this error I should better contact the support of the company the files You should contact the company for both error types.
 
 belong to a program they operate? Yes, C:\doc2\prog\wprog.
 
 Regards.
- 
				Quote
 - CodeIntegrity[...]
 
 It's a warning about some drivers not being signed, nothing suspicious.
 
So I shall ignore these not digitally signed drivers?

So, at the moment I will switch to the other PCs and look at PCSRV again another time:

On the other PCs there seem to be more, and partly also more urgent, things to do.
So, at first, I'm going to concentrate on them.
 
 
 ~  PC01:
 
- Registry:
 
 ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
 Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~$FO °LOST & FOUND°.rtf [2017-05-29] ()
 BootExecute: autocheck autochk * Partizan
 
 
 The first belongs to a group of files that are often infected by various malware.
 
The one in the middle, I don't know if it is suspicious; maybe it's just such a copy as is generated in e.g. Local\AppData\Temp, I don't know.

The last one belongs to the group of "Greatis Software/Partizan/UnHackMe" objects, which should clearly be removed.
 
 
 - Hosts File:
 
 The hosts file contains some malicious entries. But later we will see more about this topic.
 
 Hosts: Es ist mehr als ein Eintrag in der Hosts Datei zu finden. Siehe Hosts-Bereich in Addition.txt 
 
Are both of them OK in this case?

Why are there two objects on that list in this case?

And why are they named "DHCPNameServer" here instead of just "NameServer" as at PCSRV?

And why did I get, a long time ago, a RogueKiller detection also named "DhcpNameServer"?
 
 Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
 Tcpip\..\Interfaces\{68856CE8-6189-4083-B4AB-7252F866F3FC}: [DhcpNameServer] 192.168.2.1
 
 
 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
 SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
 FF Extension: (Avira SafeSearch Plus) - C:\Users\Stumpf\AppData\Roaming\Mozilla\Firefox\Profiles\xj2ez0p8.default\Extensions\safesearch@avira.com.xpi [2017-09-18]
 FF Plugin: @microsoft.com/GENUINE -> disabled [Keine Datei]
 FF Plugin-x32: @microsoft.com/GENUINE -> disabled [Keine Datei]
 CHR Extension: (Avira Browserschutz) - C:\Users\Stumpf\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2017-06-19]
 S3 Browser; C:\Windows\System32\browser.dll [136704 2012-07-05] (Microsoft Corporation) [Datei ist nicht signiert]
 R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [Datei ist nicht signiert]
 R2 Schedule; C:\Windows\system32\schedsvc.dll [1110016 2015-08-05] (Microsoft Corporation) [Datei ist nicht signiert]
 S4 AVKService; "C:\Program Files (x86)\G DATA\AntiVirus\AVK\AVKService.exe" [X]
 S0 nmfmfx; kein ImagePath
 S0 ovanvq; kein ImagePath
 U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2017-01-12] (Greatis Software)
 U0 aswVmm; kein ImagePath
 2017-01-16 19:26 - 2017-01-16 19:26 - 056816244 _____ () C:\Program Files (x86)\UnHackMe.rar
 Dateien, die verschoben oder gelöscht werden sollten:
 ====================
 C:\Users\Temp CON\install_flashplayer11x32_mssd_aih(1).exe
 Amazon 1Button App (HKLM-x32\...\{4D875057-4353-4B8F-93E5-8C3DC7F34EA9}) (Version: 1.0.8 - Amazon) Hidden <==== ACHTUNG
 ContextMenuHandlers1: [BitZipper32] -> {D5906221-A717-479B-9B49-CD848F9CE816} =>  -> Keine Datei
 ContextMenuHandlers1: [BitZipper64] -> {9176020F-4A61-4F57-A133-258110EBC765} =>  -> Keine Datei
 ContextMenuHandlers6: [BitZipper32] -> {D5906221-A717-479B-9B49-CD848F9CE816} =>  -> Keine Datei
 ContextMenuHandlers6: [BitZipper64] -> {9176020F-4A61-4F57-A133-258110EBC765} =>  -> Keine Datei
 Task: {AC5CFE36-BD49-4ECB-80FE-CC15B327D116} - \{D0BFC29C-0F57-453A-881A-7D38448ED39A} -> Keine Datei <==== ACHTUNG
 Shortcut: C:\Users\Stumpf\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Eigene Websites auf MSN\target.lnk -> hxxp://de.msnusers.co
 
In short:
- There are objects with no target, no matter what kind of objects they are.
- There are leftovers of Avira, which was uninstalled a long time ago. Avira toolbars etc. are just annoying.
- There are missing digital signatures.
- There are Greatis Software/Partizan/UnHackMe objects; it was uninstalled a long time ago, and its leftovers should follow it.
- There are objects Farbar itself warns about.
- There are objects Farbar instructs to delete.
- There is one shortcut Farbar marks as suspicious.
 
*Post is still in progress, will remove this line when I have last modified this post.*
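On the two Tcpip lines quoted in the post above: Windows stores DNS resolver settings under the Tcpip\Parameters key and in per-interface subkeys; NameServer holds statically configured servers, DhcpNameServer holds the servers handed out by DHCP. FRST prints both because rewriting these values (or the hosts file) is a common way malware redirects name resolution, so an analyst wants to compare them against the resolver the network is supposed to use. The Python triage script below is an added example, not code from this thread, from Adlice or from FRST: it parses FRST-style Tcpip lines and a hosts file, flags any resolver outside an expected set, treats a static NameServer value on a DHCP client as worth a look, and flags hosts entries beyond the loopback defaults. It assumes 192.168.2.1 (the address in the post) is the legitimate router; apart from the two DhcpNameServer lines copied from the post, every sample line, interface GUID and host name is constructed.

```python
"""Triage helper for the Tcpip DNS and hosts-file entries FRST reports.

Added example; not part of the Adlice thread, FRST or RogueKiller.
"""
import ipaddress
import re

# Constructed FRST-style input. The first two lines are copied from the post;
# the third line (static NameServer, placeholder GUID, outside resolvers) is
# constructed to show what a manually set resolver looks like.
SAMPLE_FRST = r"""
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{68856CE8-6189-4083-B4AB-7252F866F3FC}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000001}: [NameServer] 203.0.113.5 8.8.8.8
"""

# Constructed hosts file: the Windows default comment lines plus two injected
# mappings that point an update host and a web site at one foreign address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
203.0.113.9 update.antivirus.example
203.0.113.9 www.example.com
"""

# Assumption: the DHCP router in the post is the only legitimate resolver.
EXPECTED_RESOLVERS = {"192.168.2.1"}

# Entries a stock Windows hosts file may legitimately carry uncommented.
HOSTS_LOCAL = {("127.0.0.1", "localhost"), ("::1", "localhost")}

DNS_LINE = re.compile(
    r"^Tcpip\\(?P<scope>.+?): \[(?P<name>DhcpNameServer|NameServer)\] (?P<servers>.+)$"
)


def parse_frst_dns(text):
    """Return one dict per Tcpip resolver line: scope, value name, server list."""
    entries = []
    for line in text.splitlines():
        m = DNS_LINE.match(line.strip())
        if m:
            entries.append(
                {"scope": m["scope"], "value": m["name"], "servers": m["servers"].split()}
            )
    return entries


def flag_dns(entries, expected=EXPECTED_RESOLVERS):
    """Return (scope, value, server) for every resolver worth a second look.

    A server is flagged when it is not in the expected set, or when it comes
    from a static NameServer value, which on a DHCP-configured client is
    unusual even if the address itself is the right one.
    """
    findings = []
    for e in entries:
        for server in e["servers"]:
            if server not in expected or e["value"] == "NameServer":
                findings.append((e["scope"], e["value"], server))
    return findings


def parse_hosts(text):
    """Return (ip, hostname) pairs from a hosts file, ignoring comments."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/leading comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in parts[1:]:
            mappings.append((parts[0], host.lower()))
    return mappings


def flag_hosts(mappings):
    """Return every mapping that is not one of the loopback defaults."""
    return [m for m in mappings if m not in HOSTS_LOCAL]


if __name__ == "__main__":
    for finding in flag_dns(parse_frst_dns(SAMPLE_FRST)):
        print("DNS :", finding)
    for finding in flag_hosts(parse_hosts(SAMPLE_HOSTS)):
        print("HOST:", finding)
```

Run against a real Addition.txt/FRST.txt pair, the Tcpip section and the hosts section are the only input needed; anything the script prints is a lead to check against the network's known router and the software actually installed, not a verdict on its own.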