Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

YourAdExchange problem


  • This topic is locked This topic is locked
17 replies to this topic

#1 M. de Jager

M. de Jager

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 10 January 2015 - 02:47 PM

Hi,

 

Getting random advertisments in new tabs.

 

Suggested to open here(?) a topic: http://www.bleepingcomputer.com/forums/t/562659/youradexchange/

 

Using Windows 8.1, so can't run DDS.

 

A random page that opens: hxxp://www.hotchatdate.com/uk/ac/2_cb30772-chat-sf1c_v3.php?lid=c-opt-sf1c_v3&kw=pop_acuksf1b&c1=12-&u=Miah&a=23&i=sf1b&cid=u503d4a7254946a93749d48238f

 

Runned a full scan of Malwarebytes' Anti-Malware:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scandatum: 11-1-2015
Scantijd: 15:22:33
Logbestand: 
Beheerder: Ja
 
Versie: 2.00.4.1028
Malwaredatabase: v2015.01.11.07
Rootkitdatabase: v2015.01.07.01
Licentie: Premium
Malwarebescherming: Ingeschakeld
Kwaadaardige Website Bescherming: Ingeschakeld
Zelfbescherming: Uitgeschakeld
 
Besturingssysteem: Windows 8.1
Processor: x64
Bestandssysteem: NTFS
Gebruiker: Mark
 
Scantype: Bedreigingsscan
Resultaat: Voltooid
Objecten Gescand: 567507
Verstreken Tijd: 53 m, 38 s
 
Geheugen: Ingeschakeld
Opstarten: Ingeschakeld
Bestandssysteem: Ingeschakeld
Archieven: Ingeschakeld
Rootkits: Uitgeschakeld
Heuristiek: Ingeschakeld
POP: Ingeschakeld
POA: Ingeschakeld
 
Processen: 0
(Geen kwaadaardige items gedetecteerd)
 
Modules: 0
(Geen kwaadaardige items gedetecteerd)
 
Registersleutels: 0
(Geen kwaadaardige items gedetecteerd)
 
Registerwaardes: 0
(Geen kwaadaardige items gedetecteerd)
 
Registerdata: 0
(Geen kwaadaardige items gedetecteerd)
 
Mappen: 0
(Geen kwaadaardige items gedetecteerd)
 
Bestanden: 0
(Geen kwaadaardige items gedetecteerd)
 
Fysieke Sectoren: 0
(Geen kwaadaardige items gedetecteerd)
 
 
(end)

Edited by M. de Jager, 11 January 2015 - 10:19 AM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 12 January 2015 - 08:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 12 January 2015 - 09:23 AM

Hello and thank you for the response!

 

AdwCleaner:

# AdwCleaner v4.107 - Report created 12/01/2015 at 14:58:58

# Updated 07/01/2015 by Xplode
# Database : 2015-01-11.2 [Live]
# Operating System : Windows 8.1 Pro  (64 bits)
# Username : Mark - TEAM-KORKEL
# Running from : C:\Users\Mark\Desktop\Clean tools\adwcleaner_4.107.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbameneiokkgbdmiekhjnmfkcnldhhm
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhlhnicpbhignbdhedgjhgdocnmhomnp
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnbnpbmkenffdnngjfgmeleoegfcffe
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\fndlhnanhedoklpdaacidomdnplcjcpj
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghipmampnddcpdlppkkamoankmkmcbmh
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\omioeahgfecgfpfldejlnideemfidnkc
Folder Deleted : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Lightshot]
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Mozilla Firefox v34.0.5 (x86 nl)
 
 
-\\ Google Chrome v39.0.2171.95
 
 
-\\ Opera v26.0.1656.60
 
 
*************************
 
AdwCleaner[R0].txt - [1281 octets] - [09/01/2015 19:48:51]
AdwCleaner[R1].txt - [2213 octets] - [12/01/2015 14:57:00]
AdwCleaner[S0].txt - [1287 octets] - [09/01/2015 19:50:22]
AdwCleaner[S1].txt - [2156 octets] - [12/01/2015 14:58:58]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2216 octets] ##########

Attached Files



#4 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 12 January 2015 - 09:28 AM

Sorry, posting it gives problems... Attaching it does also... WTF?!

 

How can I share the FRST?

 

I keep getting random advertisments... Forums are lagging.

 

Also had to re-install Google Chrome, so all addons are back(!)

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-01-2015
Ran by Mark (administrator) on TEAM-KORKEL on 12-01-2015 15:04:06
Running from C:\Users\Mark\Desktop\Clean tools
Loaded Profile: Mark (Available profiles: Mark & Classic .NET AppPool & .NET v4.5 & DefaultAppPool & .NET v2.0 & .NET v4.5 Classic & .NET v2.0 Classic)
Platform: Windows 8.1 Pro (X64) OS Language: Engels (Verenigde Staten)
Internet Explorer Version 11 (Default browser: Opera)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(SecureMix LLC) T:\GlassWire\GWCtlSrv.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(My Digital Life Forums) C:\Windows\KMSServerService\KMS Server Service.exe
(Malwarebytes Corporation) T:\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) T:\Malwarebytes Anti-Exploit\mbae64.exe
(Malwarebytes Corporation) T:\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) T:\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(TeamViewer GmbH) T:\TeamViewer\TeamViewer_Service.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe
(CyberGhost S.R.L) C:\Program Files\CyberGhost 5\Service.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17477_none_fa2b7d3b9b36c7b4\TiWorker.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(Malwarebytes Corporation) T:\Malwarebytes Anti-Malware\mbam.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\livecomm.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() T:\KMSnano\TriggerKMS.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(TeamViewer GmbH) T:\TeamViewer\TeamViewer.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(TeamViewer GmbH) T:\TeamViewer\tv_w32.exe
(TeamViewer GmbH) T:\TeamViewer\tv_x64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(SecureMix LLC) T:\GlassWire\GWIdlMon.exe
(Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe
(Malwarebytes Corporation) T:\Malwarebytes Anti-Exploit\mbae.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(EJIE Technology) T:\Clover\clover.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Edited by M. de Jager, 12 January 2015 - 09:42 AM.


#5 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 12 January 2015 - 09:43 AM

==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2531472 2014-12-13] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [emsisoft anti-malware] => c:\program files (x86)\emsisoft anti-malware\a2guard.exe [4997872 2014-12-31] (Emsisoft GmbH)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => T:\Malwarebytes Anti-Exploit\mbae.exe [2561848 2014-12-10] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoRecentDocsNetHood] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Run: [691AB248E2803C3186ECC7E6F794C48B0BEC7D59._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [856904 2014-12-06] (Google Inc.)
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Policies\Explorer: [NoPreviewPane] 0
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Policies\Explorer: [HideSCANetwork] 0
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\...\Policies\Explorer: [HideSCAVolume] 0
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => T:\Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => T:\Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => T:\Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> T:\Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> T:\Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: ExplorerWatcher Class -> {F8A6CAA2-533D-4AED-9E05-8EB19A4021AB} -> T:\Clover\TabHelper64.dll (EJIE Technology)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - T:\Office\Office15\MSOSB.DLL (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 195.121.1.34 195.121.1.66
Tcpip\..\Interfaces\{25F922A6-ABDF-409D-A566-90FB6957C85F}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{840D4356-511C-4A8D-AFC2-906A5997C64F}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{CF64F765-D0DF-4010-89EF-7446964A9B50}: [NameServer] 8.8.8.8,8.8.4.4
 
FireFox:
========
FF ProfilePath: C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\fsonni2k.default-1420972606502
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> T:\Office\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2378344316-2729968383-1859600024-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Mark\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF StartMenuInternet: FIREFOX.EXE - T:\Firefox\firefox.exe
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.nl/
CHR StartupUrls: Default -> "https://www.google.nl/"
CHR Profile: C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Presentaties) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-19]
CHR Extension: (Angry Birds) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2014-12-19]
CHR Extension: (Google Documenten) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-19]
CHR Extension: (Web Developer) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbameneiokkgbdmiekhjnmfkcnldhhm [2015-01-12]
CHR Extension: (Turn Off the Lights) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn [2015-01-12]
CHR Extension: (IM+) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfdplllgoohfmnpnbplklnkegbffnheo [2014-12-19]
CHR Extension: (Brushed) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfjgbcjfpbbfepcccpaffkjofcmglifg [2014-12-19]
CHR Extension: (ColorZilla) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhlhnicpbhignbdhedgjhgdocnmhomnp [2015-01-12]
CHR Extension: (WOT) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2015-01-12]
CHR Extension: (YouTube) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-19]
CHR Extension: (Google Zoeken) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-19]
CHR Extension: (Facebook Customizer (by Adblock Plus)) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\deoeenbkoccjaefmmhpmlegngdjohdcm [2014-12-22]
CHR Extension: (Google Spreadsheets) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-19]
CHR Extension: (Stylish) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnbnpbmkenffdnngjfgmeleoegfcffe [2015-01-12]
CHR Extension: (AdBlock Premium) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\fndlhnanhedoklpdaacidomdnplcjcpj [2015-01-12]
CHR Extension: (Pastebin.com) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghipmampnddcpdlppkkamoankmkmcbmh [2015-01-12]
CHR Extension: (Java Web Technology) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdngchafgbccmafgnhejlojlaiicldea [2014-12-19]
CHR Extension: (DotVPN - Free and Secure VPN) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpiecbcckbofpmkkkdibbllpinceiihk [2015-01-07]
CHR Extension: (Turn Off the Lights) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\labjanboighjienkhiabgpefblkbmemd [2014-12-19]
CHR Extension: (Facebook AdBlock) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfpacabphcagfehdgnigmfnbjdampbaa [2014-12-22]
CHR Extension: (Project Naptha) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\molncoemjfmpgdkbdlbjmhlcgniigdnf [2014-12-19]
CHR Extension: (Google Wallet) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-19]
CHR Extension: (Tor) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohielanlcdleofjibfmjbbkaajdcpoil [2014-12-19]
CHR Extension: (Google Publisher Toolbar) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\omioeahgfecgfpfldejlnideemfidnkc [2015-01-12]
CHR Extension: (Click&Clean App) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdabfienifkbhoihedcgeogidfmibmhp [2014-12-19]
CHR Extension: (OMG! Ubuntu!) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmoodaljflkhbojjaiibgnlindbhebme [2014-12-19]

==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [4920104 2014-12-31] (Emsisoft GmbH)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
R2 CGVPNCliService; C:\Program Files\CyberGhost 5\Service.exe [64616 2014-11-03] (CyberGhost S.R.L)
R2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [372736 2014-12-29] (Microsoft Corporation)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2014-12-13] (NVIDIA Corporation)
R2 GlassWire; T:\GlassWire\GWCtlSrv.exe [6296872 2014-12-26] (SecureMix LLC)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [16896 2014-12-29] (Microsoft Corporation)
R2 KMSServerService; C:\Windows\KMSServerService\KMS Server Service.exe [211968 2014-12-19] (My Digital Life Forums) [File not signed]
R2 MbaeSvc; T:\Malwarebytes Anti-Exploit\mbae-svc.exe [555320 2014-12-10] (Malwarebytes Corporation)
R2 MBAMScheduler; T:\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; T:\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 MySQL; C:\Program Files\MySQL\MySQL Server 5.1\my.ini [8915 2014-12-29] () [File not signed]
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1701520 2014-12-13] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19823248 2014-12-13] (NVIDIA Corporation)
R2 TeamViewer; T:\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
R2 Unchecky; C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe [111208 2014-12-22] (RaMMicHaeL)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-07-02] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [546304 2014-12-20] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-22] (Microsoft Corporation)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2014-12-29] (Microsoft Corporation)
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-05-12] (Emsisoft GmbH)
R1 A2DDA; C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH)
R1 a2injectiondriver; C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [45208 2013-09-30] (Emsisoft GmbH)
R1 a2util; C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [23088 2014-05-12] (Emsisoft GmbH)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3837440 2013-08-14] (Qualcomm Atheros Communications, Inc.)
R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [71952 2014-03-31] (ASUS Corporation)
R3 cleanhlp; C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH)
R1 ESProtectionDriver; T:\Malwarebytes Anti-Exploit\mbae64.sys [63064 2014-12-10] ()
R1 gwdrv; C:\Windows\system32\DRIVERS\gwdrv.sys [33296 2014-12-25] (SecureMix LLC)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-12] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2014-11-21] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-12-19] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2014-12-13] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
R2 plctrl; C:\Program Files\ASUS\P4G\plctrl.sys [14136 2014-02-11] (Windows ® Win 7 DDK provider)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-22] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


#6 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 12 January 2015 - 09:45 AM

It is to much to paste, 5274 lines... Sorry, but the only option:
https://drive.google.com/file/d/0Bz-W-kTJ3WxMc08zTjdGbDg4S0U/view?usp=sharing



#7 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 12 January 2015 - 01:15 PM

The last hour no advertisments, but I'm sure they are NOT gone.

 

Opening a website or searching Google directly from a new tab take longer.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 12 January 2015 - 02:37 PM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Extension: (Google Wallet) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-19]

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===


Reset Chrome...
Click on "Customize and control Google Chrome":
 
p22003758.gif
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

How is the computer running now?

#9 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 12 January 2015 - 02:55 PM

Hello,

 

I've lost all my addons... Do I need to re-install them manualy?

 

Here is the Fixlog.txt.
 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-01-2015
Ran by Mark at 2015-01-12 20:40:16 Run:1
Running from C:\Users\Mark\Desktop\Clean tools
Loaded Profile: Mark (Available profiles: Mark & Classic .NET AppPool & .NET v4.5 & DefaultAppPool & .NET v2.0 & .NET v4.5 Classic & .NET v2.0 Classic)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Extension: (Google Wallet) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-19]
 
End
*****************
 
Processes closed successfully.
"HKU\S-1-5-21-2378344316-2729968383-1859600024-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda directory not found.
 
 
The system needed a reboot. 
 
==== End of Fixlog 20:41:48 ====

--

It was hard to open Chrome, takes me 5 minutes and 50000 clicks.
Edit: I found my "add-ons" all where disabled, only miss my theme. Got my theme back, hurray!

Edited by M. de Jager, 12 January 2015 - 03:12 PM.


#10 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 13 January 2015 - 02:18 AM

Hi again,

 

I can inform you that I didn't get any new pop-ups since yesterday! So that is a good thing, not sure that we are clean now, but if it can I want look some more and maybe get some help to delete old stuff.

Thanks in advance!

 

Update:
I didn't get any new popups and that kind of stuff, what was it exactly and how did I get infected?

Edit:

The browser (Chrome) is slow again, when I search something or open a page from the favorites.

 

Regards,

Mark


Edited by M. de Jager, 13 January 2015 - 10:09 AM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 13 January 2015 - 10:33 AM

but if it can I want look some more and maybe get some help to delete old stuff.


What do you see in the logs that you want to delete?

I didn't get any new popups and that kind of stuff, what was it exactly and how did I get infected?

There is no way for me to find out how you got infected.
Watch what your open in your e-mal and keep in mind that free programs are some time adding Adware.
Run the AdwCleaner tool if you download free programs.

===

Reset Chrome...
Click on "Customize and control Google Chrome":
 
p22003758.gif
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

#12 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 13 January 2015 - 10:37 AM

 

 

What do you see in the logs that you want to delete?

I'm not sure what I can delete or what not.

 

 

There is no way for me to find out how you got infected.
Watch what your open in your e-mal and keep in mind that free programs are some time adding Adware.
Run the AdwCleaner tool if you download free programs.

Thanks for that advice!

 

 

Reset Chrome...

Works perfect, thank you!



#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 13 January 2015 - 10:50 AM

Looking at your logs I would not remove any programs.

You can look at your Chrome Extensions and delete/remove any that your do not use regularly.

===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

Edited by nasdaq, 13 January 2015 - 10:50 AM.


#14 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 13 January 2015 - 10:56 AM

Okay, I'm happy that everyting has been resolved.

Do you suggest to activate UAC?



#15 M. de Jager

M. de Jager
  • Topic Starter

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 13 January 2015 - 12:58 PM

Hey,

 

Since I don't have any other problems and questions you can tell me how to clean up, I think using Delfix?

After that you can lock this up.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users