
Hijacked browsers - Adaware not able to clean


This topic is locked
2 replies to this topic

#1 felipemazza


  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:03 PM

Posted 31 January 2015 - 10:20 AM

Good afternoon.


I'm having a hard time trying to clean up my father's computer. The browsers keep getting hijacked and Adaware is not able to clean them up. Here are the logs. Hope you are able to help me with this situation.


Thanks in advance,

Felipe.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-01-2015
Ran by user (administrator) on USER-PC on 31-01-2015 13:16:46
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available profiles: user)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: Português (Brasil)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(A.E.T. Europe B.V.) C:\Windows\System32\aetcrss1.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [676608 2013-06-04] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [11930696 2013-03-29] (Realtek Semiconductor)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-27] (AVAST Software)
HKLM\...\Run: [CertificateRegistration] => C:\Windows\system32\aetcrss1.exe [151552 2011-04-21] (A.E.T. Europe B.V.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2197110466-1452795221-1036473379-1000\...\Run: [Google Update] => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-12-15] (Google Inc.)
HKU\S-1-5-21-2197110466-1452795221-1036473379-1000\...\Run: [SoftonicAssistant] => "C:\Users\user\AppData\Local\SoftonicAssistant\SoftonicAssistant.exe"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)
ShellIconOverlayIdentifiers: [BaiduAntivirusIconLock] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} => C:\Program Files\Baidu Security\Baidu Antivirus\BavShx.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.hao123.com/?tn=bav_pro_hp_01_hao123_br
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKU\S-1-5-21-2197110466-1452795221-1036473379-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.hao123.com/?tn=bav_pro_hp_01_hao123_br
SearchScopes: HKU\S-1-5-21-2197110466-1452795221-1036473379-1000 -> DefaultScope {A2F06E92-CA72-4576-B28C-EBDE25DFA98E} URL =
SearchScopes: HKU\S-1-5-21-2197110466-1452795221-1036473379-1000 -> {460C3D19-B3D4-4964-A550-77D263B0CCCB} URL = https://www.google.com/search?q={searchTerms}
BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Tcpip\Parameters: [DhcpNameServer] 192.168.25.1

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lzk365fl.default
FF SelectedSearchEngine: StartWeb
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2197110466-1452795221-1036473379-1000: @tools.google.com/Google Update;version=3 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2197110466-1452795221-1036473379-1000: @tools.google.com/Google Update;version=9 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\buscape.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\mercadolivre.xml
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-12-15]
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2015-01-06]
FF HKU\S-1-5-21-2197110466-1452795221-1036473379-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR HomePage: Default -> hxxp://start.iminent.com/?appId=40E5E15F-777E-46EE-A873-8A3F84FCF1D0
CHR StartupUrls: Default -> "hxxp://start.iminent.com/?appId=40E5E15F-777E-46EE-A873-8A3F84FCF1D0"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-15]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-15]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-15]
CHR Extension: (Pesquisa do Google) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-15]
CHR Extension: (Avast Online Security) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-12-16]
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-16]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-15]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-15]
StartMenuInternet: Google Chrome.CZUKLJCNISN4XRASZDMQBJVSFQ - C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [291840 2013-06-04] (Advanced Micro Devices, Inc.) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-15] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [3192344 2014-12-15] (Avast Software)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44544 2008-12-03] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2008-12-03] (Hewlett-Packard) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 amd_sata; C:\Windows\System32\DRIVERS\amd_sata.sys [70824 2012-10-11] (Advanced Micro Devices)
R0 amd_xata; C:\Windows\System32\DRIVERS\amd_xata.sys [34984 2012-10-11] (Advanced Micro Devices)
R2 AODDriver4.2; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [48256 2012-04-09] (Advanced Micro Devices)
R1 AsrAppCharger; C:\Windows\System32\DRIVERS\AsrAppCharger.sys [15656 2011-11-07] (Windows ® Win 7 DDK provider)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-12-15] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [70384 2014-12-15] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81768 2014-12-15] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-12-15] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [787800 2014-12-15] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423784 2014-12-15] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [91496 2014-12-15] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [206248 2014-12-15] ()
R3 GemCCID; C:\Windows\System32\Drivers\GemCCID.sys [89600 2009-08-10] (Gemalto)
R3 MBfilt; C:\Windows\System32\drivers\MBfilt32.sys [24664 2009-11-17] (Creative Technology Ltd.)
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [218192 2014-12-15] (Avast Software)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-31 13:16 - 2015-01-31 13:17 - 00013212 _____ () C:\Users\user\Downloads\FRST.txt
2015-01-31 13:16 - 2015-01-31 13:16 - 01122304 _____ (Farbar) C:\Users\user\Downloads\FRST.exe
2015-01-31 13:16 - 2015-01-31 13:16 - 00000000 ____D () C:\FRST
2015-01-31 13:14 - 2015-01-31 13:14 - 00000000 ____D () C:\Users\user\AppData\Roaming\Baidu
2015-01-31 13:08 - 2015-01-31 13:08 - 00000197 _____ () C:\Windows\system32\2015-01-31-15-08-23.098-AvastVBoxSVC.exe-3916.log
2015-01-31 13:05 - 2015-01-31 13:05 - 00000000 ____D () C:\Users\Todos os Usuários\Baidu
2015-01-31 13:05 - 2015-01-31 13:05 - 00000000 ____D () C:\ProgramData\Baidu
2015-01-31 13:01 - 2015-01-31 13:04 - 00000000 ____D () C:\AdwCleaner
2015-01-31 13:00 - 2015-01-31 13:00 - 02194432 _____ () C:\Users\user\Downloads\AdwCleaner(1).exe
2015-01-31 12:57 - 2015-01-31 12:57 - 00000197 _____ () C:\Windows\system32\2015-01-31-14-57-03.094-AvastVBoxSVC.exe-3252.log
2015-01-31 08:19 - 2015-01-31 08:20 - 00000197 _____ () C:\Windows\system32\2015-01-31-10-19-53.013-AvastVBoxSVC.exe-3108.log
2015-01-30 17:22 - 2015-01-30 17:23 - 00000197 _____ () C:\Windows\system32\2015-01-30-19-22-49.004-AvastVBoxSVC.exe-3448.log
2015-01-30 07:06 - 2015-01-30 07:06 - 00000197 _____ () C:\Windows\system32\2015-01-30-09-06-06.030-AvastVBoxSVC.exe-2828.log
2015-01-29 10:55 - 2015-01-29 10:55 - 00020425 _____ () C:\Users\user\Documents\Manifestação de Rogério Avila Coelho.pdf.p7s
2015-01-28 07:07 - 2015-01-28 07:07 - 00000197 _____ () C:\Windows\system32\2015-01-28-09-07-05.053-AvastVBoxSVC.exe-3008.log
2015-01-27 17:34 - 2015-01-27 17:34 - 00021822 _____ () C:\Users\user\Documents\Amanda Valeria Avancir Fujihara -  Emenda à Inicial.pdf.p7s
2015-01-27 11:08 - 2015-01-27 11:08 - 00031571 _____ () C:\Users\user\Documents\Marcelo Inocêncio Rodrigues Reis pedido de progressão de regime prisional.pdf.p7s
2015-01-27 07:51 - 2015-01-27 07:51 - 00000197 _____ () C:\Windows\system32\2015-01-27-09-51-02.049-AvastVBoxSVC.exe-3688.log
2015-01-26 11:27 - 2015-01-26 11:27 - 00497208 _____ () C:\Users\user\RGC1E31.P7S
2015-01-26 07:55 - 2015-01-26 07:55 - 00000197 _____ () C:\Windows\system32\2015-01-26-09-55-37.031-AvastVBoxSVC.exe-3344.log
2015-01-23 16:06 - 2015-01-23 16:14 - 00029076 _____ () C:\Users\user\Documents\PEDIDO DE ALVARÁ JUDICIAL DE ROGÉRIO AVILA COELHO AA 2.pdf.p7s
2015-01-23 14:22 - 2015-01-23 14:22 - 00028157 _____ () C:\Users\user\Documents\Pedido de Alvará de Rogério Avila Colelho a1.pdf.p7s
2015-01-23 14:07 - 2015-01-23 14:07 - 00030202 _____ () C:\Users\user\Documents\PEDIDO DE ALVARÁ JUDICIAL DE ROGÉRIO AVILA COELHO.pdf.p7s
2015-01-23 10:34 - 2015-01-23 10:34 - 00003329 _____ () C:\Users\user\Documents\Acórdão-1212373-4 maicon.htm
2015-01-23 10:34 - 2015-01-23 10:34 - 00000000 ____D () C:\Users\user\Documents\Acórdão-1212373-4 maicon_arquivos
2015-01-22 11:16 - 2015-01-22 11:16 - 00044146 _____ () C:\Users\user\Documents\Acão de Alimentos e Guarda ANABELLA GADONSKI DA SILVA GOMES.pdf.p7s
2015-01-22 09:09 - 2015-01-22 09:09 - 00019978 _____ () C:\Users\user\Documents\Amanda Valeria Avancir Fujihara -  Manifestação.pdf.p7s
2015-01-21 18:13 - 2015-01-21 18:13 - 00000197 _____ () C:\Windows\system32\2015-01-21-20-13-44.095-AvastVBoxSVC.exe-4348.log
2015-01-21 11:22 - 2015-01-21 11:22 - 00020253 _____ () C:\Users\user\Documents\Renúncia de Mandato de Ari Soares trindade.pdf.p7s
2015-01-21 08:00 - 2015-01-21 08:01 - 00000197 _____ () C:\Windows\system32\2015-01-21-10-00-45.064-AvastVBoxSVC.exe-3884.log
2015-01-20 16:44 - 2015-01-20 16:44 - 00040562 _____ () C:\Users\user\Documents\GREGÓRIO PECHEBOVIS MANIFESTAÇÃO a1.pdf.p7s
2015-01-20 15:44 - 2015-01-20 15:44 - 00021344 _____ () C:\Users\user\Documents\APELAÇÃO DE MARCELO INOCÊNCIO RODRIGUES DOS REIS A1.pdf.p7s
2015-01-20 14:59 - 2015-01-20 14:59 - 00000197 _____ () C:\Windows\system32\2015-01-20-16-59-12.095-AvastVBoxSVC.exe-2348.log
2015-01-20 07:03 - 2015-01-20 07:04 - 00000197 _____ () C:\Windows\system32\2015-01-20-09-03-48.012-AvastVBoxSVC.exe-3832.log
2015-01-19 16:43 - 2015-01-19 16:43 - 00022149 _____ () C:\Users\user\Documents\MANIFESTAÇÃO DE LILLIAN DE OLIVEIRA CAPUCHO.pdf.p7s
2015-01-19 16:07 - 2015-01-19 16:07 - 00000197 _____ () C:\Windows\system32\2015-01-19-18-07-29.012-AvastVBoxSVC.exe-3368.log
2015-01-19 15:05 - 2015-01-19 15:05 - 00000197 _____ () C:\Windows\system32\2015-01-19-17-05-12.092-AvastVBoxSVC.exe-432.log
2015-01-19 13:55 - 2015-01-19 13:55 - 00000197 _____ () C:\Windows\system32\2015-01-19-15-55-11.073-AvastVBoxSVC.exe-3908.log
2015-01-19 07:37 - 2015-01-19 07:37 - 00000197 _____ () C:\Windows\system32\2015-01-19-09-37-04.038-AvastVBoxSVC.exe-2284.log
2015-01-17 09:27 - 2015-01-17 09:27 - 00000197 _____ () C:\Windows\system32\2015-01-17-11-27-05.021-AvastVBoxSVC.exe-4052.log
2015-01-17 08:31 - 2015-01-17 08:31 - 00000197 _____ () C:\Windows\system32\2015-01-17-10-31-07.049-AvastVBoxSVC.exe-4288.log
2015-01-16 13:04 - 2015-01-16 13:04 - 00000197 _____ () C:\Windows\system32\2015-01-16-15-04-39.026-AvastVBoxSVC.exe-3668.log
2015-01-16 07:38 - 2015-01-16 07:39 - 00000197 _____ () C:\Windows\system32\2015-01-16-09-38-44.089-AvastVBoxSVC.exe-3664.log
2015-01-15 16:54 - 2015-01-15 16:54 - 00000197 _____ () C:\Windows\system32\2015-01-15-18-54-19.025-AvastVBoxSVC.exe-3192.log
2015-01-15 13:25 - 2015-01-15 13:25 - 00000197 _____ () C:\Windows\system32\2015-01-15-15-25-40.025-AvastVBoxSVC.exe-3784.log
2015-01-15 08:15 - 2015-01-15 08:16 - 00000197 _____ () C:\Windows\system32\2015-01-15-10-15-46.098-AvastVBoxSVC.exe-3164.log
2015-01-14 10:56 - 2015-01-14 10:56 - 00003584 _____ () C:\Users\user\Documents\Acórdão-1264076-3.htm
2015-01-14 10:56 - 2015-01-14 10:56 - 00000000 ____D () C:\Users\user\Documents\Acórdão-1264076-3_arquivos
2015-01-14 09:38 - 2015-01-27 13:14 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-01-14 08:11 - 2015-01-14 08:11 - 00000197 _____ () C:\Windows\system32\2015-01-14-10-11-01.050-AvastVBoxSVC.exe-3576.log
2015-01-13 08:20 - 2015-01-08 06:01 - 00330272 _____ (Baidu, Inc.) C:\Windows\system32\BdSandboxDll32.dll
2015-01-12 15:07 - 2015-01-12 15:07 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2015-01-11 12:12 - 2015-01-11 12:12 - 00000197 _____ () C:\Windows\system32\2015-01-11-14-12-14.097-AvastVBoxSVC.exe-4132.log
2015-01-09 11:06 - 2015-01-09 11:06 - 00036529 _____ () C:\Users\user\Documents\Ação de Guarda de Amanda Valeria Avancir Fujihara.pdf.p7s
2015-01-09 10:39 - 2015-01-09 10:39 - 00017394 _____ () C:\Users\user\Documents\Carlos Alexandre de Mello - testemunha de defesa.pdf.p7s
2015-01-09 08:13 - 2015-01-09 08:14 - 00000197 _____ () C:\Windows\system32\2015-01-09-10-13-52.009-AvastVBoxSVC.exe-3628.log
2015-01-08 11:04 - 2015-01-08 11:04 - 00029469 _____ () C:\Users\user\CARLOS1.P7S
2015-01-08 07:46 - 2015-01-08 07:46 - 00000197 _____ () C:\Windows\system32\2015-01-08-09-46-38.091-AvastVBoxSVC.exe-4188.log
2015-01-07 16:29 - 2015-01-07 16:30 - 00000197 _____ () C:\Windows\system32\2015-01-07-18-29-53.064-AvastVBoxSVC.exe-4396.log
2015-01-07 11:14 - 2015-01-07 11:14 - 00022329 _____ () C:\Users\user\Documents\Marise Correia da Silva confirmação de endereço.pdf.p7s
2015-01-07 10:31 - 2015-01-07 10:31 - 00504395 _____ () C:\Users\user\declaração de união estável de marise.jpeg
2015-01-07 09:13 - 2015-01-07 09:13 - 00023114 _____ () C:\Users\user\Documents\Douglas Fernandes de Oliveira Resposta à Acusação.pdf.p7s
2015-01-07 08:54 - 2015-01-07 08:54 - 00000197 _____ () C:\Windows\system32\2015-01-07-10-54-08.048-AvastVBoxSVC.exe-4228.log
2015-01-06 14:00 - 2015-01-06 14:00 - 00000000 ____D () C:\Users\user\AppData\Local\HP
2015-01-06 13:58 - 2015-01-06 14:00 - 00000000 ____D () C:\Users\user\AppData\Roaming\HP
2015-01-06 13:58 - 2015-01-06 13:58 - 00000000 ____D () C:\Users\Todos os Usuários\WEBREG
2015-01-06 13:58 - 2015-01-06 13:58 - 00000000 ____D () C:\ProgramData\WEBREG
2015-01-06 13:57 - 2015-01-13 14:50 - 00000000 ____D () C:\Users\user\AppData\Roaming\HpUpdate
2015-01-06 13:57 - 2015-01-06 13:57 - 00001327 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Central de Soluções HP.lnk
2015-01-06 13:57 - 2015-01-06 13:57 - 00001321 _____ () C:\Users\Public\Desktop\Central de Soluções HP.lnk
2015-01-06 13:57 - 2015-01-06 13:57 - 00000000 ____D () C:\Users\Todos os Usuários\HP Product Assistant
2015-01-06 13:57 - 2015-01-06 13:57 - 00000000 ____D () C:\ProgramData\HP Product Assistant
2015-01-06 13:56 - 2015-01-06 13:56 - 00001137 _____ () C:\Users\Public\Desktop\Loja de Suprimentos HP.lnk
2015-01-06 13:55 - 2015-01-06 13:55 - 00000000 ____D () C:\Program Files\Common Files\HP
2015-01-06 13:54 - 2015-01-06 13:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2015-01-06 13:54 - 2015-01-06 13:54 - 00000000 ____D () C:\Program Files\Common Files\Hewlett-Packard
2015-01-06 13:53 - 2015-01-06 13:57 - 00000000 ____D () C:\Program Files\HP
2015-01-06 13:53 - 2008-10-06 15:38 - 00121344 _____ (Hewlett-Packard Company) C:\Windows\system32\hpf3l083.dll
2015-01-06 13:52 - 2015-01-06 13:58 - 00175918 _____ () C:\Windows\hpoins37.dat
2015-01-06 13:52 - 2015-01-06 13:58 - 00000817 _____ () C:\Users\Todos os Usuários\hpzinstall.log
2015-01-06 13:52 - 2015-01-06 13:58 - 00000817 _____ () C:\ProgramData\hpzinstall.log
2015-01-06 13:52 - 2010-02-03 10:05 - 00000558 ____N () C:\Windows\hpomdl37.dat
2015-01-06 13:51 - 2015-01-06 13:58 - 00000000 ____D () C:\Users\Todos os Usuários\HP
2015-01-06 13:51 - 2015-01-06 13:58 - 00000000 ____D () C:\ProgramData\HP
2015-01-06 13:51 - 2008-10-30 06:37 - 00737280 _____ (Hewlett-Packard) C:\Windows\system32\hposwia_d02a.dll
2015-01-06 13:51 - 2008-10-30 06:37 - 00598016 _____ (Hewlett-Packard Co.) C:\Windows\system32\hpost_d02a.dll
2015-01-06 13:51 - 2008-10-30 06:37 - 00307200 _____ (Hewlett-Packard Co.) C:\Windows\system32\hposc_d02a.dll
2015-01-06 13:51 - 2008-10-30 06:35 - 00271704 _____ (Hewlett-Packard) C:\Windows\system32\hpzids01.dll
2015-01-06 13:47 - 2015-01-06 13:47 - 00000838 _____ () C:\Users\user\Desktop\Suporte.lnk
2015-01-06 13:46 - 2015-01-06 13:46 - 00003031 _____ () C:\Users\user\Desktop\Microsoft Word 2010.lnk
2015-01-06 13:46 - 2015-01-06 13:46 - 00000000 ____D () C:\Users\user\AppData\Roaming\TeamViewer
2015-01-06 07:38 - 2015-01-06 07:38 - 00000197 _____ () C:\Windows\system32\2015-01-06-09-38-54.090-AvastVBoxSVC.exe-3096.log
2015-01-05 07:25 - 2015-01-05 07:25 - 00000197 _____ () C:\Windows\system32\2015-01-05-09-25-04.094-AvastVBoxSVC.exe-3408.log
2015-01-02 12:37 - 2015-01-02 12:38 - 00000197 _____ () C:\Windows\system32\2015-01-02-14-37-43.096-AvastVBoxSVC.exe-2684.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-31 13:12 - 2009-07-14 02:34 - 00028128 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-31 13:12 - 2009-07-14 02:34 - 00028128 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-31 13:09 - 2014-12-15 14:29 - 00338291 _____ () C:\Windows\WindowsUpdate.log
2015-01-31 13:05 - 2010-11-20 19:48 - 00147438 _____ () C:\Windows\PFRO.log
2015-01-31 13:05 - 2009-07-14 02:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-31 13:05 - 2009-07-14 02:39 - 00028431 _____ () C:\Windows\setupact.log
2015-01-31 08:20 - 2014-12-16 09:51 - 00000902 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-30 10:54 - 2014-12-15 17:44 - 00001074 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2197110466-1452795221-1036473379-1000UA.job
2015-01-30 09:27 - 2014-12-15 18:08 - 00000000 ____D () C:\Users\user\Documents\BACKUP Meus Documentos MAZZA
2015-01-28 07:05 - 2014-12-15 17:46 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-01-27 07:59 - 2014-12-15 18:08 - 00002323 _____ () C:\Users\user\Desktop\Google Chrome.lnk
2015-01-26 14:17 - 2011-01-26 00:48 - 00702882 _____ () C:\Windows\system32\prfh0416.dat
2015-01-26 14:17 - 2011-01-26 00:48 - 00145668 _____ () C:\Windows\system32\prfc0416.dat
2015-01-26 14:17 - 2010-11-20 19:01 - 01626900 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-09 16:01 - 2014-12-15 18:10 - 00000000 ____D () C:\Users\user\Documents\Minhas digitalizações
2015-01-07 08:52 - 2009-07-14 02:33 - 00407872 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-06 13:59 - 2014-12-15 14:57 - 00109208 _____ () C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-06 13:58 - 2009-07-14 00:04 - 00000513 _____ () C:\Windows\win.ini
2015-01-06 13:55 - 2009-07-14 02:52 - 00000000 ____D () C:\Windows\twain_32

==================== Files in the root of some directories =======

2015-01-06 13:52 - 2015-01-06 13:58 - 0000817 _____ () C:\ProgramData\hpzinstall.log

Some content of TEMP:
====================
C:\Users\user\AppData\Local\Temp\BavPro_Setup_Mini_051.exe
C:\Users\user\AppData\Local\Temp\BootstrapperIminent.exe
C:\Users\user\AppData\Local\Temp\FP_AX_MSI_INSTALLER.exe
C:\Users\user\AppData\Local\Temp\ICReinstall_PdfCreatorSetup(1).exe
C:\Users\user\AppData\Local\Temp\ICReinstall_PdfCreatorSetup.exe
C:\Users\user\AppData\Local\Temp\Quarantine.exe
C:\Users\user\AppData\Local\Temp\SoftonicAssistant_v0-1-6.exe
C:\Users\user\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-26 10:08

==================== End Of Log ============================

#2 nasdaq


  • Malware Response Team
  • 38,242 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:03 PM

Posted 01 February 2015 - 10:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [BaiduAntivirusIconLock] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} => C:\Program Files\Baidu Security\Baidu Antivirus\BavShx.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2197110466-1452795221-1036473379-1000 -> {460C3D19-B3D4-4964-A550-77D263B0CCCB} URL = https://www.google.com/search?q={searchTerms}
FF SelectedSearchEngine: StartWeb
CHR HomePage: Default -> hxxp://start.iminent.com/?appId=40E5E15F-777E-46EE-A873-8A3F84FCF1D0
CHR StartupUrls: Default -> "hxxp://start.iminent.com/?appId=40E5E15F-777E-46EE-A873-8A3F84FCF1D0"
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-16]
Task: {0C35E961-11C3-4E1B-B954-9A7D93C01C8A} - System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633 => Cscript.exe "C:\ProgramData\Baidu Security\Duplicaterecord.js" <==== ATTENTION

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
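A defender-side way to pre-screen an FRST log for the kind of browser-hijack indicators the two posts above deal with, as an added example that is not part of this thread, of FRST, or of any tool nasdaq uses. The sample lines are copied from the log in post #1 and the fixlist in post #2; the allowlists of hosts and search engines and every rule in classify() are my assumptions about what a clean install looks like, not FRST's own logic:

```python
"""Pre-screen an FRST scan log for browser-hijack indicators.

Added example, not part of the thread or of FRST. The rules and allowlists
below are assumptions about what a clean Windows 7 install looks like.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the FRST log and fixlist in the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-27] (AVAST Software)
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2197110466-1452795221-1036473379-1000\...\Run: [SoftonicAssistant] => "C:\Users\user\AppData\Local\SoftonicAssistant\SoftonicAssistant.exe"
ShellIconOverlayIdentifiers: [BaiduAntivirusIconLock] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} => C:\Program Files\Baidu Security\Baidu Antivirus\BavShx.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.hao123.com/?tn=bav_pro_hp_01_hao123_br
FF SelectedSearchEngine: StartWeb
FF Homepage: about:home
CHR HomePage: Default -> hxxp://start.iminent.com/?appId=40E5E15F-777E-46EE-A873-8A3F84FCF1D0
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-15]
Task: {0C35E961-11C3-4E1B-B954-9A7D93C01C8A} - System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633 => Cscript.exe "C:\ProgramData\Baidu Security\Duplicaterecord.js" <==== ATTENTION
""".strip()

# Assumed allowlists: hosts and engines a stock browser install may point at.
KNOWN_GOOD_HOSTS = {"www.google.com", "google.com", "www.bing.com", "www.msn.com"}
KNOWN_SEARCH_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}

# FRST defangs links as hxxp://, so accept both spellings.
URL_RE = re.compile(r"h(?:tt|xx)ps?://\S+", re.IGNORECASE)
# Line fragments FRST uses for home/start page settings of IE, Chrome and Firefox.
PAGE_KEYS = ("Start Page =", "Default_Page_URL =", "CHR HomePage:", "CHR StartupUrls:", "FF Homepage:")


def host_of(url):
    """Hostname of a (possibly defanged) URL, lower-cased."""
    return urlparse(url.lower().replace("hxxp", "http", 1)).hostname or ""


def classify(line):
    """Return a reason string if the line is a hijack indicator, else None."""
    if "ATTENTION" in line:
        return "flagged by FRST itself (ATTENTION marker)"
    if line.endswith("No File"):
        return "orphaned registry entry pointing at a missing file"
    if re.search(r"\\Run: \[\] => \[X\]$", line):
        return "empty Run value (leftover of a removed autostart)"
    if "\\Run:" in line and "\\AppData\\" in line:
        return "autostart launched from the user profile rather than Program Files"
    if line.startswith("FF SelectedSearchEngine:"):
        engine = line.split(":", 1)[1].strip()
        if engine not in KNOWN_SEARCH_ENGINES:
            return f"Firefox default search engine replaced with '{engine}'"
    if any(key in line for key in PAGE_KEYS):
        for url in URL_RE.findall(line):
            if host_of(url) not in KNOWN_GOOD_HOSTS:
                return f"home/start page set to unexpected host {host_of(url)}"
    return None


def triage(log_text):
    """Run classify() over every line; return [(line_no, reason, line), ...]."""
    findings = []
    for number, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        reason = classify(line)
        if reason:
            findings.append((number, reason, line))
    return findings


if __name__ == "__main__":
    for number, reason, line in triage(SAMPLE_LOG):
        print(f"line {number}: {reason}\n    {line}")
```

Run as a script it prints each flagged line with its reason. On the sample it flags exactly the lines nasdaq put in the fixlist (the empty Run value, the SoftonicAssistant autostart under AppData, the orphaned Baidu shell extension, the Chrome policy and scheduled task FRST marked ATTENTION, the hao123 and iminent start pages, and the StartWeb search engine), while the Avast autostart, the Gmail extension and the about:home homepage pass. It is a pre-screen only; what actually goes into a fixlist is still decided by reading the whole log.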

#3 nasdaq


  • Malware Response Team
  • 38,242 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:03 PM

Posted 06 February 2015 - 09:09 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
