Unknown redirect malware infection


This topic is locked
13 replies to this topic

#1 nco31

nco31

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 07:03 AM

Posted 27 July 2015 - 11:17 PM

Malware causing popups and redirects on Chrome and IE, especially prevalent on Kijiji and Steam. Ran Malwarebytes, Ad-Aware, HitmanPro 3, and SUPERAntiSpyware; all found and quarantined multiple items, but the malware remains.

Thanks in advance for your help!


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:26-07-2015
Ran by User (administrator) on USER-PC (27-07-2015 22:07:01)
Running from C:\Users\User\Downloads
Loaded Profiles: User & UpdatusUser (Available Profiles: User & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(BitTorrent Inc.) C:\Users\User\AppData\Roaming\BitTorrent\BitTorrent.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe
(alch) C:\Program Files (x86)\ClamWin\bin\ClamTray.exe
(Disc Soft Ltd) C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Mirillis Ltd.) C:\Program Files (x86)\Mirillis\Splash Lite\SplashLite.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-10] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1212560 2012-06-13] (Realtek Semiconductor)
HKLM-x32\...\Run: [Dolby Home Theater v4] => C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe [508256 2012-04-23] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642216 2012-08-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ClamWin] => C:\Program Files (x86)\ClamWin\bin\ClamTray.exe [86016 2014-11-20] (alch)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [998104 2015-07-07] (Adobe Systems Incorporated)
HKU\S-1-5-21-1444923616-251419135-710734028-1000\...\Run: [BitTorrent] => C:\Users\User\AppData\Roaming\BitTorrent\BitTorrent.exe [1274456 2014-07-10] (BitTorrent Inc.)
HKU\S-1-5-21-1444923616-251419135-710734028-1000\...\Run: [DAEMON Tools Ultra Agent] => C:\Program Files (x86)\DAEMON Tools Ultra\DTAgent.exe [3192056 2013-11-14] (Disc Soft Ltd)
HKU\S-1-5-21-1444923616-251419135-710734028-1000\...\Run: [Desura] => C:\Program Files (x86)\Desura\desura.exe [2529096 2013-08-15] (Desura Pty Ltd)
HKU\S-1-5-21-1444923616-251419135-710734028-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [2895552 2015-07-23] (Valve Corporation)
HKU\S-1-5-21-1444923616-251419135-710734028-1000\...\Run: [Rogers One Number] => C:\Program Files (x86)\Rogers\Rogers One Number\RogersOneNumber.exe [32447816 2013-12-10] (Rogers)
HKU\S-1-5-21-1444923616-251419135-710734028-1000\...\Run: [EA Core] => "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win7AudioSwitcher_x86_release - Shortcut.lnk [2014-11-11]
ShortcutTarget: Win7AudioSwitcher_x86_release - Shortcut.lnk -> C:\Users\User\Documents\Win7AudioSwitcher_x86_release.exe (Nick_AgN)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
HKU\S-1-5-21-1444923616-251419135-710734028-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ca/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1444923616-251419135-710734028-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = https://www.google.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-03-09] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-03-09] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-07-25] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-07-25] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1444923616-251419135-710734028-1000 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{202EE530-583F-4CA2-95DF-A444C78E7E4F}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{C0E7B1F0-6FF1-4296-B7E0-22FEC1D23CFD}: [DhcpNameServer] 64.59.184.13 64.59.190.242

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-07-15] ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll [2011-06-20] (DivX, LLC.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: rogers.com/firehorn -> C:\Program Files (x86)\Rogers\Rogers One Number\npRogersOneNumber64.dll [2013-12-10] (Rogers)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-15] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-02-20] ()
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll [2011-06-20] (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll [2013-08-28] (DivX, LLC)
FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2013-08-15] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-07-25] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3522.0110 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-01-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-02-09] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-02-09] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin-x32: rogers.com/firehorn -> C:\Program Files (x86)\Rogers\Rogers One Number\npRogersOneNumber.dll [2013-12-10] (Rogers)

Chrome:
=======
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Google Wallet) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-08-06] (Advanced Micro Devices, Inc.) [File not signed]
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
S3 BRSptStub; C:\ProgramData\BitRaider\BRSptStub.exe [363208 2015-07-05] (BitRaider, LLC)
S3 BRSptSvc; C:\ProgramData\BitRaider\BRSptSvc.exe [477960 2014-06-28] (BitRaider, LLC)
R3 Disc Soft Bus Service; C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe [723192 2013-11-14] (Disc Soft Ltd)
S3 ICCS; C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [160256 2011-08-30] (Intel Corporation) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [22128 2012-03-08] ()
S3 BRDriver64; C:\ProgramData\BitRaider\BRDriver64.sys [75048 2014-06-28] (BitRaider)
R3 dtscsibus; C:\Windows\System32\DRIVERS\dtscsibus.sys [29696 2014-02-25] (Disc Soft Ltd)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
S3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [11264 2009-07-24] (Primax Ltd)
S3 ALSysIO; \??\C:\Users\User\AppData\Local\Temp\ALSysIO64.sys [X]
S3 atillk64; \??\C:\Program Files (x86)\AMD\System Monitor\atillk64.sys [X]
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 WinRing0_1_2_0; \??\C:\Users\User\Downloads\Real Temp\WinRing0x64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-27 22:07 - 2015-07-27 22:07 - 00015340 _____ C:\Users\User\Downloads\FRST.txt
2015-07-27 22:06 - 2015-07-27 22:07 - 00000000 ____D C:\FRST
2015-07-27 22:04 - 2015-07-27 22:04 - 02146816 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe
2015-07-27 16:53 - 2015-07-27 21:05 - 00000280 _____ C:\Windows\setupact.log
2015-07-27 16:53 - 2015-07-27 16:53 - 00000000 _____ C:\Windows\setuperr.log
2015-07-27 16:32 - 2015-07-27 16:32 - 22606680 _____ (SUPERAntiSpyware) C:\Users\User\Downloads\SUPERAntiSpyware.exe
2015-07-27 16:30 - 2015-07-27 16:30 - 00014960 _____ C:\Users\User\Documents\HitmanPro_20150727_1630.log
2015-07-27 16:21 - 2015-07-27 16:22 - 11032736 _____ (SurfRight B.V.) C:\Users\User\Downloads\HitmanPro_x64.exe
2015-07-27 16:18 - 2015-07-27 17:26 - 00010976 _____ C:\Windows\WindowsUpdate.log
2015-07-27 16:15 - 2015-07-27 16:15 - 00000000 ___RD C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Computer - Shortcut
2015-07-27 16:15 - 2015-07-27 16:15 - 00000000 ____D C:\Users\User\Documents\Fax
2015-07-27 16:12 - 2015-07-27 16:12 - 00000979 _____ C:\Users\Public\Desktop\Origin.lnk
2015-07-27 16:12 - 2015-07-27 16:12 - 00000000 ____D C:\Users\User\AppData\Roaming\Origin
2015-07-27 16:12 - 2015-07-27 16:12 - 00000000 ____D C:\ProgramData\Origin
2015-07-27 16:12 - 2015-07-27 16:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Origin
2015-07-27 16:12 - 2015-07-27 16:12 - 00000000 ____D C:\Program Files (x86)\Origin
2015-07-26 21:05 - 2015-07-27 16:07 - 00000000 ____D C:\AdwCleaner
2015-07-25 22:39 - 2015-07-27 01:23 - 00000000 ____D C:\Users\User\Downloads\John.Wick.2014.720p.WEB-DL.x264[ETRG]
2015-07-24 22:29 - 2015-07-24 23:33 - 00000000 ____D C:\Users\User\Downloads\Childs Play 1, 2, 3, 4, 5, 6 - Chucky Hexalogy Eng 720p [H264-mp4]
2015-07-22 00:06 - 2015-07-22 12:39 - 00000000 ____D C:\Program Files (x86)\ce7953e2-dfec-497a-8346-6cda3c53b34f
2015-07-22 00:06 - 2015-07-22 12:15 - 00000004 _____ C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-07-22 00:05 - 2015-07-22 00:05 - 00002263 _____ C:\Users\Public\Desktop\Netflix.lnk
2015-07-21 23:56 - 2015-07-21 23:56 - 00000045 _____ C:\user.js
2015-07-21 23:56 - 2015-07-21 23:56 - 00000000 _____ C:\Windows\SysWOW64\Number of results
2015-07-21 23:25 - 2015-07-27 15:40 - 00000000 ____D C:\Program Files\Checker
2015-07-21 23:25 - 2015-07-21 23:31 - 00000000 ____D C:\Users\User\AppData\Local\Chromium
2015-07-21 23:25 - 2015-07-21 23:25 - 00000064 _____ C:\Users\User\AppData\Local\24dd93bcbe0d15a54fec93e4a0263ef1
2015-07-21 23:25 - 2009-06-10 15:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hp.bak
2015-07-21 23:24 - 2015-07-27 20:29 - 00000340 ____H C:\Windows\Tasks\SYMGYHIKRALFUIDR.job
2015-07-21 23:24 - 2015-07-21 23:24 - 00003372 _____ C:\Windows\System32\Tasks\SYMGYHIKRALFUIDR
2015-07-21 23:24 - 2015-07-21 23:24 - 00000000 ____D C:\ProgramData\7c0535b143fc4671b6ebd202fbffe066
2015-07-21 20:31 - 2015-07-21 20:31 - 00000000 ____D C:\Users\User\AppData\Local\CEF
2015-07-21 12:36 - 2015-07-21 23:39 - 00000000 ____D C:\Users\User\Downloads\The Walking Dead Season 5 Complete stezza1490
2015-07-19 21:15 - 2015-07-20 23:43 - 00000000 ____D C:\Users\User\Downloads\The Last Survivors (2014)
2015-07-16 22:10 - 2015-07-16 22:11 - 00000000 ____D C:\Users\User\AppData\Roaming\com.togeproductions.survivors
2015-07-16 22:10 - 2015-07-16 22:10 - 00002212 _____ C:\Users\UpdatusUser\Desktop\Infectonator Survivors v0.54.lnk
2015-07-16 21:58 - 2015-07-16 22:09 - 56186678 _____ C:\Users\User\Downloads\Infectonator_Survivors_v0.54_setup.exe
2015-07-16 21:53 - 2015-07-16 21:53 - 00000000 ____D C:\Users\User\Downloads\Infectonator Survivors v0.54
2015-07-15 21:50 - 2015-07-15 21:50 - 00001066 _____ C:\Users\Public\Desktop\VLC media player.lnk
2015-07-15 16:16 - 2015-07-15 16:16 - 00000000 ____D C:\Users\User\AppData\Roaming\com.sarahnorthway.rebuild3
2015-07-15 16:15 - 2015-07-15 16:15 - 00000000 ____D C:\Program Files (x86)\DRAGAMES.NET
2015-07-15 14:23 - 2015-07-15 14:25 - 106841429 _____ (DRAGAMES.NET ) C:\Users\User\Downloads\rebuild_100.exe
2015-07-13 14:16 - 2015-07-13 14:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LAV Filters
2015-07-13 14:16 - 2015-07-13 14:16 - 00000000 ____D C:\Program Files (x86)\LAV Filters
2015-07-11 10:59 - 2015-07-11 10:59 - 00000000 ____D C:\Users\User\Documents\Klei
2015-07-11 10:59 - 2015-07-11 10:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2015-07-11 10:58 - 2015-07-11 10:58 - 00000000 ____D C:\GOG Games
2015-07-11 10:49 - 2015-07-11 10:49 - 00000000 ____D C:\Users\User\Downloads\Don't Starve
2015-07-10 21:56 - 2015-07-10 21:56 - 00000000 ____D C:\Program Files (x86)\AGEIA Technologies
2015-07-04 18:29 - 2015-07-07 22:42 - 00000000 ____D C:\Users\User\Downloads\Mad Max Fury Road 2015 1080p WEB-DL x264 AC3-JYK
2015-07-02 14:38 - 2015-07-02 14:38 - 00093414 _____ C:\Users\User\AppData\Roaming\icarus-dxdiag.xml
2015-07-02 10:54 - 2015-07-02 10:54 - 00000000 ____D C:\Users\User\AppData\Roaming\Shooter
2015-06-30 11:00 - 2015-06-30 11:00 - 00000184 _____ C:\Users\User\Documents\kijiji accounts.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-27 22:06 - 2014-03-29 15:01 - 00818688 ___SH C:\Users\User\Downloads\Thumbs.db
2015-07-27 22:03 - 2013-03-04 18:07 - 00000000 ____D C:\Users\User\AppData\Roaming\BitTorrent
2015-07-27 21:53 - 2013-05-05 22:54 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-27 21:37 - 2014-11-05 15:08 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-27 19:18 - 2013-03-16 20:04 - 00000000 ____D C:\Program Files (x86)\Steam
2015-07-27 17:59 - 2015-06-03 00:43 - 00003918 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{D6E8F4BF-8BDA-4F3F-985E-CF8E3EEE5DE7}
2015-07-27 17:24 - 2014-06-09 15:30 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-07-27 17:23 - 2013-08-10 01:41 - 00000374 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2015-07-27 17:22 - 2014-11-05 15:08 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-27 17:22 - 2013-03-03 11:53 - 00000000 ____D C:\ProgramData\NVIDIA
2015-07-27 17:22 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-27 16:57 - 2013-06-12 13:19 - 00000000 ____D C:\Windows\pss
2015-07-27 16:53 - 2014-06-05 10:32 - 02097152 ___SH C:\Users\User\Desktop\Thumbs.db
2015-07-27 16:51 - 2014-08-27 21:07 - 00000000 ____D C:\Program Files (x86)\2B6A3384-29F8-4469-8585-001604CFE056
2015-07-27 16:17 - 2014-11-11 22:10 - 00000000 ____D C:\Users\User\AppData\Local\CrashDumps
2015-07-27 16:15 - 2013-05-17 17:40 - 00000000 ____D C:\Users\User\Documents\Install files
2015-07-27 16:13 - 2014-02-02 21:59 - 00000292 _____ C:\Users\User\Desktop\Yahoo Mail.url
2015-07-27 16:12 - 2013-08-20 22:18 - 00000000 ____D C:\ProgramData\Electronic Arts
2015-07-27 16:12 - 2013-07-30 16:56 - 00000000 ____D C:\Program Files (x86)\Electronic Arts
2015-07-27 02:52 - 2014-05-10 14:41 - 00000000 ____D C:\Users\User\AppData\Local\Mirillis
2015-07-25 01:30 - 2009-07-13 22:45 - 00024704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-25 01:30 - 2009-07-13 22:45 - 00024704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-22 23:12 - 2009-07-13 23:08 - 00032656 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-22 12:42 - 2014-06-09 15:29 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-22 12:42 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SchCache
2015-07-22 12:21 - 2014-06-09 15:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-22 12:16 - 2009-07-13 23:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-07-22 12:15 - 2009-07-13 22:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-07-22 12:14 - 2015-05-26 23:15 - 00001413 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-07-21 23:57 - 2013-03-04 17:04 - 00270336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2015-07-21 23:56 - 2014-11-05 15:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-07-21 23:56 - 2013-03-04 17:04 - 00357888 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2015-07-21 23:56 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\spp
2015-07-21 23:27 - 2013-05-05 22:54 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-21 23:27 - 2013-05-05 22:54 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-21 23:27 - 2013-05-05 22:54 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-21 13:01 - 2013-03-17 10:04 - 00000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2015-07-21 12:31 - 2013-05-22 21:29 - 00000000 ____D C:\Users\User\AppData\Roaming\vlc
2015-07-16 22:10 - 2014-03-12 09:58 - 00000000 ____D C:\Users\User\Desktop\Games
2015-07-16 22:10 - 2013-08-15 16:04 - 00000000 ____D C:\Program Files (x86)\zomboid
2015-07-15 21:50 - 2013-05-22 16:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2015-07-15 17:33 - 2013-05-14 10:30 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-07-15 17:32 - 2014-12-25 13:31 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-07-15 14:32 - 2014-11-05 15:08 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-07-15 14:32 - 2014-11-05 15:08 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-07-13 10:57 - 2014-06-28 09:22 - 00000000 ____D C:\Users\User\AppData\Local\Battle.net
2015-07-12 20:42 - 2013-05-17 17:45 - 00000000 ____D C:\Users\User\Documents\Books
2015-07-12 20:41 - 2015-05-12 12:15 - 00000000 ____D C:\Users\User\Documents\flower girl dresses
2015-07-12 20:34 - 2013-03-04 03:10 - 00000000 ____D C:\Windows\Panther
2015-07-11 10:59 - 2009-07-13 23:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-07-10 21:56 - 2013-03-08 20:00 - 00000000 ____D C:\Users\User\Documents\My Games
2015-07-10 21:56 - 2013-03-03 11:53 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2015-07-10 13:48 - 2015-01-19 13:01 - 00000000 ____D C:\Users\User\Documents\twin parks
2015-07-05 10:59 - 2014-06-28 09:30 - 00000000 ____D C:\ProgramData\BitRaider
2015-07-02 14:07 - 2013-08-15 16:11 - 00000000 ____D C:\Program Files (x86)\Desura
2015-07-02 14:06 - 2015-06-26 23:48 - 00000000 ____D C:\Users\User\Downloads\Fury 2014 1080p.BluRay.5.1.x264 . NVEE

==================== Files in the root of some directories =======

2014-08-12 20:10 - 2014-08-31 14:17 - 0000004 _____ () C:\Users\User\AppData\Roaming\appdataFr2.bin
2015-07-02 14:38 - 2015-07-02 14:38 - 0093414 _____ () C:\Users\User\AppData\Roaming\icarus-dxdiag.xml
2015-07-21 23:25 - 2015-07-21 23:25 - 0000064 _____ () C:\Users\User\AppData\Local\24dd93bcbe0d15a54fec93e4a0263ef1
2013-03-03 11:27 - 2013-03-03 11:27 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\User\AppData\Local\Temp\EAD9E22.exe
C:\Users\User\AppData\Local\Temp\HitmanPro.exe
C:\Users\User\AppData\Local\Temp\Quarantine.exe
C:\Users\User\AppData\Local\Temp\sqlite3.dll
C:\Users\User\AppData\Local\Temp\UninstallEADM.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-07-23 20:35

==================== End of log ============================


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,759 posts
  • ONLINE
  • Gender: Male
  • Location: Montreal, QC, Canada
  • Local time: 09:03 AM

Posted 30 July 2015 - 10:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Toolbar: HKU\S-1-5-21-1444923616-251419135-710734028-1000 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 ALSysIO; \??\C:\Users\User\AppData\Local\Temp\ALSysIO64.sys [X]
S3 atillk64; \??\C:\Program Files (x86)\AMD\System Monitor\atillk64.sys [X]
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 WinRing0_1_2_0; \??\C:\Users\User\Downloads\Real Temp\WinRing0x64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Reset Chrome...
Open Google Chrome and click on the menu icon at the top right of the Chrome window.

Click "Settings", then "Show advanced settings" at the bottom of the screen.

Click the "Reset browser settings" button.

Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

Any remaining issues?

#3 nco31 (Topic Starter)

Posted 30 July 2015 - 12:31 PM

All steps complete; malware appears to remain, and both browsers are still redirecting.

Fix result of Farbar Recovery Scan Tool (x64) Version:28-07-2015
Ran by User (2015-07-30 10:58:26) Run:1
Running from C:\Users\User\Downloads
Loaded Profiles: User & UpdatusUser (Available Profiles: User & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Toolbar: HKU\S-1-5-21-1444923616-251419135-710734028-1000 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 ALSysIO; \??\C:\Users\User\AppData\Local\Temp\ALSysIO64.sys [X]
S3 atillk64; \??\C:\Program Files (x86)\AMD\System Monitor\atillk64.sys [X]
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 WinRing0_1_2_0; \??\C:\Users\User\Downloads\Real Temp\WinRing0x64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-1444923616-251419135-710734028-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A13C2648-91D4-4BF3-BC6D-0079707C4389} => value removed successfully
"HKCR\CLSID\{A13C2648-91D4-4BF3-BC6D-0079707C4389}" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
ALSysIO => service removed successfully
atillk64 => service removed successfully
BRDriver64_1_3_3_E02B25FC => service removed successfully
gdrv => service removed successfully
WinRing0_1_2_0 => service removed successfully
xhunter1 => service removed successfully
EmptyTemp: => 403.9 MB temporary data Removed.

The system needed a reboot..

==== End of Fixlog 10:59:03 ====

# AdwCleaner v4.208 - Logfile created 30/07/2015 at 11:07:18
# Updated 09/07/2015 by Xplode
# Database : 2015-07-26.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : User - USER-PC
# Running from : C:\Users\User\Documents\Install files\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] -
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] -

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17801

-\\ Google Chrome v44.0.2403.125

-\\ Chromium v

[C:\Users\User\AppData\Local\Chromium\User Data\Default\Secure Preferences] - Deleted [Homepage] : searchProvider","storage"],"manifest_permissions":[],"scriptable_host":["hxxp://*/*","hxxps://*/*"]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["homepage","searchProvider","storage"],"manifest_permissions":[],"scriptable_host":["hxxp://*/*","hxxps://*/*"]},"incognito_content_settings":[],"incognito_preferences":{},"initial_keybindings_set":true,"install_time":"13082016372471713","location":7,"manifest":{"chrome_settings_overrides":{"homepage":"hxxp://www.safebrowsesearch.com/?affilid=sdfsdfv4egfds3253tdvf&src=oursurfing_hp&q={searchTerms}

*************************

AdwCleaner[R0].txt - [7856 bytes] - [26/07/2015 21:05:31]
AdwCleaner[R1].txt - [2349 bytes] - [27/07/2015 16:05:23]
AdwCleaner[R2].txt - [2194 bytes] - [30/07/2015 11:05:38]
AdwCleaner[S0].txt - [7323 bytes] - [26/07/2015 21:12:01]
AdwCleaner[S1].txt - [2197 bytes] - [27/07/2015 16:07:38]
AdwCleaner[S2].txt - [1899 bytes] - [30/07/2015 11:07:18]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1958  bytes] ##########
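Two lines in the AdwCleaner log above are the ones a redirect hunter should read twice: the ProxyServer/ProxyOverride values deleted from HKU\.DEFAULT, and the Chromium "Secure Preferences" entry for an extension that overrides the homepage to safebrowsesearch.com, is not from the Web Store, holds content-script rights on http://*/* and https://*/*, and has location 7. As an added example that is not part of this thread, of AdwCleaner or of Chromium, the Python below parses a Secure Preferences file and reports every extension carrying those indicators. The sample JSON is constructed to mirror the fragment AdwCleaner printed; both 32-letter extension ids are made up, the second entry is a deliberately benign one, and the search_url is invented. The location-number names come from the Location enum in Chromium's extensions/common/manifest.h.

```python
"""Triage a Chrome/Chromium 'Secure Preferences' file for extensions that
hijack the homepage or search provider.

Added example for this thread; not code from the posts, from AdwCleaner or
from Chromium.  SAMPLE_SECURE_PREFS is constructed (made-up extension ids)."""
import json
from typing import Dict, List

# Install locations, from Chromium's extensions/common/manifest.h (Location enum).
LOCATION_NAMES = {
    1: "INTERNAL (user-installed)",
    2: "EXTERNAL_PREF",
    3: "EXTERNAL_REGISTRY",
    4: "UNPACKED",
    5: "COMPONENT",
    6: "EXTERNAL_PREF_DOWNLOAD",
    7: "EXTERNAL_POLICY_DOWNLOAD (forced by policy)",
    8: "COMMAND_LINE",
    9: "EXTERNAL_POLICY",
    10: "EXTERNAL_COMPONENT",
}
# Locations meaning "something outside the browser put this here".
EXTERNAL_LOCATIONS = {2, 3, 6, 7, 9}
ALL_HOSTS = {"http://*/*", "https://*/*", "*://*/*", "<all_urls>"}


def load_secure_prefs(path: str) -> dict:
    """Read a profile's Secure Preferences file; it is plain JSON on disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def triage_extensions(secure_prefs: dict) -> List[Dict]:
    """One finding per extension showing a hijack indicator, worst first."""
    findings = []
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    for ext_id, ext in settings.items():
        manifest = ext.get("manifest", {})
        overrides = manifest.get("chrome_settings_overrides", {})
        hosts = set(ext.get("granted_permissions", {}).get("scriptable_host", []))
        location = ext.get("location")
        reasons = []
        if overrides:  # homepage / search_provider / startup_pages
            reasons.append("overrides " + ", ".join(sorted(overrides)))
        if not ext.get("from_webstore", False):
            reasons.append("not from Web Store")
        if location in EXTERNAL_LOCATIONS:
            reasons.append("externally installed: " + LOCATION_NAMES.get(location, str(location)))
        if hosts & ALL_HOSTS:  # can inject into every page, i.e. redirect anywhere
            reasons.append("content scripts on all sites")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "homepage": overrides.get("homepage"),
                "search_url": overrides.get("search_provider", {}).get("search_url"),
                "reasons": reasons,
                "score": len(reasons),
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample modelled on the AdwCleaner fragment in this thread.
SAMPLE_SECURE_PREFS = json.loads(r'''{
  "extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
      "from_webstore": false, "location": 7, "install_time": "13082016372471713",
      "granted_permissions": {"api": ["homepage", "searchProvider", "storage"],
                              "scriptable_host": ["http://*/*", "https://*/*"]},
      "manifest": {"name": "Search Helper", "version": "1.0",
        "chrome_settings_overrides": {
          "homepage": "http://www.safebrowsesearch.com/?affilid=sdfsdfv4egfds3253tdvf&src=oursurfing_hp&q={searchTerms}",
          "search_provider": {"name": "safebrowsesearch", "keyword": "sbs",
            "search_url": "http://www.safebrowsesearch.com/?q={searchTerms}",
            "encoding": "UTF-8", "is_default": true}}}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
      "from_webstore": true, "location": 1,
      "granted_permissions": {"api": ["storage"], "scriptable_host": []},
      "manifest": {"name": "Benign Notes", "version": "2.3"}}
  }}
}''')


if __name__ == "__main__":
    for finding in triage_extensions(SAMPLE_SECURE_PREFS):
        print(finding["id"], finding["name"], finding["score"])
        for reason in finding["reasons"]:
            print("   -", reason)
        print("   homepage  :", finding["homepage"])
        print("   search_url:", finding["search_url"])
```

Point load_secure_prefs at `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences` (or the Chromium path AdwCleaner reported). Two caveats: the values in this file are covered by per-key HMACs in its "protection" section, so hand-editing it makes Chrome discard the tampered values rather than honour them, which is why removal goes through chrome://extensions or a profile reinstall as this thread eventually does; and a location of 7 means the extension was pushed by the ExtensionInstallForcelist policy, so check HKLM and HKCU `Software\Policies\Google\Chrome\ExtensionInstallForcelist` (`Software\Policies\Chromium` for Chromium) or it will simply come back.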
#4 nasdaq (Malware Response Team)

Posted 31 July 2015 - 06:36 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#5 nco31 (Topic Starter)

Posted 03 August 2015 - 01:33 PM

Seems to be no change.

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by User on Mon 08/03/2015 at 11:58:23.20.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJOUS2YU\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
8/3/2015 12:01:59 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\2B6A3384-29F8-4469-8585-001604CFE056 deleted successfully
C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\PROGRA~2\Black_Box deleted successfully
C:\PROGRA~2\ce7953e2-dfec-497a-8346-6cda3c53b34f deleted successfully
C:\PROGRA~2\TerminusStable deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\Program Files\005 deleted successfully
C:\Program Files\Google deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\PROGRA~3\WinZip deleted successfully
C:\Users\User\AppData\Roaming\DAEMON Tools Ult deleted successfully
C:\Users\User\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\User\AppData\Roaming\My Battle for Middle-earth II Files deleted successfully
C:\Users\User\AppData\Roaming\My The Lord of the Rings, The Rise of the Witch-king Files deleted successfully
C:\Users\Administrator\AppData\Local\Comodo deleted successfully
C:\Users\Administrator\AppData\Local\Google deleted successfully
C:\Users\Guest\AppData\Local\Comodo deleted successfully
C:\Users\Guest\AppData\Local\Google deleted successfully
C:\Users\HomeGroupUser$\AppData\Local\Comodo deleted successfully
C:\Users\HomeGroupUser$\AppData\Local\Google deleted successfully
C:\Users\UpdatusUser\AppData\Local\Comodo deleted successfully
C:\Users\UpdatusUser\AppData\Local\Google deleted successfully
C:\Users\User\AppData\Local\Comodo deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-1444923616-251419135-710734028-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{17AA52E9-9BCF-43AC-81E0-4058377713DE} deleted successfully
HKEY_USERS\S-1-5-21-1444923616-251419135-710734028-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66E54283-BAB5-48D0-A9A5-92CDDF26E35} deleted successfully
HKEY_USERS\S-1-5-21-1444923616-251419135-710734028-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C970722-AEBF-446B-A192-763038D4BD1} deleted successfully
HKEY_USERS\S-1-5-21-1444923616-251419135-710734028-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D3280461-2254-408F-983C-455B88A0FA20} deleted successfully
HKEY_USERS\S-1-5-21-1444923616-251419135-710734028-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D47CA87A-D16D-4293-884E-CF6850C9E92E} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\2B6A3384-29F8-4469-8585-001604CFE056 not found
C:\PROGRA~2\AGEIA Technologies not found
C:\PROGRA~2\Black_Box not found


#6 nasdaq (Malware Response Team)

Posted 04 August 2015 - 06:34 AM


Sorry, I omitted to check the Addition.txt file.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

Task: {1975BA46-F967-444B-A3D3-AFAB7CD2D0E2} - \ProPCCleaner_Popup No Task File <==== ATTENTION
Task: {521F3114-5B3C-454C-B054-26C70EEEE588} - System32\Tasks\SYMGYHIKRALFUIDR => C:\ProgramData\Service1198\Service1198.exe <==== ATTENTION
Task: {996143AC-0FE5-4E6F-8426-74AE14BC3B42} - \Microsoft\Windows\Maintenance\OverLook Updater No Task File <==== ATTENTION
Task: {A596F2F2-4A88-4C39-AEE4-8E36F6D4EBE6} - \WordShark Auto Updater 1.10.0.20 Pending Update No Task File <==== ATTENTION
Task: {C217CE02-CB17-4A0C-9BEE-CBA5DE67A266} - \OverLook Worker No Task File <==== ATTENTION
Task: {E6F1168D-F89C-4156-9A26-5C5EF0D70D71} - \WordShark Auto Updater 1.10.0.20 Core No Task File <==== ATTENTION
Task: {F81D4E23-AB6D-41ED-836C-72E22A4523BE} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: C:\Windows\Tasks\SYMGYHIKRALFUIDR.job => C:\ProgramData\Service1198\Service1198.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
C:\ProgramData\Service1198

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is it now?
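Both FRST fixlists in this thread follow one pattern: lines are copied out of the FRST log into fixlist.txt between "start" and "End", FRST then deletes what each line describes. The first list removed orphaned entries (FRST marks a service whose driver file is missing with "[X]", and a toolbar or plugin whose file is missing with "No File"); the second removed scheduled tasks whose task files are gone ("No Task File") and a task with a random-looking name that launched an executable out of C:\ProgramData. As an added example, not FRST's own code and not from the posts, the Python below classifies FRST log lines by those markers, flags tasks that launch from user-writable directories or carry random-looking names, and assembles a fixlist in the format used above. Sample lines are copied from the logs in this thread plus one constructed benign task with a placeholder GUID; the "random-looking name" rule is my heuristic, not an FRST feature.

```python
"""Classify FRST (Farbar Recovery Scan Tool) log lines and build a fixlist.

Added example for this thread; not FRST's own code and not from the posts.
Sample lines come from the logs above plus one constructed benign task
(placeholder GUID) so the filter has something to leave alone."""
import re
from typing import Iterable, Tuple

# FRST marks a registry entry whose target file is missing with these tokens.
ORPHAN_MARKERS = ("No File", "No Task File", "[X]")
# Directories a legitimate scheduled task rarely launches a binary from.
SUSPECT_DIRS = re.compile(r"(?i)\\(ProgramData|AppData|Temp|Users\\Public)\\")
TASK_RE = re.compile(
    r"^Task: (?:\{[0-9A-Fa-f-]+\} - )?(?P<name>.*?)"
    r"(?: => (?P<target>.*?))?(?: <==== ATTENTION)?$")


def looks_random(task_name: str) -> bool:
    """Heuristic (assumption, not an FRST rule): a long, all-caps, letters-only
    task name such as SYMGYHIKRALFUIDR in this thread."""
    base = task_name.rsplit("\\", 1)[-1]
    base = re.sub(r"\.job$", "", base, flags=re.I)
    return len(base) >= 12 and base.isalpha() and base.isupper()


def classify(line: str) -> Tuple[str, str]:
    """Return (category, reason) for one FRST log line."""
    line = line.strip()
    if line.startswith("AlternateDataStreams:"):
        return "ads", "alternate data stream attached to a folder"
    if any(marker in line for marker in ORPHAN_MARKERS):
        return "orphan", "registry entry whose file no longer exists"
    m = TASK_RE.match(line)
    if m:
        name, target = m.group("name"), m.group("target") or ""
        if target and SUSPECT_DIRS.search(target):
            return "suspicious-task", f"launches {target} from a user-writable directory"
        if looks_random(name):
            return "suspicious-task", "random-looking task name"
    return "ok", ""


def build_fixlist(log_lines: Iterable[str], extra_paths: Iterable[str] = ()) -> str:
    """Emit an FRST fixlist: flagged log lines verbatim (FRST accepts its own
    log lines as instructions), bare paths to delete, and the directives used
    in this thread, wrapped in the start/End block."""
    body = [l.strip() for l in log_lines if classify(l)[0] != "ok"]
    return "\n".join(["start", "CreateRestorePoint:", "CloseProcesses:", "",
                      *body, *extra_paths, "", "EmptyTemp:", "End"])


SAMPLE_LINES = [
    r"Task: {1975BA46-F967-444B-A3D3-AFAB7CD2D0E2} - \ProPCCleaner_Popup No Task File <==== ATTENTION",
    r"Task: {521F3114-5B3C-454C-B054-26C70EEEE588} - System32\Tasks\SYMGYHIKRALFUIDR => C:\ProgramData\Service1198\Service1198.exe <==== ATTENTION",
    r"Task: C:\Windows\Tasks\SYMGYHIKRALFUIDR.job => C:\ProgramData\Service1198\Service1198.exe <==== ATTENTION",
    r"AlternateDataStreams: C:\ProgramData\TEMP:373E1720",
    r"S3 gdrv; \??\C:\Windows\gdrv.sys [X]",
    r"Toolbar: HKU\S-1-5-21-1444923616-251419135-710734028-1000 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File",
    # Constructed benign entry (placeholder GUID) that must stay out of the fixlist.
    r"Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        category, reason = classify(line)
        print(f"{category:15} {reason:55} {line[:70]}")
    print()
    print(build_fixlist(SAMPLE_LINES, [r"C:\ProgramData\Service1198"]))
```

Reading the fixlists this way also explains why the first one changed nothing: ALSysIO64.sys, WinRing0x64.sys, gdrv.sys and atillk64.sys are hardware-monitoring drivers (Core Temp, RealTemp, Gigabyte and AMD utilities) whose files were already gone, so deleting their service entries is hygiene, not a cure. The second list's task launching C:\ProgramData\Service1198\Service1198.exe at logon is the only entry that looks like a live launcher, and the Fixlog for it reports both the task file and the folder "not found", so by the time the fix ran that launcher had already been removed or moved.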

#7 nco31 (Topic Starter)

Posted 05 August 2015 - 01:48 PM

Malware appears to still be present

Fix result of Farbar Recovery Scan Tool (x64) Version:28-07-2015
Ran by User (2015-08-05 12:43:17) Run:2
Running from C:\Users\User\Downloads
Loaded Profiles: User & UpdatusUser (Available Profiles: User & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CloseProcesses:

Task: {1975BA46-F967-444B-A3D3-AFAB7CD2D0E2} - \ProPCCleaner_Popup No Task File <==== ATTENTION
Task: {521F3114-5B3C-454C-B054-26C70EEEE588} - System32\Tasks\SYMGYHIKRALFUIDR => C:\ProgramData\Service1198\Service1198.exe <==== ATTENTION
Task: {996143AC-0FE5-4E6F-8426-74AE14BC3B42} - \Microsoft\Windows\Maintenance\OverLook Updater No Task File <==== ATTENTION
Task: {A596F2F2-4A88-4C39-AEE4-8E36F6D4EBE6} - \WordShark Auto Updater 1.10.0.20 Pending Update No Task File <==== ATTENTION
Task: {C217CE02-CB17-4A0C-9BEE-CBA5DE67A266} - \OverLook Worker No Task File <==== ATTENTION
Task: {E6F1168D-F89C-4156-9A26-5C5EF0D70D71} - \WordShark Auto Updater 1.10.0.20 Core No Task File <==== ATTENTION
Task: {F81D4E23-AB6D-41ED-836C-72E22A4523BE} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: C:\Windows\Tasks\SYMGYHIKRALFUIDR.job => C:\ProgramData\Service1198\Service1198.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
C:\ProgramData\Service1198

End
*****************

Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1975BA46-F967-444B-A3D3-AFAB7CD2D0E2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1975BA46-F967-444B-A3D3-AFAB7CD2D0E2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Popup" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{521F3114-5B3C-454C-B054-26C70EEEE588}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{521F3114-5B3C-454C-B054-26C70EEEE588}" => key removed successfully
C:\Windows\System32\Tasks\SYMGYHIKRALFUIDR not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SYMGYHIKRALFUIDR" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{996143AC-0FE5-4E6F-8426-74AE14BC3B42}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{996143AC-0FE5-4E6F-8426-74AE14BC3B42}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\OverLook Updater" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A596F2F2-4A88-4C39-AEE4-8E36F6D4EBE6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A596F2F2-4A88-4C39-AEE4-8E36F6D4EBE6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WordShark Auto Updater 1.10.0.20 Pending Update" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C217CE02-CB17-4A0C-9BEE-CBA5DE67A266}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C217CE02-CB17-4A0C-9BEE-CBA5DE67A266}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OverLook Worker" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E6F1168D-F89C-4156-9A26-5C5EF0D70D71}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E6F1168D-F89C-4156-9A26-5C5EF0D70D71}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WordShark Auto Updater 1.10.0.20 Core" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F81D4E23-AB6D-41ED-836C-72E22A4523BE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F81D4E23-AB6D-41ED-836C-72E22A4523BE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Start" => key removed successfully
C:\Windows\Tasks\SYMGYHIKRALFUIDR.job => moved successfully.
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.
"C:\ProgramData\Service1198" => File/Folder not found.

The system needed a reboot..

==== End of Fixlog 12:43:17 ====



#8 nasdaq (Malware Response Team)

Posted 06 August 2015 - 06:52 AM


Do this for now.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

If you want to save your passwords as well see here: http://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Re-install Chrome and import the bookmarks.
<<<>>>

How is it now?

#9 nco31 (Topic Starter)

Posted 10 August 2015 - 01:26 AM

Still present using internet explorer, Safari and steam.

#10 nasdaq (Malware Response Team)

Posted 10 August 2015 - 08:24 AM

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

#11 nco31 (Topic Starter)

Posted 12 August 2015 - 01:09 AM

No change.

#12 nasdaq (Malware Response Team)

Posted 12 August 2015 - 09:02 AM

I do not use Kijiji or Steam so I suggest you see what help you can get on their forums.

I did find this Kijiji article. It may help.
http://help.kijiji.ca/helpdesk/technical-issue/how-do-i-report-an-ad

#13 nco31 (Topic Starter)

Posted 12 August 2015 - 10:15 AM

I don't believe this is a browser-specific issue, but thanks for your help anyway. Guess we'll have to do a format and re-install.

#14 nasdaq (Malware Response Team)

Posted 18 August 2015 - 07:50 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.