Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

VAC issue with Steam that stemmed from browser hijacker


  • This topic is locked This topic is locked
6 replies to this topic

#1 traurigaugen

traurigaugen

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 18 January 2015 - 03:10 PM

I've tried to re-enable DEP and everything else but I'm pretty sure there's still something infected in here. Please let me know what you'd need to look at. I've ran Avast (because AVG didn't find anything) and it came up with a Win32:Adware-gen & 2 Android:Banker-Z entries. 

Successfully removed/quarantined. 

Re-followed all the steps per Valve's tutorial on this particular issue and still had the problem. So I'm here. Please tell me what scans I should run to help you determine if there's something in this machine still, I'd love to know. I have not had browser redirects, program redirects or any trouble adding or removing software lately. 

Your help appreciated :)

I've attached hijack this, combofix and Farbar logs

**I read how you said not to run combofix before being told to, I apologize I'm new to the site and had run it before even finding you guys :\**

Attached Files


Edited by traurigaugen, 18 January 2015 - 03:20 PM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:54 AM

Posted 19 January 2015 - 08:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1964850363-3977046481-880695702-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL No File
FF Plugin HKU\S-1-5-21-1964850363-3977046481-880695702-1000: @soe.sony.com/installer,version=1.0.3 -> C:\Users\trauri\AppData\LocalLow\Sony Online Entertainment\npsoe.dll No File
CHR Extension: (Bitly | Unleash the power of the link) - C:\Users\trauri\AppData\Local\Google\Chrome\User Data\Default\Extensions\iabeihobmhlgpkcgjiloemdbofjbdcic [2014-12-09]
CHR Extension: (Google Wallet) - C:\Users\trauri\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-05]
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GPUZ; \??\C:\Windows\TEMP\GPUZ.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
C:\Users\trauri\AppData\Local\Google\Chrome\User Data\Default\Extensions\iabeihobmhlgpkcgjiloemdbofjbdcic

Place the fix here...

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#3 traurigaugen

traurigaugen
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 19 January 2015 - 09:37 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-01-2015 01
Ran by trauri at 2015-01-19 21:36:19 Run:1
Running from D:\Users\trauri\Downloads
Loaded Profiles: trauri (Available profiles: trauri)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1964850363-3977046481-880695702-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL No File
FF Plugin HKU\S-1-5-21-1964850363-3977046481-880695702-1000: @soe.sony.com/installer,version=1.0.3 -> C:\Users\trauri\AppData\LocalLow\Sony Online Entertainment\npsoe.dll No File
CHR Extension: (Bitly | Unleash the power of the link) - C:\Users\trauri\AppData\Local\Google\Chrome\User Data\Default\Extensions\iabeihobmhlgpkcgjiloemdbofjbdcic [2014-12-09]
CHR Extension: (Google Wallet) - C:\Users\trauri\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-05]
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GPUZ; \??\C:\Windows\TEMP\GPUZ.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
C:\Users\trauri\AppData\Local\Google\Chrome\User Data\Default\Extensions\iabeihobmhlgpkcgjiloemdbofjbdcic
 
Place the fix here...
 
End
*****************
 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrivePro1 (ErrorConflict)" => Key deleted successfully.
HKCR\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrivePro2 (SyncInProgress)" => Key deleted successfully.
HKCR\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrivePro3 (InSync)" => Key deleted successfully.
HKCR\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => Key not found. 
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1964850363-3977046481-880695702-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0" => Key deleted successfully.
"HKU\S-1-5-21-1964850363-3977046481-880695702-1000\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3" => Key deleted successfully.
C:\Users\trauri\AppData\LocalLow\Sony Online Entertainment\npsoe.dll not found.
C:\Users\trauri\AppData\Local\Google\Chrome\User Data\Default\Extensions\iabeihobmhlgpkcgjiloemdbofjbdcic => Moved successfully.
C:\Users\trauri\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => Moved successfully.
cpuz136 => Service deleted successfully.
EagleX64 => Service deleted successfully.
GPUZ => Service deleted successfully.
MBAMSwissArmy => Service deleted successfully.
"C:\Users\trauri\AppData\Local\Google\Chrome\User Data\Default\Extensions\iabeihobmhlgpkcgjiloemdbofjbdcic" => File/Directory not found.
Place the fix here... => Error: No automatic fix found for this entry.
 
==== End of Fixlog 21:36:19 ====


#4 traurigaugen

traurigaugen
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 19 January 2015 - 09:41 PM

 Results of screen317's Security Check version 0.99.93  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:````````` 
 MVPS Hosts File  
 Spybot - Search & Destroy 
 Java 8 Update 25  
 Java version 32-bit out of Date! 
 Adobe Flash Player 16.0.0.235  
 Adobe Reader 10.1.3 Adobe Reader out of Date!  
 Mozilla Firefox 30.0 Firefox out of Date!  
 Google Chrome (39.0.2171.95) 
 Google Chrome (39.0.2171.99) 
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast avastui.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 


#5 traurigaugen

traurigaugen
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 19 January 2015 - 10:02 PM

Unfortunately this did not fix my problem with the steam service allowing me to play on secure servers. What exactly did this fix if you don't mind me asking? Also, thank you for the help!



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:54 AM

Posted 20 January 2015 - 08:27 AM

I removed the malware settings and all of the empty registry entries.

===

You have the latest version of Java 8 Update 25

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

Have you tried the fixes on this page.
http://www.vistax64.com/tutorials/120778-dep-enable-disable.html

As this is not malware and not my forte, I suggest you start a new topic in the Windows 7 forum.
http://www.bleepingcomputer.com/forums/f/167/windows-7/
===

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:54 AM

Posted 26 January 2015 - 09:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users