Ads by coupon


14 replies to this topic

#1 Lachapi

  • Members
  • 7 posts

Posted 06 July 2015 - 01:02 PM

Correct name is Ads by Activecoupons.

 

I keep getting this extension added to Chrome by itself. I remove it, and when I restart it's there again. I've run multiple tools (Malwarebytes, Hitman, ESET, etc.); they remove everything, but it comes back. I ran them in Safe Mode; it deleted everything, but it's still back and keeps opening random pages at will. Don't know what else to do.

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-07-2015
Ran by LA Chapi (administrator) on MELISSA on 06-07-2015 13:37:20
Running from C:\Documents and Settings\LA Chapi\My Documents\Downloads
Loaded Profiles: LA Chapi (Available Profiles: LA Chapi & Administrator)
Platform: Microsoft Windows XP Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Enigma Software Group USA, LLC.) C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
() C:\WINDOWS\system32\WLTRYSVC.EXE
(Dell Inc.) C:\WINDOWS\system32\BCMWLTRY.EXE
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(Intel Corporation) C:\WINDOWS\system32\IPROSetMonitor.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1359064 2015-04-01] (COMODO)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-06-29] (Oracle Corporation)
HKLM\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2015-01-14] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
HKU\S-1-5-18\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2015-01-14] (Microsoft Corporation) <==== ATTENTION 
SecurityProviders: msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1757981266-1177238915-1672556253-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1757981266-1177238915-1672556253-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-06-29] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-06-29] (Oracle Corporation)
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
Tcpip\..\Interfaces\{0E275284-4DBD-4B24-B78B-6414ADB7B941}: [DhcpNameServer] 10.0.0.1
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\LA Chapi\Application Data\Mozilla\Firefox\Profiles\jfrht57y.default
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-06-29] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-06-29] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Extension: BitComet Video Downloader - C:\Documents and Settings\LA Chapi\Application Data\Mozilla\Firefox\Profiles\jfrht57y.default\Extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB} [2015-06-26]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-05-13]
 
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (No Name) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-13]
CHR Extension: (No Name) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-13]
CHR Extension: (No Name) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-13]
CHR Extension: (YouTube) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-13]
CHR Extension: (Google Search) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-13]
CHR Extension: (BitComet Download Extension for Chrome) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhigneefebkcagnpnpbibganpmfgebnk [2015-06-26]
CHR Extension: (No Name) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-13]
CHR Extension: (No Name) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-21]
CHR Extension: (Gmail) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-13]
CHR HKLM\...\Chrome\Extension: [dhigneefebkcagnpnpbibganpmfgebnk] - https://clients2.google.com/service/update2/crx
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [4351816 2015-04-01] (COMODO)
U3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [1664728 2015-04-01] (COMODO)
U2 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [827272 2013-03-07] (Broadcom Corporation)
U2 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [32648 2013-03-07] (Broadcom Corporation)
U2 Intel® PROSet Monitoring Service; C:\WINDOWS\system32\IProsetMonitor.exe [132768 2011-11-09] (Intel Corporation)
U4 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
U2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
U2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
U2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [770432 2013-07-17] (Enigma Software Group USA, LLC.)
U2 STacSV; C:\Program Files\IDT\WDM\stacsv.exe [245842 1999-12-31] (IDT, Inc.)
U2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [2768896 1999-12-31] (Dell Inc.) [File not signed]
U2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [X]
U3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [X]
U4 HidServ; %SystemRoot%\System32\hidserv.dll [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U3 AESTAud; C:\WINDOWS\System32\drivers\AESTAud.sys [113664 1999-12-31] (Andrea Electronics Corporation)
U3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [3369984 1999-12-31] (Broadcom Corporation)
U1 cmderd; C:\WINDOWS\System32\DRIVERS\cmderd.sys [15576 2015-04-01] (COMODO)
U1 cmdGuard; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [627032 2015-04-01] (COMODO)
U1 cmdHlp; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [29912 2015-04-01] (COMODO)
U3 cvusbdrv; C:\WINDOWS\System32\Drivers\cvusbdrv.sys [41480 2013-03-07] (Broadcom Corporation)
U3 e1yexpress; C:\WINDOWS\System32\DRIVERS\e1y5132.sys [250584 2011-10-20] (Intel Corporation)
U3 eapihdrv; C:\Documents and Settings\LA Chapi\Local Settings\temp\ehdrv.sys [135760 2015-06-29] (ESET)
U3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [13904 2011-05-06] ()
U3 EsgScanner; C:\WINDOWS\System32\DRIVERS\EsgScanner.sys [19984 2012-06-22] ()
U3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [35992 2015-06-27] ()
U0 Inspect; C:\WINDOWS\System32\DRIVERS\inspect.sys [105688 2015-04-01] (COMODO)
U3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
U0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
U0 mv61xxmm; C:\WINDOWS\system32\Drivers\mv61xxmm.sys [14184 2015-01-14] (Marvell Semiconductor Inc.)
U0 mv64xxmm; C:\WINDOWS\system32\Drivers\mv64xxmm.sys [5632 2015-01-14] (Marvell Semiconductor Inc.) [File not signed]
U0 mvxxmm; C:\WINDOWS\system32\Drivers\mvxxmm.sys [14184 2015-01-14] (Marvell Semiconductor Inc.)
U3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1660691 1999-12-31] (IDT, Inc.)
U3 SWDUMon; C:\WINDOWS\System32\DRIVERS\SWDUMon.sys [13368 2015-06-27] (SlimWare Utilities, Inc.)
U3 catchme; \??\C:\DOCUME~1\LACHAP~1\LOCALS~1\Temp\catchme.sys [X]
U2 CertPropSvc; No ImagePath
U4 IntelIde; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-07-06 13:36 - 2015-07-06 13:37 - 00000000 ____D C:\FRST
2015-07-06 13:36 - 2015-07-06 13:36 - 00001732 _____ C:\WINDOWS\system32\Drivers\fvstore.dat
2015-07-06 13:36 - 2015-07-06 13:36 - 00000000 ___HD C:\VTRoot
2015-06-29 01:23 - 2015-06-29 01:23 - 00000000 ____D C:\Program Files\ESET
2015-06-29 01:21 - 2015-06-29 01:21 - 00000000 ____D C:\WINDOWS\Sun
2015-06-29 01:21 - 2015-06-29 01:21 - 00000000 ____D C:\Documents and Settings\LA Chapi\Application Data\Oracle
2015-06-29 01:19 - 2015-06-29 01:19 - 00000000 ____D C:\Program Files\Common Files\Java
2015-06-29 01:19 - 2015-06-29 01:19 - 00000000 ____D C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Sun
2015-06-29 01:19 - 2015-06-29 01:19 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2015-06-29 01:19 - 2015-06-29 01:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sun
2015-06-29 01:19 - 2015-06-29 01:18 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2015-06-29 01:19 - 2015-06-29 01:18 - 00096352 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2015-06-29 01:18 - 2015-06-29 01:18 - 00000000 ____D C:\Program Files\Java
2015-06-29 01:18 - 2015-06-29 01:18 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Oracle
2015-06-29 01:14 - 2015-06-29 01:14 - 00000000 ____D C:\Documents and Settings\LA Chapi\Application Data\Sun
2015-06-29 01:09 - 2015-06-29 01:21 - 00000000 ____D C:\Documents and Settings\LA Chapi\Desktop\JavaRa-2.6
2015-06-29 00:55 - 2015-06-29 00:55 - 00000492 _____ C:\Documents and Settings\LA Chapi\My Documents\spider.sav
2015-06-28 03:03 - 2015-06-28 03:03 - 00004757 _____ C:\WINDOWS\KB2909921-IE8.log
2015-06-28 03:03 - 2015-06-28 03:03 - 00000000 ____D C:\WINDOWS\ie8updates
2015-06-27 04:49 - 2015-07-05 21:46 - 00000024 _____ C:\Documents and Settings\LA Chapi\Application Data\appdataFr25.bin
2015-06-27 04:26 - 2015-07-06 02:44 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9}.job
2015-06-27 04:26 - 2015-07-06 00:03 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59}.job
2015-06-27 04:26 - 2015-07-05 21:45 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85}.job
2015-06-27 04:25 - 2015-07-06 13:35 - 01474832 _____ C:\WINDOWS\system32\Drivers\sfi.dat
2015-06-27 04:25 - 2015-07-06 00:02 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22}.job
2015-06-27 04:22 - 2015-06-27 04:22 - 00065536 _____ C:\WINDOWS\system32\config\COMODO I.evt
2015-06-27 04:22 - 2015-06-27 04:22 - 00001695 _____ C:\Documents and Settings\All Users\Desktop\COMODO Internet Security.lnk
2015-06-27 04:22 - 2015-06-27 04:22 - 00000000 ____D C:\Program Files\COMODO
2015-06-27 04:22 - 2015-06-27 04:22 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\COMODO
2015-06-27 04:22 - 2015-06-27 04:22 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Shared Space
2015-06-27 04:21 - 2015-06-27 04:21 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Comodo Downloader
2015-06-27 04:20 - 2015-06-27 04:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Comodo
2015-06-27 04:18 - 2015-06-27 04:18 - 00005491 _____ C:\sh4_service.log
2015-06-27 03:42 - 2015-06-27 03:42 - 00001979 _____ C:\Documents and Settings\LA Chapi\Desktop\SpyHunter.lnk
2015-06-27 03:42 - 2015-06-27 03:42 - 00000000 ____D C:\sh4ldr
2015-06-27 03:42 - 2015-06-27 03:42 - 00000000 ____D C:\Documents and Settings\LA Chapi\Start Menu\Programs\SpyHunter
2015-06-27 03:41 - 2015-06-27 03:42 - 00000000 ____D C:\WINDOWS\DB847E94446B49E0AC5DC5627EC8B0C0.TMP
2015-06-27 03:41 - 2015-06-27 03:41 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2015-06-27 03:30 - 2015-06-28 03:03 - 11113472 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieframe.dll
2015-06-27 03:30 - 2015-06-28 03:03 - 02006016 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iertutil.dll
2015-06-27 03:30 - 2015-06-28 03:03 - 00743424 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedvtool.dll
2015-06-27 03:30 - 2015-06-28 03:03 - 00630272 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeeds.dll
2015-06-27 03:30 - 2015-06-28 03:03 - 00522240 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsdbgui.dll
2015-06-27 03:30 - 2015-06-28 03:03 - 00247808 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieproxy.dll
2015-06-27 03:30 - 2015-06-28 03:03 - 00055296 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2015-06-27 03:30 - 2015-06-28 03:03 - 00012800 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpshims.dll
2015-06-27 03:30 - 2015-06-27 03:42 - 00000000 ____D C:\Program Files\Enigma Software Group
2015-06-27 03:29 - 2015-06-27 03:33 - 00000000 ____D C:\WINDOWS\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2015-06-27 03:14 - 2015-06-27 03:14 - 00000000 ____D C:\Documents and Settings\LA Chapi\Local Settings\Application Data\VS Revo Group
2015-06-27 03:13 - 2015-06-27 03:13 - 00000925 _____ C:\Documents and Settings\All Users\Desktop\Revo Uninstaller Pro.lnk
2015-06-27 03:13 - 2015-06-27 03:13 - 00000000 ____D C:\Program Files\VS Revo Group
2015-06-27 03:13 - 2015-06-27 03:13 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Revo Uninstaller Pro
2015-06-27 03:13 - 2015-06-27 03:13 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\VS Revo Group
2015-06-27 03:13 - 2009-12-30 10:20 - 00027064 _____ (VS Revo Group) C:\WINDOWS\system32\Drivers\revoflt.sys
2015-06-27 02:58 - 2015-06-27 02:58 - 00000006 __RSH C:\1d8784c7a421d340cfd179503fe59ddc798a351c
2015-06-27 02:58 - 2015-06-27 02:58 - 00000000 __SHD C:\611927
2015-06-27 02:58 - 2015-06-27 00:17 - 00000000 __SHD C:\611827
2015-06-27 02:27 - 2015-06-27 02:30 - 00000000 ____D C:\AdwCleaner
2015-06-27 02:20 - 2015-06-27 02:20 - 00000000 __SHD C:\Documents and Settings\LA Chapi\IECompatCache
2015-06-27 02:18 - 2015-06-27 02:32 - 00013368 _____ (SlimWare Utilities, Inc.) C:\WINDOWS\system32\Drivers\SWDUMon.sys
2015-06-27 02:18 - 2015-06-27 02:18 - 00000000 ____D C:\Documents and Settings\LA Chapi\Local Settings\Application Data\SlimWare Utilities Inc
2015-06-27 02:15 - 2015-07-06 12:11 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2015-06-27 02:15 - 2015-06-29 00:37 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\temp
2015-06-27 02:15 - 2015-06-27 02:15 - 00013630 _____ C:\ComboFix.txt
2015-06-27 01:59 - 2015-06-27 01:59 - 00001485 _____ C:\Documents and Settings\LA Chapi\Desktop\JRT.txt
2015-06-27 01:52 - 2015-06-27 01:52 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
2015-06-27 01:38 - 2015-06-27 03:49 - 00001599 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2015-06-27 01:38 - 2015-06-27 02:17 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2015-06-27 01:38 - 2015-06-27 01:58 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2015-06-27 01:38 - 2015-06-27 01:51 - 00000000 ____D C:\Documents and Settings\Administrator
2015-06-27 01:38 - 2015-06-27 01:38 - 00000000 __SHD C:\WINDOWS\CSC
2015-06-27 01:38 - 2015-05-13 01:41 - 00000792 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2015-06-27 01:38 - 2015-05-13 01:41 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2015-06-27 01:38 - 2015-05-13 01:41 - 00000000 ___RD C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2015-06-27 01:36 - 2015-06-27 03:05 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-06-27 01:35 - 2015-06-27 01:35 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-27 01:35 - 2015-06-27 01:35 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-06-27 01:35 - 2015-06-27 01:35 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-27 01:35 - 2015-06-18 08:41 - 00121560 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-06-27 01:35 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-06-27 00:17 - 2015-06-27 00:17 - 00001163 ____N C:\spyhunter.log
2015-06-26 22:37 - 2015-07-06 13:38 - 00000000 ____D C:\Documents and Settings\LA Chapi\Local Settings\temp
2015-06-26 22:32 - 2015-06-26 22:32 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2015-06-26 22:32 - 2015-06-26 22:32 - 00000000 ____H C:\WINDOWS\system32\config\system.tmp.LOG
2015-06-26 22:32 - 2015-06-26 22:32 - 00000000 ____H C:\WINDOWS\system32\config\software.tmp.LOG
2015-06-26 22:32 - 2015-06-26 22:32 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2015-06-26 22:32 - 2015-06-26 22:32 - 00000000 ____H C:\WINDOWS\system32\config\default.tmp.LOG
2015-06-26 22:26 - 2015-06-26 22:26 - 00000000 _RSHD C:\cmdcons
2015-06-26 22:26 - 2015-05-13 01:31 - 00000211 _____ C:\Boot.bak
2015-06-26 22:26 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2015-06-26 22:23 - 2011-06-26 02:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2015-06-26 22:23 - 2010-11-07 13:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2015-06-26 22:23 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2015-06-26 22:22 - 2015-06-27 02:15 - 00000000 ____D C:\Qoobox
2015-06-26 22:22 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2015-06-26 22:22 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2015-06-26 22:22 - 2000-08-30 20:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2015-06-26 22:22 - 2000-08-30 20:00 - 00098816 _____ C:\WINDOWS\sed.exe
2015-06-26 22:22 - 2000-08-30 20:00 - 00080412 _____ C:\WINDOWS\grep.exe
2015-06-26 22:22 - 2000-08-30 20:00 - 00068096 _____ C:\WINDOWS\zip.exe
2015-06-26 22:21 - 2015-06-26 22:36 - 00000000 ____D C:\WINDOWS\erdnt
2015-06-26 22:13 - 2015-06-26 22:13 - 00000000 ____D C:\RegBackup
2015-06-26 22:11 - 2015-06-27 02:10 - 00003276 _____ C:\Documents and Settings\LA Chapi\Desktop\Rkill.txt
2015-06-26 21:59 - 2015-06-27 01:56 - 00035992 _____ C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2015-06-26 21:58 - 2015-06-26 21:58 - 00017600 _____ C:\WINDOWS\system32\.crusader
2015-06-26 21:48 - 2015-06-26 21:48 - 00000000 ____D C:\Program Files\HitmanPro
2015-06-26 21:47 - 2015-06-26 21:58 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2015-06-26 21:47 - 2015-06-06 17:42 - 10113976 _____ (SurfRight B.V.) C:\Documents and Settings\LA Chapi\Desktop\HitmanProBeta.exe.BAK
2015-06-26 21:47 - 2015-06-06 17:39 - 10113976 _____ (SurfRight B.V.) C:\Documents and Settings\LA Chapi\Desktop\HitmanProBeta.exe
2015-06-26 21:44 - 2015-06-26 21:44 - 00000000 ____D C:\Program Files\7-Zip
2015-06-26 21:44 - 2015-06-26 21:44 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
2015-06-26 21:16 - 2015-06-26 21:18 - 00000000 ____D C:\Program Files\SpywareBlaster
2015-06-26 21:16 - 2015-06-26 21:16 - 00000754 _____ C:\Documents and Settings\All Users\Desktop\SpywareBlaster.lnk
2015-06-26 21:16 - 2015-06-26 21:16 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
2015-06-26 21:16 - 2015-06-26 21:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Licenses
2015-06-26 21:12 - 2015-06-26 21:39 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2015-06-26 21:12 - 2015-06-26 21:12 - 00000933 _____ C:\Documents and Settings\LA Chapi\Desktop\Spybot - Search & Destroy.lnk
2015-06-26 21:12 - 2015-06-26 21:12 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2015-06-26 21:12 - 2015-06-26 21:12 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
2015-06-26 18:56 - 2015-06-26 18:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-06-26 18:33 - 2015-06-27 03:50 - 00000000 ____D C:\Documents and Settings\LA Chapi\Application Data\BitComet
2015-06-26 18:33 - 2015-06-26 18:33 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\BitComet.lnk
2015-06-26 18:33 - 2015-06-26 18:33 - 00000000 ____D C:\Program Files\BitComet
2015-06-26 18:33 - 2015-06-26 18:33 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\BitComet
2015-06-25 23:47 - 2015-06-25 23:47 - 00000076 _____ C:\Documents and Settings\LA Chapi\My Documents\Varios.txt
2015-06-25 23:46 - 2015-06-26 20:25 - 00000000 ____D C:\Program Files\No Cyrus
2015-06-22 20:40 - 2015-06-22 20:41 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Mozilla
2015-06-22 20:40 - 2015-06-22 20:40 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
2015-06-18 17:12 - 2015-06-18 17:12 - 00000000 ____D C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Logitech® Webcam Software
2015-06-18 17:09 - 2015-06-18 17:09 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\LogiShrd
2015-06-18 17:08 - 2015-06-26 21:35 - 00004216 _____ C:\WINDOWS\LDPINST.LOG
2015-06-18 17:08 - 2015-06-18 17:08 - 00000000 ____D C:\Documents and Settings\LA Chapi\Application Data\Leadertech
2015-06-18 17:07 - 2015-06-26 21:36 - 00000000 ____D C:\Program Files\Common Files\LogiShrd
2015-06-18 17:07 - 2015-06-26 21:35 - 00000000 ____D C:\Program Files\Logitech
2015-06-18 16:59 - 2013-07-17 00:58 - 00060160 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbaudio.sys
2015-06-18 16:59 - 2013-07-17 00:58 - 00060160 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBAUDIO.sys
2015-06-15 02:27 - 2015-06-15 02:27 - 00000000 ____D C:\Documents and Settings\LA Chapi\Application Data\Unity
2015-06-15 02:25 - 2015-06-26 21:58 - 00000000 ____D C:\Documents and Settings\LA Chapi\My Documents\Descargas
2015-06-15 02:25 - 2015-06-26 21:37 - 00000000 ____D C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Unity
2015-06-14 22:42 - 2015-06-25 23:45 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-06-14 22:42 - 2015-06-14 22:42 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2015-06-14 22:42 - 2015-06-14 22:42 - 00000724 _____ C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2015-06-14 22:42 - 2015-06-14 22:42 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-06-14 22:42 - 2015-06-14 22:42 - 00000000 ____D C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Mozilla
2015-06-14 22:42 - 2015-06-14 22:42 - 00000000 ____D C:\Documents and Settings\LA Chapi\Application Data\Mozilla
2015-06-14 22:42 - 2015-06-14 22:42 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Mozilla
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-07-06 13:26 - 2015-05-13 16:39 - 00056357 _____ C:\WINDOWS\system32\nvModes.001
2015-07-06 12:11 - 2015-05-13 01:39 - 01148473 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-05 21:35 - 2015-05-13 01:47 - 00032612 _____ C:\WINDOWS\SchedLgU.Txt
2015-07-05 21:20 - 2015-05-13 11:36 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2015-07-05 21:14 - 2015-05-12 21:27 - 00575640 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-07-05 21:10 - 2015-05-13 01:47 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-05 21:10 - 2008-04-14 05:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-07-05 21:09 - 2015-05-13 01:48 - 00000178 ___SH C:\Documents and Settings\LA Chapi\ntuser.ini
2015-07-05 21:09 - 2015-05-12 21:30 - 00000216 _____ C:\WINDOWS\wiadebug.log
2015-07-05 21:09 - 2015-05-12 21:30 - 00000048 _____ C:\WINDOWS\wiaservc.log
2015-07-05 20:47 - 2015-05-13 11:34 - 00000000 ____D C:\Documents and Settings\LA Chapi\Application Data\Skype
2015-07-05 11:51 - 2015-05-13 11:38 - 00246952 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2015-07-03 10:55 - 2015-05-13 16:39 - 00004972 _____ C:\WINDOWS\system32\nvAppTimestamps
2015-07-03 05:22 - 2015-05-13 11:33 - 00002265 _____ C:\Documents and Settings\All Users\Desktop\Skype.lnk
2015-06-30 04:07 - 2015-05-12 21:26 - 00789245 _____ C:\WINDOWS\setupapi.log
2015-06-29 18:35 - 2015-05-12 21:25 - 00195270 _____ C:\WINDOWS\setupact.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00155677 _____ C:\WINDOWS\iis6.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00111110 _____ C:\WINDOWS\FaxSetup.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00077575 _____ C:\WINDOWS\ocgen.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00057772 _____ C:\WINDOWS\tsoc.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00049219 _____ C:\WINDOWS\comsetup.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00040468 _____ C:\WINDOWS\msmqinst.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00028395 _____ C:\WINDOWS\ntdtcsetup.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00020627 _____ C:\WINDOWS\netfxocm.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00008581 _____ C:\WINDOWS\MedCtrOC.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00006228 _____ C:\WINDOWS\tabletoc.log
2015-06-28 03:03 - 2015-05-12 21:27 - 00001374 _____ C:\WINDOWS\imsins.log
2015-06-27 04:02 - 2015-05-13 01:48 - 00001599 _____ C:\Documents and Settings\LA Chapi\Start Menu\Programs\Remote Assistance.lnk
2015-06-27 03:52 - 2015-05-13 01:41 - 00001607 _____ C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
2015-06-27 03:52 - 2015-05-13 01:41 - 00001599 _____ C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk
2015-06-27 02:53 - 2015-05-13 01:47 - 00000000 __SHD C:\Documents and Settings\NetworkService
2015-06-27 02:20 - 2015-05-13 01:48 - 00000000 ____D C:\Documents and Settings\LA Chapi
2015-06-27 02:17 - 2015-05-13 01:47 - 00000000 __SHD C:\Documents and Settings\LocalService
2015-06-27 02:17 - 2015-05-12 21:14 - 00000000 ____D C:\WINDOWS\security
2015-06-27 02:14 - 2008-04-14 05:00 - 00000227 _____ C:\WINDOWS\system.ini
2015-06-26 22:32 - 2015-05-12 21:23 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2015-06-26 22:32 - 2015-05-12 21:23 - 00262144 _____ C:\WINDOWS\system32\config\SAM.bak
2015-06-26 22:32 - 2015-05-12 21:22 - 23068672 _____ C:\WINDOWS\system32\config\software.bak
2015-06-26 22:32 - 2015-05-12 21:22 - 04980736 _____ C:\WINDOWS\system32\config\system.bak
2015-06-26 22:32 - 2015-05-12 21:22 - 00524288 _____ C:\WINDOWS\system32\config\default.bak
2015-06-26 22:26 - 2015-05-12 21:22 - 00000327 __RSH C:\boot.ini
2015-06-26 21:37 - 2015-05-23 21:37 - 00000000 ____D C:\Program Files\PopCap Games
2015-06-25 17:12 - 2015-05-13 11:33 - 00000000 ___RD C:\Program Files\Skype
2015-06-25 17:12 - 2015-05-13 11:33 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2015-06-25 16:32 - 2015-05-13 11:34 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2015-06-23 19:04 - 2015-05-13 01:35 - 00020518 _____ C:\WINDOWS\wmsetup.log
2015-06-23 15:59 - 2015-05-22 18:55 - 00000000 ____D C:\Documents and Settings\LA Chapi\Desktop\My Shared Folder
2015-06-22 13:56 - 2015-05-13 11:47 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2015-06-10 18:58 - 2015-05-19 13:50 - 00000000 ____D C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Adobe
2015-06-10 18:58 - 2015-05-13 02:51 - 00000000 ____D C:\Documents and Settings\LA Chapi\Application Data\Adobe
2015-06-10 18:51 - 2015-05-13 03:54 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-06-10 18:44 - 2015-01-14 07:39 - 136900096 _____ (Microsoft Corporation) C:\WINDOWS\system32\mrt.exe
 
==================== Files in the root of some directories =======
 
2015-06-27 04:49 - 2015-07-05 21:46 - 0000024 _____ () C:\Documents and Settings\LA Chapi\Application Data\appdataFr25.bin
2015-05-22 20:19 - 2015-05-22 20:19 - 0003584 _____ () C:\Documents and Settings\LA Chapi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-02-05 13:28 - 2008-02-05 13:28 - 0000051 _____ () C:\Documents and Settings\LA Chapi\Local Settings\Application Data\setup.txt
 
Some files in TEMP:
====================
C:\Documents and Settings\LA Chapi\Local Settings\temp\SpyHunter4.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of log ============================
 

Attached Files


Edited by Lachapi, 06 July 2015 - 01:06 PM.


#2 mAL_rEm018 (Malware Response Team)

Posted 07 July 2015 - 03:11 PM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.


Hello Lachapi,

My name is mAL_rEm018, but feel free to call me mAL. I'm an undergraduate trainee and as such my posts to you have to first be checked by a Teacher; because of this my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.
 

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.


Cobian Backup
DriveImage XML


To make sure everything goes smoothly, I would like you to observe the following rules:

  • You must have Administrator rights and permissions for this computer.
  • Please reply to this thread.  Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum.  Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I am currently reviewing your logs and will return as soon as possible, with additional instructions.


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#3 Lachapi (Topic Starter)

Posted 07 July 2015 - 06:21 PM

Ok! I will be waiting



#4 Lachapi (Topic Starter)

Posted 09 July 2015 - 04:09 AM

Sir, no intentions to bump this topic. Just want to make sure you are still with me. I am struggling. I can't use the laptop for anything web browsing related. The pages popping, the ads by coupon screen opening, can't even install popup blockers because it's denying them. I'm at a loss here...

 

Sorry again for the bumping of this thread.. Wouldn't do it if it truly wasn't like an emergency since I do online schooling :/



#5 mAL_rEm018 (Malware Response Team)

Posted 09 July 2015 - 01:09 PM

Hello Lachapi,

I apologise for the delay in getting back to you.

Please do the following..

Backup your registry with Erunt

  • Download ERUNT from the following link ERUNT
  • Open Erunt
  • Do not change the default location of the Registry backup.
  • In the Backup options box select System registry and Current user registry.
  • Click on OK and wait until the backup is complete.
  • Exit the program.
  • If you have any problem backing up your registry, stop and let me know in your next post.


Create a system restore point


  • Close all opened programs.
  • Open the Start menu and click on All Programs.
  • Select Accessories and System Tools.
  • Open System Restore.
  • Select Create a restore point and then Next.
  • Type Disinfection in the Restore point description box.
  • Click Create.
  • When the process is over, restart your computer.


I noticed that you ran Combofix.  This is a very powerful tool that could cause serious damage to your computer if you don't know what you're doing.  Do not use it unless you are asked to by a trained helper.  Please navigate to the following location:


  • C:\ComboFix.txt

  • Please post Combofix.txt in your next reply.


While analysing your logs I noticed the following:


CHR dev: Chrome dev build detected! <======= ATTENTION

Your copy of Chrome is corrupted.  This is most likely the reason why the extension keeps re-installing itself in Chrome.  In the next steps we will remove and re-install Chrome, therefore I advise you to save your bookmarks, since you will lose them during the process.  The information for doing this can be found here.


To remove Google Chrome

  • Open the Start menu and click Control Panel.
  • Double-click Add or Remove Programs.
  • Select the following program:

    Google Chrome

  • Click Remove.
  • When asked if you want to uninstall, place a checkmark next to Also delete your browsing data and select Uninstall.
  • Reboot your computer.


To re-install Google Chrome, please do the following..


  • Click on the following link: Google Chrome.
  • Read the Terms of Service and select Accept and Install.
  • Save ChromeSetup.exe to your desktop.
  • Go to your desktop and double-click on ChromeSetup.exe.
  • Google Chrome will then install itself.
  • When the process is over, Chrome will open.


-----------------------------------------
In your next reply, I would like to see..

  • Did you have trouble performing any of the steps?
  • Were you able to remove/re-install Google Chrome?
  • Do you still have issues with Chrome?
  • Combofix.txt
    Please post everything in the order given.

 




#6 Lachapi (Topic Starter)

Posted 09 July 2015 - 06:09 PM

no.

yes.

no.

 

ComboFix 15-06-26.01 - LA Chapi 06/27/2015   2:11.2.2 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3572.3045 [GMT -4:00]
Running from: c:\documents and settings\LA Chapi\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2015-05-27 to 2015-06-27  )))))))))))))))))))))))))))))))
.
.
2015-06-27 06:08 . 2015-06-27 06:08 24 ----a-w- c:\documents and settings\LA Chapi\Application Data\appdataFr25.bin
2015-06-27 05:51 . 2015-06-27 05:51 52440 ----a-w- c:\windows\system32\drivers\bsdsrtt.sys
2015-06-27 05:38 . 2015-06-27 05:38 62576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0DBDE558-1CAB-43CD-BA77-AC847401B7E1}\offreg.956.dll
2015-06-27 05:38 . 2015-06-27 05:51 -------- d-----w- c:\documents and settings\Administrator
2015-06-27 05:36 . 2015-06-27 05:38 98520 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-06-27 05:35 . 2015-06-18 12:41 121560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-06-27 05:35 . 2015-06-18 12:41 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-06-27 05:35 . 2015-06-27 05:35 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2015-06-27 02:13 . 2015-06-27 02:13 -------- d-----w- C:\RegBackup
2015-06-27 02:10 . 2015-06-27 02:10 39168 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0DBDE558-1CAB-43CD-BA77-AC847401B7E1}\MpKsl3c457041.sys
2015-06-27 01:59 . 2015-06-27 01:59 62576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0DBDE558-1CAB-43CD-BA77-AC847401B7E1}\offreg.1020.dll
2015-06-27 01:59 . 2015-06-27 05:56 35992 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2015-06-27 01:48 . 2015-06-27 01:48 -------- d-----w- c:\program files\HitmanPro
2015-06-27 01:47 . 2015-06-27 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2015-06-27 01:44 . 2015-06-27 01:44 -------- d-----w- c:\program files\7-Zip
2015-06-27 01:16 . 2015-06-27 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Licenses
2015-06-27 01:16 . 2015-06-27 01:18 -------- d-----w- c:\program files\SpywareBlaster
2015-06-27 01:12 . 2015-06-27 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2015-06-27 01:12 . 2015-06-27 01:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2015-06-26 22:56 . 2015-06-26 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2015-06-26 22:34 . 2015-06-27 05:51 -------- d-----w- C:\Downloads
2015-06-26 22:33 . 2015-06-27 05:36 -------- d-----w- c:\documents and settings\LA Chapi\Application Data\BitComet
2015-06-26 22:33 . 2015-06-26 22:33 -------- d-----w- c:\program files\BitComet
2015-06-26 22:10 . 2015-06-12 07:54 9252600 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0DBDE558-1CAB-43CD-BA77-AC847401B7E1}\mpengine.dll
2015-06-26 03:46 . 2015-06-27 00:25 -------- d-----w- c:\program files\No Cyrus
2015-06-26 03:43 . 2015-06-26 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{f23d8de4-b4b6-3bf5-f23d-d8de4b4b3792}
2015-06-25 19:44 . 2015-06-12 07:54 9252600 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-06-23 00:40 . 2015-06-23 00:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2015-06-18 21:12 . 2015-06-18 21:12 -------- d-----w- c:\documents and settings\LA Chapi\Local Settings\Application Data\Logitech® Webcam Software
2015-06-18 21:09 . 2015-06-18 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2015-06-18 21:08 . 2015-06-18 21:08 -------- d-----w- c:\documents and settings\LA Chapi\Application Data\Leadertech
2015-06-18 21:07 . 2015-06-27 01:35 -------- d-----w- c:\program files\Logitech
2015-06-18 21:07 . 2015-06-27 01:36 -------- d-----w- c:\program files\Common Files\LogiShrd
2015-06-18 20:59 . 2013-07-17 04:58 60160 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2015-06-18 20:59 . 2013-07-17 04:58 60160 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2015-06-15 06:27 . 2015-06-15 06:27 -------- d-----w- c:\documents and settings\LA Chapi\Application Data\Unity
2015-06-15 06:25 . 2015-06-27 01:37 -------- d-----w- c:\documents and settings\LA Chapi\Local Settings\Application Data\Unity
2015-06-15 02:42 . 2015-06-15 02:42 -------- d-----w- c:\documents and settings\LA Chapi\Local Settings\Application Data\Mozilla
2015-06-15 02:42 . 2015-06-15 02:42 -------- d-----w- c:\program files\Mozilla Maintenance Service
2015-05-28 19:23 . 2015-05-28 19:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2015-01-14 . E17798E1E6FF1CA9C67B8576570E05EE . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SlimDrivers"="c:\program files\SlimDrivers\SlimDrivers.exe" [2015-02-27 29731096]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2015-03-30 13135512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2000-01-01 3035136]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2000-01-01 495708]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2014-08-01 15724504]
"NvMediaCenter"="NvMCTray.dll" [2014-08-01 376096]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2014-08-01 2593056]
"NvBackend"="c:\program files\NVIDIA Corporation\Update Core\NvBackend.exe" [2014-08-01 2403104]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-01-04 488816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (cleanup)"="c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe" [2015-06-18 54072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
"25251:TCP"= 25251:TCP:BitComet 25251 TCP
"25251:UDP"= 25251:UDP:BitComet 25251 UDP
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [1/14/2015 7:45 AM 14184]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [1/14/2015 7:45 AM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [1/14/2015 7:45 AM 14184]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [6/26/2015 9:59 PM 35992]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [3/7/2013 10:06 PM 827272]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [3/7/2013 10:06 PM 32648]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [5/13/2015 4:06 PM 132768]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [6/27/2015 1:35 AM 1871160]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [6/27/2015 1:35 AM 1133880]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2015 4:42 PM 327296]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/13/2015 4:07 PM 113664]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [5/13/2015 4:37 PM 41480]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [4/4/2008 7:40 PM 250584]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/27/2015 1:35 AM 23256]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 17889884
*NewlyCreated* - 24945706
*NewlyCreated* - PARPORT
*Deregistered* - 17889884
*Deregistered* - 24945706
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-06-22 17:54 990024 ----a-w- c:\program files\Google\Chrome\Application\43.0.2357.130\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-06-27 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-10-23 19:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/b/
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:1260;https=127.0.0.1:1260
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
Trusted Zone: dell.com
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{0E275284-4DBD-4B24-B78B-6414ADB7B941}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\LA Chapi\Application Data\Mozilla\Firefox\Profiles\jfrht57y.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-06-27 02:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1516)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(536)
c:\windows\system32\WININET.dll
.
Completion time: 2015-06-27  02:15:32
ComboFix-quarantined-files.txt  2015-06-27 06:15
ComboFix2.txt  2015-06-27 02:37
.
Pre-Run: 139,703,721,984 bytes free
Post-Run: 139,701,694,464 bytes free
.
- - End Of File - - B358EBFF390425E88E3BEBE9BCBA63FC
8F558EB6672622401DA993E1E865C861


#7 mAL_rEm018 (Malware Response Team)

Posted 09 July 2015 - 11:52 PM

Hello Lachapi,

Please answer the following question..

  • Did you have or do you have a Proxy set up?

    uInternet Settings,ProxyOverride = <-loopback>
    uInternet Settings,ProxyServer = http=127.0.0.1:1260;https=127.0.0.1:1260

  • Do you know what the following folder is?

    C:\Documents and Settings\LA Chapi\My Documents\Descargas

  • How is your computer running?


Please do the following..

  • Please click on the following link Jotti
  • Select Browse.
  • Go to the following locations on your computer:

    c:\windows\system32\drivers\bsdsrtt.sys

  • Click on Open and then Submit file.
  • When the scan is finished copy and paste the web address in your following post.
    Note: you can only upload one file at a time.

Removing programs in Windows XP


  • Open the Start menu and click Control Panel.
  • Double-click Add or Remove Programs.
  • Select the following program:

    BitComet 1.38
    SpyHunter
    SpywareBlaster 5.0

  • Click Remove.
  • When asked if you want to uninstall, place a checkmark next to Also delete your browsing data and select Uninstall.
  • Reboot your computer.


You have several anti-malware programs on your computer.  Although this might seem like a good idea, you are in fact putting your computer at risk because they can and will interfere between each other.  Please choose one of the programs below and make sure it's enabled (if you have trouble doing so let me know), then remove the other two using the steps above.


COMODO Internet Security Premium
Microsoft Security Essentials
Spybot - Search & Destroy



Next..




  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
HKU\S-1-5-18\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2015-01-14] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1757981266-1177238915-1672556253-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
CHR Extension: (BitComet Download Extension for Chrome) - C:\Documents and Settings\LA Chapi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhigneefebkcagnpnpbibganpmfgebnk [2015-06-26]
CHR HKLM\...\Chrome\Extension: [dhigneefebkcagnpnpbibganpmfgebnk] - https://clients2.google.com/service/update2/crx
FF Extension: BitComet Video Downloader - C:\Documents and Settings\LA Chapi\Application Data\Mozilla\Firefox\Profiles\jfrht57y.default\Extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB} [2015-06-26]
U2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [X]
U3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [X]
U4 HidServ; %SystemRoot%\System32\hidserv.dll [X]
U3 catchme; \??\C:\DOCUME~1\LACHAP~1\LOCALS~1\Temp\catchme.sys [X]
U2 CertPropSvc; No ImagePath
U4 IntelIde; No ImagePath
StandardProfile\AuthorizedApplications: [C:\Program Files\BitComet\BitComet.exe] => Enabled:BitComet.exe
StandardProfile\GloballyOpenPorts: [25251:TCP] => Enabled:BitComet 25251 TCP
StandardProfile\GloballyOpenPorts: [25251:UDP] => Enabled:BitComet 25251 UDP
2015-06-27 04:49 - 2015-07-05 21:46 - 00000024 _____ C:\Documents and Settings\LA Chapi\Application Data\appdataFr25.bin
2015-06-25 23:46 - 2015-06-26 20:25 - 00000000 ____D C:\Program Files\No Cyrus
2015-06-26 18:33 - 2015-06-27 03:50 - 00000000 ____D C:\Documents and Settings\LA Chapi\Application Data\BitComet
2015-06-26 18:33 - 2015-06-26 18:33 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\BitComet.lnk
2015-06-26 18:33 - 2015-06-26 18:33 - 00000000 ____D C:\Program Files\BitComet
2015-06-26 18:33 - 2015-06-26 18:33 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\BitComet
2015-06-27 03:41 - 2015-06-27 03:42 - 00000000 ____D C:\WINDOWS\DB847E94446B49E0AC5DC5627EC8B0C0.TMP
2015-06-27 03:29 - 2015-06-27 03:33 - 00000000 ____D C:\WINDOWS\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2015-06-27 02:58 - 2015-06-27 02:58 - 00000000 __SHD C:\611927
2015-06-27 02:58 - 2015-06-27 00:17 - 00000000 __SHD C:\611827
C:\Documents and Settings\LA Chapi\Local Settings\temp\SpyHunter4.exe

Hosts:
EmptyTemp:
CMD: ipconfig /flushdns
CreateRestorePoint:
  • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log



Adwcleaner


  • Please download AdwCleaner to your Desktop from here.
  • Close all your programs and double-click AdwCleaner.exe.
  • Click on Scan.
  • After the scan is over, select Logfile.
  • A notepad window will open.  Please copy/paste the contents in your next reply.
    Note: do not select Cleaning at this point


-----------------------------------------
In your next reply, I would like to see..

  • Did you have trouble performing any of the steps?
  • Answer to my questions.
  • Jotti link
  • fixlog.txt
  • Adwcleaner log
    Please post everything in the order given.

 


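The loopback proxy values and the "<=== ATTENTION" markers mAL picks out of the ComboFix and FRST output above are easy to overlook in a long log. The following triage script is an added example for this page (not part of the thread, FRST or ComboFix); it parses those lines from a constructed sample copied from the posted logs and reports which proxy entries point at the local machine.

```python
"""Triage helper for the ComboFix / FRST lines quoted in this thread.

Added example for this page; it is not part of the thread, FRST or ComboFix.
It pulls out the Internet Settings proxy values and the "<=== ATTENTION"
markers the helper called out, and reports proxies that point at the local
machine, which is the pattern shown in the posted log (127.0.0.1:1260).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines copied from the logs posted above.
SAMPLE_LOG = """\
uStart Page = hxxp://google.atcomet.com/b/
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:1260;https=127.0.0.1:1260
TCP: DhcpNameServer = 10.0.0.1
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\\SOFTWARE\\Policies\\Google: Policy restriction <======= ATTENTION
HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer: Policy restriction <======= ATTENTION
"""

ATTENTION_RE = re.compile(r"^(?P<item>.+?)\s*<=+\s*ATTENTION\s*$")
PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
OVERRIDE_RE = re.compile(r"Internet Settings,ProxyOverride\s*=\s*(?P<value>.+)$")

Proxy = Tuple[str, Optional[int]]


def parse_proxy_server(value: str) -> Dict[str, Proxy]:
    """Parse an Internet Settings ProxyServer value.

    The value is either one "host:port" used for every protocol (keyed "*")
    or a ';'-separated list of "scheme=host:port" entries as in the log.
    """
    proxies: Dict[str, Proxy] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, hostport = entry.partition("=")
        if not sep:                      # no "scheme=" prefix: applies to all
            scheme, hostport = "*", entry
        host, _, port = hostport.rpartition(":")
        if not host:                     # bare host with no port
            host, port = hostport, ""
        proxies[scheme.strip().lower()] = (host.strip(), int(port) if port.isdigit() else None)
    return proxies


def is_local_proxy(host: str) -> bool:
    """True when the proxy host is 'localhost' or a loopback address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                   # a hostname, not an IP literal
        return False


@dataclass
class Findings:
    local_proxies: Dict[str, Proxy] = field(default_factory=dict)
    proxy_override: Optional[str] = None
    attention: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.local_proxies or self.attention)


def triage(log_text: str) -> Findings:
    """Scan log lines for local proxies, the ProxyOverride token and ATTENTION marks."""
    found = Findings()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            for scheme, (host, port) in parse_proxy_server(m["value"]).items():
                if is_local_proxy(host):
                    found.local_proxies[scheme] = (host, port)
            continue
        m = OVERRIDE_RE.search(line)
        if m:
            # "<-loopback>" is the WinINET token that removes the default
            # bypass for loopback addresses, so even local traffic is proxied.
            found.proxy_override = m["value"].strip()
            continue
        m = ATTENTION_RE.match(line)
        if m:
            found.attention.append(m["item"].strip())
    return found


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for scheme, (host, port) in result.local_proxies.items():
        print(f"{scheme}: browser traffic routed through local proxy {host}:{port}")
    if result.proxy_override:
        print(f"ProxyOverride = {result.proxy_override}")
    for item in result.attention:
        print(f"flagged: {item}")
```

A proxy on 127.0.0.1 that the user did not set up (mAL's question above) means something on the machine is sitting between the browser and the network; the script only reports it, the decision of what it is belongs to the log review.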


#8 mAL_rEm018 (Malware Response Team)

Posted 11 July 2015 - 11:46 PM

Hello Lachapi,

Do you still need help?  It's been 48 hours since my last reply.  If you don't require assistance anymore I would really appreciate it if you let me know.

mAL




#9 Lachapi (Topic Starter)

Posted 12 July 2015 - 03:31 PM

Sorry, school kept me busy. After the first round of steps everything was fine, but I did the 2nd round anyway. I know the folder you mentioned. The one to scan in Jotti wasn't there so I guess it got deleted somehow. Did the txt fix and AdwCleaner found nothing. Can't provide logs, I'm not home. But haven't had problems since the first round so I believe it's clean.

 

Thanks



#10 Lachapi (Topic Starter)

Posted 12 July 2015 - 03:41 PM

Adwcleaner found this. What to do?

Attached Files



#11 mAL_rEm018 (Malware Response Team)

Posted 12 July 2015 - 04:03 PM

Hello Lachapi,
 

Sorry, school kept me busy. After the first round of steps everything was fine, but I did the 2nd round anyway. I know the folder you mentioned. The one to scan in Jotti wasn't there so I guess it got deleted somehow. Did the txt fix and AdwCleaner found nothing. Can't provide logs, I'm not home. But haven't had problems since the first round so I believe it's clean.

We still have some more work to do, so please stick with this topic until I give you the "all clean".  

You only posted the AdwCleaner log.  I still need to see the following information:
 

  • Answer to my questions
  • fixlog.txt

Please post them when ready.

mAL

 




#12 Lachapi (Topic Starter)

Posted 12 July 2015 - 05:30 PM

For some reason, after restarting, fixlog.txt is not there. Did a search and can't find it; only fixlist.txt is there :/ I answered your questions; the one missing was the proxy one, and no, I don't use a proxy.

 

Should I run fixlist again?


Edited by Lachapi, 12 July 2015 - 05:40 PM.


#13 mAL_rEm018

mAL_rEm018
  • Malware Response Team
  • 308 posts
  • Gender:Male

Posted 12 July 2015 - 07:41 PM

Hello Lachapi,
 

Should I run fixlist again?

 

Do not run the fixlist again. Please answer the following question: did you save the fixlist.txt in the following location prior to doing the fix?
 

C:\Documents and Settings\LA Chapi\My Documents\Downloads

 


Edited by mAL_rEm018, 12 July 2015 - 07:58 PM.



#14 mAL_rEm018

mAL_rEm018
  • Malware Response Team
  • 308 posts
  • Gender:Male

Posted 13 July 2015 - 05:05 PM

Hello Lachapi,

Let's try the following:
 

  • Double click Frst.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste or Type the following line into the Search: box.

fixlog.txt

  • Press the Search Files button.
  • When it has finished searching, a log (Search.txt) will open on your Desktop.
  • Please post it in your next reply.

 




#15 Gary R

Gary R
  • MRU Admin
  • Malware Response Team
  • 852 posts
  • Gender:Male

Posted 16 July 2015 - 04:46 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



