
Browser hijacked/infected by http://istart.webssearches.com


3 replies to this topic

#1 Ashleshy

Ashleshy

  • Members
  • 11 posts

Posted 12 October 2014 - 02:36 PM

All my browsers are hijacked by this link: http://istart.webssearches.com/?type=hppp&ts=1413114616&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553

 

I was able to remove it manually from IE and Firefox but was unable to do so in Chrome. I installed MBAM on my system and did a scan and it showed lots of infected items, but I didn't remove those yet; I just wanted to run it through you guys first. Please help me get rid of webssearches.com.

 

 

DDS LOG

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16428
Run by pc at 0:28:38 on 2014-10-13
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.1911.351 [GMT 5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\ProgramData\IePluginServices\PluginService.exe
C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\BtwRSupportService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\SupTab\HpUI.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\SupTab\Loader64.exe
C:\Program Files (x86)\SupTab\Loader32.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\pc\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\pc\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\pc\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\pc\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Users\pc\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\pc\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\pc\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uDefault_Page_URL = hxxp://istart.webssearches.com/?type=hp&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553
mStart Page = hxxp://istart.webssearches.com/?type=hp&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553
mSearch Page = hxxp://istart.webssearches.com/web/?type=ds&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553&q={searchTerms}
mDefault_Page_URL = hxxp://istart.webssearches.com/?type=hp&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553
mDefault_Search_URL = hxxp://istart.webssearches.com/web/?type=ds&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553&q={searchTerms}
mURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files (x86)\Hotspot_Shield\prxtbHots.dll
mWinlogon: Userinit = userinit.exe
BHO: Update: {11111111-1111-1111-1111-110311041113} - C:\Program Files (x86)\Update\Update.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: IETabPage Class: {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} - C:\Program Files (x86)\SupTab\SupTab.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files (x86)\Hotspot_Shield\prxtbHots.dll
TB: Hotspot Shield Toolbar: {C95A4E8E-816D-4655-8C79-D736DA1ADB6D} - C:\Program Files (x86)\Hotspot_Shield\prxtbHots.dll
TB: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files (x86)\Hotspot_Shield\prxtbHots.dll
uRun: [Facebook Update] "C:\Users\pc\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Badoo Desktop] C:\ProgramData\Badoo\Badoo Desktop\1.6.55.1183\Badoo.Desktop.exe
uRun: [Google Update] "C:\Users\pc\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - 
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{5B3F5DFD-5562-4D8B-8455-3A8D7ABFFBB0} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{5B3F5DFD-5562-4D8B-8455-3A8D7ABFFBB0}\4505D2C494E4B4F5644444447383 : DHCPNameServer = 192.168.1.1 192.168.0.1
TCP: Interfaces\{757F74AE-DE1B-4520-9AB0-B010910A308C} : DHCPNameServer = 8.8.8.8
TCP: Interfaces\{85016433-02F3-4A82-8698-9F17316DA752} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{A6DC78E3-50B0-4F96-AC22-E9BA60773076} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{BABED5D8-4A94-41AC-8F02-8A235DC29F32} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{F223387D-C3F9-42B0-8544-2EACB7B36783} : DHCPNameServer = 8.8.8.8
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-mStart Page = hxxp://istart.webssearches.com/?type=hp&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553
x64-mSearch Page = hxxp://istart.webssearches.com/web/?type=ds&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553&q={searchTerms}
x64-mDefault_Page_URL = hxxp://istart.webssearches.com/?type=hp&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553
x64-mDefault_Search_URL = hxxp://istart.webssearches.com/web/?type=ds&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553&q={searchTerms}
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - 
x64-Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\h7odqzme.default\
FF - prefs.js: browser.search.selectedEngine - webssearches
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com.pk/
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Users\pc\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\pc\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Users\pc\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\System32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 {af16652c-3cdd-4795-b89b-2d9cf16806d6}Gw64;{af16652c-3cdd-4795-b89b-2d9cf16806d6}Gw64;C:\Windows\System32\drivers\{af16652c-3cdd-4795-b89b-2d9cf16806d6}Gw64.sys [2014-8-30 61120]
R1 {af16652c-3cdd-4795-b89b-2d9cf16806d6}w64;{af16652c-3cdd-4795-b89b-2d9cf16806d6}w64;C:\Windows\System32\drivers\{af16652c-3cdd-4795-b89b-2d9cf16806d6}w64.sys [2014-8-31 61120]
R1 {d35974b9-334e-4c0c-9114-a44f8f83cbd3}Gw64;{d35974b9-334e-4c0c-9114-a44f8f83cbd3}Gw64;C:\Windows\System32\drivers\{d35974b9-334e-4c0c-9114-a44f8f83cbd3}Gw64.sys [2014-8-30 61120]
R1 {d35974b9-334e-4c0c-9114-a44f8f83cbd3}w64;{d35974b9-334e-4c0c-9114-a44f8f83cbd3}w64;C:\Windows\System32\drivers\{d35974b9-334e-4c0c-9114-a44f8f83cbd3}w64.sys [2014-8-31 61120]
R1 HssDRV6;Hotspot Shield Routing Driver 6;C:\Windows\System32\drivers\hssdrv6.sys [2014-5-26 44744]
R2 BcmBtRSupport;Bluetooth Driver Management Service;C:\Windows\System32\BtwRSupportService.exe [2013-8-9 2252504]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-21 134944]
R3 bcbtums;Bluetooth USB LD Filter;C:\Windows\System32\drivers\bcbtums.sys [2013-8-9 170712]
R3 btwampfl;btwampfl;C:\Windows\System32\drivers\btwampfl.sys [2013-8-9 166104]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2012-9-10 35104]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-18 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2012-8-7 158976]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-8-7 271872]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-10-12 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-10-13 122584]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-10-12 63704]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-3-18 7680512]
R3 taphss6;Anchorfree HSS VPN Adapter;C:\Windows\System32\drivers\taphss6.sys [2014-3-19 42184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-2 33736]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\drivers\htcnprot.sys [2012-12-7 36928]
S3 nmwcdnsucx64;Nokia USB Flashing Generic;C:\Windows\System32\drivers\nmwcdnsucx64.sys [2011-8-17 12800]
S3 nmwcdnsux64;Nokia USB Flashing Phone Parent;C:\Windows\System32\drivers\nmwcdnsux64.sys [2011-8-17 171008]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-10-25 19456]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\System32\drivers\ssadbus.sys [2011-5-13 157672]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\System32\drivers\ssadmdfl.sys [2011-5-13 16872]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\System32\drivers\ssadmdm.sys [2011-5-13 177640]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2012-10-25 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-25 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-10-25 30208]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2014-7-28 54784]
.
=============== Created Last 30 ================
.
2014-10-12 19:01:07 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-10-12 18:59:20 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-10-12 18:59:20 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-10-12 18:59:20 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-10-12 18:59:19 -------- d-----w- C:\ProgramData\Malwarebytes
2014-10-12 18:59:19 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-12 18:18:51 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9C479E6E-7A6A-4F16-A7B6-E0F360FCDC4E}\offreg.dll
2014-10-12 11:51:03 -------- d-----w- C:\Users\pc\AppData\Roaming\SupTab
2014-10-12 11:50:58 -------- d-----w- C:\ProgramData\IePluginServices
2014-10-12 11:50:55 -------- d-----w- C:\Program Files (x86)\SupTab
2014-10-12 11:50:24 -------- d-----w- C:\ProgramData\WindowsMangerProtect
2014-10-12 11:49:47 -------- d-----w- C:\Users\pc\AppData\Roaming\webssearches
2014-10-11 19:38:54 11578928 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9C479E6E-7A6A-4F16-A7B6-E0F360FCDC4E}\mpengine.dll
2014-10-10 18:30:26 11578928 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-10-08 21:23:56 -------- d-----w- C:\ProgramData\Melesta
2014-10-08 20:51:16 -------- d-----w- C:\Program Files (x86)\OXXOGames
2014-10-03 17:43:17 1188440 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{18478F6A-01C4-42F4-BCBE-48161D703333}\gapaengine.dll
2014-09-26 17:14:32 -------- d-----w- C:\Program Files\iPod
2014-09-26 17:14:31 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-09-26 17:14:31 -------- d-----w- C:\Program Files\iTunes
2014-09-26 17:14:31 -------- d-----w- C:\Program Files (x86)\iTunes
2014-09-26 09:26:48 3675824 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2014-09-19 21:11:45 -------- d-----r- C:\Program Files (x86)\Skype
.
==================== Find3M  ====================
.
2014-09-26 09:28:04 701104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-09-26 09:28:03 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-22 06:42:39 278152 ------w- C:\Windows\System32\MpSigStub.exe
2014-08-31 01:04:44 61120 ----a-w- C:\Windows\System32\drivers\{af16652c-3cdd-4795-b89b-2d9cf16806d6}w64.sys
2014-08-29 14:49:40 61120 ----a-w- C:\Windows\System32\drivers\{af16652c-3cdd-4795-b89b-2d9cf16806d6}Gw64.sys
2014-08-12 23:00:10 4575232 ----a-w- C:\Windows\SysWow64\GPhotos.scr
2014-07-28 09:52:00 6112072 ----a-w- C:\Windows\System32\usbaaplrc.dll
2014-07-28 09:52:00 54784 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
.
============= FINISH:  0:32:18.55 ===============
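An added triage script (not part of this thread or of the DDS tool) for the two things a responder checks first in a log like the one above: which start/search settings point away from the expected host, and, decoding the ts= value in the hijack URL as a Unix timestamp, which "Created Last 30" entries appeared within minutes of it. The sample log is constructed from a few lines of the post above. It assumes ts= is seconds since the Unix epoch and that DDS prints file times in UTC; DDS documents neither, but under those assumptions the decoded time, 11:48:54 UTC on 2014-10-12, lands a minute before the webssearches and SupTab folders were created.

```python
"""Added triage helpers for a DDS log of the shape posted above.
1. List browser start/search settings that point away from expected hosts.
2. Decode ts= in the hijack URL as a Unix timestamp and list the 'Created
   Last 30' entries within a few minutes of it (what landed with the hijack).
Assumptions DDS does not document: ts= is Unix epoch seconds; times are UTC.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample in DDS's format, trimmed from the log in the first post.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://istart.webssearches.com/?type=hp&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553
mSearch Page = hxxp://istart.webssearches.com/web/?type=ds&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553&q={searchTerms}
x64-mStart Page = hxxp://istart.webssearches.com/?type=hp&ts=1413114534&from=adks&uid=WDCXWD3200BPVT-75JJ5T0_WD-WXJ1A81H6553H6553
=============== Created Last 30 ================
2014-10-12 19:01:07 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-10-12 11:51:03 -------- d-----w- C:\Users\pc\AppData\Roaming\SupTab
2014-10-12 11:50:55 -------- d-----w- C:\Program Files (x86)\SupTab
2014-10-12 11:50:24 -------- d-----w- C:\ProgramData\WindowsMangerProtect
2014-10-12 11:49:47 -------- d-----w- C:\Users\pc\AppData\Roaming\webssearches
============= FINISH:  0:32:18.55 ===============
"""
SETTING_RE = re.compile(r"^(?P<key>(?:x64-)?[um](?:Start Page|Search Page|"
                        r"Default_Page_URL|Default_Search_URL)) = (?P<url>\S+)$")
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \S+ (?P<path>.+)$")


def parse_url(defanged):
    """DDS writes hxxp:// so nobody clicks the link; restore the scheme to parse it."""
    return urlparse(defanged.replace("hxxp", "http", 1))


def hijacked_settings(log, expected_hosts):
    """(setting, host) for each start/search setting whose host is not expected."""
    hits = []
    for line in log.splitlines():
        m = SETTING_RE.match(line)
        if m:
            host = parse_url(m["url"]).hostname or ""
            if host not in expected_hosts:
                hits.append((m["key"], host))
    return hits


def hijack_time(log):
    """UTC datetime decoded from the first start/search setting carrying ts=."""
    for line in log.splitlines():
        m = SETTING_RE.match(line)
        if m:
            ts = parse_qs(parse_url(m["url"]).query).get("ts", [""])[0]
            if ts.isdigit():
                return datetime.fromtimestamp(int(ts), tz=timezone.utc)
    return None


def created_near(log, when, window=timedelta(minutes=10)):
    """Paths in 'Created Last 30' whose timestamp lies within +/- window of when."""
    hits, in_section = [], False
    for line in log.splitlines():
        if "Created Last 30" in line:
            in_section = True
        elif in_section and line.startswith("="):  # next section header ends it
            break
        elif in_section and (m := CREATED_RE.match(line)):
            t = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if abs(t - when) <= window:
                hits.append(m["path"])
    return hits


if __name__ == "__main__":
    when = hijack_time(SAMPLE_LOG)  # 2014-10-12 11:48:54+00:00
    print(hijacked_settings(SAMPLE_LOG, {"www.google.com"}), when)
    print(created_near(SAMPLE_LOG, when))
```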
 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 13 October 2014 - 08:16 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

 
 
 
 
HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.
 
 
  
Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 
  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please attach this file to your next reply.
 


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 Ashleshy

Ashleshy
  • Topic Starter

  • Members
  • 11 posts

Posted 15 October 2014 - 10:36 AM

Hi Marius, thanks for your reply. Fortunately I was able to remove this malware manually. Sorry for not replying back to you on time. Things are working fine at the moment. Thanks again. You may close this topic now. I posted it twice by mistake.

#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 16 October 2014 - 11:50 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Proud Member of UNITE & TB



