
Safesearch problem. Can't use any internet programs.


This topic is locked
36 replies to this topic

#1 Sevenel (Members, 45 posts)

Posted 08 October 2015 - 09:12 PM

Hello!

My niece wanted me to look at her PC as it wasn't working for her. From what I notice, I can't get Chrome, Firefox, or IE to load any page. I'm currently in Safe Mode and it seems to be OK. Her default homepage in Chrome is "http://www.safesear.ch/?type=20150219-150-ch-fr", with an "It's Dead, Jim" page. Before, it was playing audio in the background, but I seem to have gotten rid of it. I just can't figure out the internet programs not running. Here are my reports. I'm in no hurry, as I know you guys are busy being the awesome helpers you are. Just whenever! Thanks.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:08-10-2015
Ran by Jasmine (administrator) on WENDY (08-10-2015 22:00:50)
Running from C:\Users\Jasmine\Desktop
Loaded Profiles: Jasmine (Available Profiles: Jasmine)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2587944 2010-12-31] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [322176 2012-02-16] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKMEDIA] => C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174720 2011-10-24] (ASUS)
HKLM-x32\...\Run: [HControlUser] => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6109776 2015-07-28] (AVAST Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-12-18] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\...\Run: [GoogleChromeAutoLaunch_295C825EC0350AE3FF4A95F6AD2E755F] => C:\Program Files (x86)\Fast Browser\Application\chrome.exe [713728 2014-03-22] (Fast Browser)
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\...\MountPoints2: {aa17d300-a868-11e3-afc1-5404a6120164} - E:\LaunchU3.exe -a
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-07-28] (AVAST Software)
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{B66B52FE-0124-4283-BEE4-E7563CC2DF87}: [DhcpNameServer] 10.40.42.11 192.68.112.166
Tcpip\..\Interfaces\{F510A458-664C-4DC1-9D70-B5D949D575C3}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=56626&homepage=hxxp://go.microsoft.com/fwlink/p/?LinkId=255141
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-07-28] (AVAST Software)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-07-28] (AVAST Software)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.safesear.ch/?type=20150219-150-ie-sm
 
FireFox:
========
FF ProfilePath: C:\Users\Jasmine\AppData\Roaming\Mozilla\Firefox\Profiles\blmohxm6.default
FF DefaultSearchEngine: Yahoo! (Avast)
FF DefaultSearchUrl: hxxps://search.yahoo.com/yhs/search
FF SearchEngineOrder.1: Yahoo! (Avast)
FF SelectedSearchEngine: Yahoo! (Avast)
FF Homepage: hxxps://www.yahoo.com/?fr=hp-avast&type=agc511
FF Keyword.URL: hxxps://search.yahoo.com/yhs/search
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_232.dll [2015-08-15] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-15] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-17] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Jasmine\AppData\Roaming\Mozilla\Firefox\Profiles\blmohxm6.default\searchplugins\yahoo-avast.xml [2015-02-11]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safesearch.xml [2015-02-19]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-02-11]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.safesear.ch/?type=20150219-150-ff-sm
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR Profile: C:\Users\Jasmine\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Jasmine\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jasmine\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-23]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-06-12]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-06-12]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-07-28] (AVAST Software)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-07-28] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-07-28] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-07-28] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-07-28] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1048344 2015-08-15] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [447944 2015-07-28] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [150672 2015-07-28] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [274808 2015-07-28] (AVAST Software)
S1 ATKWMIACPIIO_; C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17536 2011-09-07] (ASUS)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2015-02-12] ()
R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-10-08] (Malwarebytes Corporation)
S3 cpuz134; \??\C:\Users\Jasmine\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-08 22:00 - 2015-10-08 22:01 - 00011025 _____ C:\Users\Jasmine\Desktop\FRST.txt
2015-10-08 22:00 - 2015-10-08 22:00 - 02194944 _____ (Farbar) C:\Users\Jasmine\Desktop\FRST64.exe
2015-10-08 22:00 - 2015-10-08 22:00 - 00000000 ____D C:\FRST
2015-10-08 21:41 - 2015-10-08 21:41 - 00000000 ____D C:\Users\Jasmine\AppData\Roaming\litorhjp
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-08 21:40 - 2015-02-19 22:20 - 00002351 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-10-08 21:26 - 2009-07-14 00:45 - 00028928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-08 21:26 - 2009-07-14 00:45 - 00028928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-08 21:20 - 2015-02-11 12:49 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-08 21:16 - 2014-03-10 11:37 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-08 21:12 - 2014-03-10 11:39 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-09-15 16:55 - 2015-02-09 21:21 - 00001342 _____ C:\Windows\Tasks\CVML.job
2015-09-15 16:55 - 2015-02-09 21:20 - 00001346 _____ C:\Windows\Tasks\KGUWDP.job
2015-09-11 18:46 - 2014-03-10 11:37 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-11 18:42 - 2014-03-09 23:35 - 01907184 _____ C:\Windows\WindowsUpdate.log
2015-09-11 18:39 - 2014-12-22 15:46 - 00001346 _____ C:\Windows\Tasks\OVGFXV.job
2015-09-11 18:39 - 2014-12-22 15:45 - 00001344 _____ C:\Windows\Tasks\HJPJR.job
2015-09-11 18:39 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-11 18:39 - 2009-07-14 00:51 - 00072449 _____ C:\Windows\setupact.log
2015-09-11 09:34 - 2014-03-09 23:35 - 00000000 ____D C:\Users\Jasmine
 
==================== Files in the root of some directories =======
 
2015-01-25 12:12 - 2015-01-25 12:12 - 0002086 _____ () C:\Users\Jasmine\AppData\Roaming\CVML
2014-09-01 04:18 - 2014-09-01 04:18 - 0001248 _____ () C:\Users\Jasmine\AppData\Roaming\HJPJR
2015-01-25 12:12 - 2015-01-25 12:12 - 0001248 _____ () C:\Users\Jasmine\AppData\Roaming\KGUWDP
2014-09-01 04:18 - 2014-09-01 04:18 - 0002086 _____ () C:\Users\Jasmine\AppData\Roaming\OVGFXV
2015-08-15 13:40 - 2015-08-15 13:40 - 0000000 _____ () C:\Users\Jasmine\AppData\Local\{3061A7A9-8C6A-4081-9AF1-F3F00CB4326A}
 
Some files in TEMP:
====================
C:\Users\Jasmine\AppData\Local\Temp\144CC280-B594-EA99-C7D1-886ECFA425DA.dll
C:\Users\Jasmine\AppData\Local\Temp\bcbicabedgcaa.exe
C:\Users\Jasmine\AppData\Local\Temp\insHv21.exe
C:\Users\Jasmine\AppData\Local\Temp\Quarantine.exe
C:\Users\Jasmine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Jasmine\AppData\Local\Temp\sqlite3.dll
C:\Users\Jasmine\AppData\Local\Temp\{07321CB2-D25A-4FB7-B9E3-7D0398B92F34}-44.0.2403.157_44.0.2403.155_chrome_updater.exe
C:\Users\Jasmine\AppData\Local\Temp\{39BC20EF-A14E-4AFF-9A77-2772DDDB60D1}-43.0.2357.130_chrome_installer.exe
C:\Users\Jasmine\AppData\Local\Temp\{8B821C20-3175-4F40-8584-52F4E37E3143}.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-10-08 21:12
 
==================== End of FRST.txt ============================

#2 nasdaq (Malware Response Team, 40,256 posts, Montreal, QC, Canada)

Posted 09 October 2015 - 09:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold using the Add/Remove Programs applet.

tricomfi (HKLM-x32\...\{74f1e872-8d6f-4cc7-58d6-c60d8dfe43ed}) (Version: 1.0.0 - estdemin) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.safesear.ch/?type=20150219-150-ie-sm
FF DefaultSearchEngine: Yahoo! (Avast)
FF SearchEngineOrder.1: Yahoo! (Avast)
FF SelectedSearchEngine: Yahoo! (Avast)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF SearchPlugin: C:\Users\Jasmine\AppData\Roaming\Mozilla\Firefox\Profiles\blmohxm6.default\searchplugins\yahoo-avast.xml [2015-02-11]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safesearch.xml [2015-02-19]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.safesear.ch/?type=20150219-150-ff-sm
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-06-12]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-06-12]
S3 cpuz134; \??\C:\Users\Jasmine\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
C:\Users\Jasmine\AppData\Local\Temp\144CC280-B594-EA99-C7D1-886ECFA425DA.dll
C:\Users\Jasmine\AppData\Local\Temp\bcbicabedgcaa.exe
C:\Users\Jasmine\AppData\Local\Temp\insHv21.exe
C:\Users\Jasmine\AppData\Local\Temp\Quarantine.exe
C:\Users\Jasmine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Jasmine\AppData\Local\Temp\sqlite3.dll
C:\Users\Jasmine\AppData\Local\Temp\{07321CB2-D25A-4FB7-B9E3-7D0398B92F34}-44.0.2403.157_44.0.2403.155_chrome_updater.exe
C:\Users\Jasmine\AppData\Local\Temp\{39BC20EF-A14E-4AFF-9A77-2772DDDB60D1}-43.0.2357.130_chrome_installer.exe
C:\Users\Jasmine\AppData\Local\Temp\{8B821C20-3175-4F40-8584-52F4E37E3143}.exe
CustomCLSID: HKU\S-1-5-21-61570077-3675250410-2980569018-1000_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InprocServer32 -> C:\Users\Jasmine\AppData\Roaming\tricomfi\tivesen.dll () <==== ATTENTION
Task: {052B608D-F718-49AF-BBDE-3D3B31C50CAC} - \Microsoft\Windows\Maintenance\Update IC -> No File <==== ATTENTION
Task: {09148608-2022-4896-8021-650E553980A0} - System32\Tasks\BBQLeads => C:\Program Files (x86)\bbqleads\ScheduledTask.exe
Task: {3A89A8FA-E107-423D-9E47-51FB7DBC9161} - \Runner IC -> No File <==== ATTENTION
Task: {6C248656-524A-4322-A6AD-E8E6D2646718} - System32\Tasks\CVML => C:\Users\Jasmine\AppData\Roaming\CVML.exe <==== ATTENTION
Task: {90378B32-51BC-42F4-86B0-FD8BBD80D766} - System32\Tasks\{1E1CBCA8-54FB-4300-9A08-5E09429FD97A} => Chrome.exe
Task: {A77263A2-2CB3-4E63-A0AF-447213B71D61} - System32\Tasks\{C5EAA089-71BB-48F0-97D3-5C3E1D365FA3} => Chrome.exe
Task: {C5C1265C-C245-4207-8AFC-EAC86F831DDA} - System32\Tasks\HJPJR => C:\Users\Jasmine\AppData\Roaming\HJPJR.exe <==== ATTENTION
Task: {C657DCA1-FD47-4BD8-B306-6B4B4C5D7237} - System32\Tasks\{9C11D69C-1F90-4525-A582-5CD5C80C5198} => Chrome.exe
Task: {EF1F0258-A749-4146-A377-7074CD6DA5E2} - System32\Tasks\OVGFXV => C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe <==== ATTENTION
Task: {F8D635FC-EDBC-4106-A73E-43BED73BFEA1} - System32\Tasks\KGUWDP => C:\Users\Jasmine\AppData\Roaming\KGUWDP.exe <==== ATTENTION
Task: C:\Windows\Tasks\CVML.job => C:\Users\Jasmine\AppData\Roaming\CVML.exe <==== ATTENTION
Task: C:\Windows\Tasks\HJPJR.job => C:\Users\Jasmine\AppData\Roaming\HJPJR.exe <==== ATTENTION
Task: C:\Windows\Tasks\KGUWDP.job => C:\Users\Jasmine\AppData\Roaming\KGUWDP.exe <==== ATTENTION
Task: C:\Windows\Tasks\OVGFXV.job => C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe <==== ATTENTION
C:\Users\Jasmine\AppData\Roaming\tricomfi
C:\Program Files (x86)\bbqleads
C:\Users\Jasmine\AppData\Roaming\CVML.exe
C:\Users\Jasmine\AppData\Roaming\HJPJR.exe
C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe
C:\Users\Jasmine\AppData\Roaming\KGUWDP.exe
C:\Users\Jasmine\AppData\Roaming\CVML.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart the computer normally.

What problem persists?
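The log in post #1 and the fixlist in post #2 show the patterns a first-pass triage of an FRST.txt should catch: a machine-wide Chrome policy restriction, start/search pages redirected to an unfamiliar host, scheduled tasks and a driver whose payload sits under the user's AppData or Temp, and a CustomCLSID entry under the user's `_Classes\CLSID` hive. That last one is a per-user COM hijack: COM resolves HKCU\Software\Classes before HKLM, so a DLL registered there by an unprivileged account is loaded by any process that instantiates that class, with no admin rights needed. The script below is an added example, not code from the thread, from BleepingComputer or from the FRST tool: it applies those heuristics to FRST-style lines. The sample input is a handful of lines copied from the log and fixlist above; the rules, the tag names and the allowlist of homepage hosts are this example's own assumptions.

```python
"""FRST log triage: flag the persistence and browser-hijack patterns seen in the thread above.

Added example, not code from the thread, from BleepingComputer or from the FRST tool.
The sample lines are copied from the log and fixlist posted above; the rules and the
allowlist of known homepage hosts are this example's own assumptions.
"""
import re
from typing import List, Tuple

# Directories a standard user can write to. Services, drivers, COM servers and scheduled
# tasks that load their payload from here deserve a second look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.IGNORECASE)

# Hosts accepted as browser start/search pages (assumed allowlist; extend per environment).
KNOWN_HOSTS = ("google.com", "microsoft.com", "yahoo.com", "bing.com", "mozilla.org")

# FRST defangs URLs as hxxp://; capture the host part.
URL = re.compile(r"hxxps?://([^/\s]+)", re.IGNORECASE)

# Target of a "Task:" line, with FRST's "<==== ATTENTION" suffix stripped.
TASK_TARGET = re.compile(r"=>\s*(.+?)\s*(?:<====.*)?$")


def host_is_known(host: str) -> bool:
    host = host.lower()
    return any(host == k or host.endswith("." + k) for k in KNOWN_HOSTS)


def classify(line: str) -> List[str]:
    """Return finding tags for one FRST line; an empty list means nothing looked off."""
    s = line.strip()
    tags: List[str] = []
    if not s:
        return tags

    # Chrome locked down through machine policy (FRST prints both of these forms).
    if s.startswith("GroupPolicy:") or "\\Policies\\Google" in s:
        tags.append("browser-policy-restriction")

    # Start/search page pointing at a host outside the allowlist.
    for host in URL.findall(s):
        if not host_is_known(host):
            tags.append(f"unknown-homepage-host:{host.lower()}")

    # Work out which persistence mechanism the line describes, if any.
    kind = None
    if s.startswith("Task:"):
        kind = "task"
    elif s.startswith("CustomCLSID:"):
        kind = "com-hijack"
    elif re.match(r"^[RS]\d ", s):          # FRST service/driver lines: R=running, S=stopped
        kind = "driver-or-service"
    elif "\\...\\Run:" in s:
        kind = "run-key"

    if kind and USER_WRITABLE.search(s):
        tags.append(f"{kind}-in-user-writable-path")

    # A task whose target is a bare file name is resolved at run time, not pinned to a path.
    if kind == "task":
        m = TASK_TARGET.search(s)
        if m and not re.match(r"^(?:[A-Za-z]:\\|\\)", m.group(1)):
            tags.append("task-target-unpinned")

    # FRST marks a missing target with "[X]" (drivers) or "-> No File" (tasks).
    if s.endswith("[X]") or "-> No File" in s:
        tags.append("orphaned-entry-file-missing")
    return tags


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every line and return (tag, line) pairs for the flagged ones."""
    return [(tag, line.strip()) for line in log_text.splitlines() for tag in classify(line)]


# Constructed sample: lines copied from the FRST log and fixlist in the thread above.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6109776 2015-07-28] (AVAST Software)
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=56626&homepage=hxxp://go.microsoft.com/fwlink/p/?LinkId=255141
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
CustomCLSID: HKU\S-1-5-21-61570077-3675250410-2980569018-1000_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InprocServer32 -> C:\Users\Jasmine\AppData\Roaming\tricomfi\tivesen.dll () <==== ATTENTION
Task: {052B608D-F718-49AF-BBDE-3D3B31C50CAC} - \Microsoft\Windows\Maintenance\Update IC -> No File <==== ATTENTION
Task: {6C248656-524A-4322-A6AD-E8E6D2646718} - System32\Tasks\CVML => C:\Users\Jasmine\AppData\Roaming\CVML.exe <==== ATTENTION
Task: {90378B32-51BC-42F4-86B0-FD8BBD80D766} - System32\Tasks\{1E1CBCA8-54FB-4300-9A08-5E09429FD97A} => Chrome.exe
Task: C:\Windows\Tasks\HJPJR.job => C:\Users\Jasmine\AppData\Roaming\HJPJR.exe <==== ATTENTION
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-07-28] (AVAST Software)
S3 cpuz134; \??\C:\Users\Jasmine\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
"""

if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:45} {line[:90]}")
```

Run against a full FRST.txt (`triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`) this produces a short list of candidates for the fixlist rather than a verdict: an Avast driver under `C:\Windows\system32\drivers` and the Microsoft start page come back clean, while the safesear.ch start page, the tivesen.dll COM hijack, the AppData-resident task payloads, the orphaned `Update IC` task and the missing `cpuz134` driver are each flagged with the reason. The allowlist is deliberately small; a vendor-branded search page such as the Yahoo (Avast) entries above is benign here only because yahoo.com is on it.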

#3 Sevenel (Topic Starter)

Posted 09 October 2015 - 10:20 PM

Hi nasdaq. Thanks for helping me!

 

So I completed all steps and restarted the computer regularly. Internet Explorer and Firefox won't even open after double clicking on them. They will, however, open in Safe Mode. Chrome is the only one that opens out of Safe Mode, and it's gone from an "It's broken, Jim" error to "Aw Snap! Something went wrong while displaying this webpage....". It doesn't matter what page I go to. I can even try to open "Settings" and it gives the same page. Safe Mode now takes me (Chrome) to Google.com; however, out of Safe Mode it still tries to open the safesear.ch link (but of course gets the "Aw Snap" page). Here are my reports:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:08-10-2015
Ran by Jasmine (2015-10-09 22:21:30) Run:1
Running from C:\Users\Jasmine\Desktop
Loaded Profiles: Jasmine (Available Profiles: Jasmine)
Boot Mode: Safe Mode (with Networking)
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.safesear.ch/?type=20150219-150-ie-sm
FF DefaultSearchEngine: Yahoo! (Avast)
FF SearchEngineOrder.1: Yahoo! (Avast)
FF SelectedSearchEngine: Yahoo! (Avast)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF SearchPlugin: C:\Users\Jasmine\AppData\Roaming\Mozilla\Firefox\Profiles\blmohxm6.default\searchplugins\yahoo-avast.xml [2015-02-11]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safesearch.xml [2015-02-19]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.safesear.ch/?type=20150219-150-ff-sm
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-06-12]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-06-12]
S3 cpuz134; \??\C:\Users\Jasmine\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
C:\Users\Jasmine\AppData\Local\Temp\144CC280-B594-EA99-C7D1-886ECFA425DA.dll
C:\Users\Jasmine\AppData\Local\Temp\bcbicabedgcaa.exe
C:\Users\Jasmine\AppData\Local\Temp\insHv21.exe
C:\Users\Jasmine\AppData\Local\Temp\Quarantine.exe
C:\Users\Jasmine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Jasmine\AppData\Local\Temp\sqlite3.dll
C:\Users\Jasmine\AppData\Local\Temp\{07321CB2-D25A-4FB7-B9E3-7D0398B92F34}-44.0.2403.157_44.0.2403.155_chrome_updater.exe
C:\Users\Jasmine\AppData\Local\Temp\{39BC20EF-A14E-4AFF-9A77-2772DDDB60D1}-43.0.2357.130_chrome_installer.exe
C:\Users\Jasmine\AppData\Local\Temp\{8B821C20-3175-4F40-8584-52F4E37E3143}.exe
CustomCLSID: HKU\S-1-5-21-61570077-3675250410-2980569018-1000_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InprocServer32 -> C:\Users\Jasmine\AppData\Roaming\tricomfi\tivesen.dll () <==== ATTENTION
Task: {052B608D-F718-49AF-BBDE-3D3B31C50CAC} - \Microsoft\Windows\Maintenance\Update IC -> No File <==== ATTENTION
Task: {09148608-2022-4896-8021-650E553980A0} - System32\Tasks\BBQLeads => C:\Program Files (x86)\bbqleads\ScheduledTask.exe
Task: {3A89A8FA-E107-423D-9E47-51FB7DBC9161} - \Runner IC -> No File <==== ATTENTION
Task: {6C248656-524A-4322-A6AD-E8E6D2646718} - System32\Tasks\CVML => C:\Users\Jasmine\AppData\Roaming\CVML.exe <==== ATTENTION
Task: {90378B32-51BC-42F4-86B0-FD8BBD80D766} - System32\Tasks\{1E1CBCA8-54FB-4300-9A08-5E09429FD97A} => Chrome.exe
Task: {A77263A2-2CB3-4E63-A0AF-447213B71D61} - System32\Tasks\{C5EAA089-71BB-48F0-97D3-5C3E1D365FA3} => Chrome.exe
Task: {C5C1265C-C245-4207-8AFC-EAC86F831DDA} - System32\Tasks\HJPJR => C:\Users\Jasmine\AppData\Roaming\HJPJR.exe <==== ATTENTION
Task: {C657DCA1-FD47-4BD8-B306-6B4B4C5D7237} - System32\Tasks\{9C11D69C-1F90-4525-A582-5CD5C80C5198} => Chrome.exe
Task: {EF1F0258-A749-4146-A377-7074CD6DA5E2} - System32\Tasks\OVGFXV => C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe <==== ATTENTION
Task: {F8D635FC-EDBC-4106-A73E-43BED73BFEA1} - System32\Tasks\KGUWDP => C:\Users\Jasmine\AppData\Roaming\KGUWDP.exe <==== ATTENTION
Task: C:\Windows\Tasks\CVML.job => C:\Users\Jasmine\AppData\Roaming\CVML.exe <==== ATTENTION
Task: C:\Windows\Tasks\HJPJR.job => C:\Users\Jasmine\AppData\Roaming\HJPJR.exe <==== ATTENTION
Task: C:\Windows\Tasks\KGUWDP.job => C:\Users\Jasmine\AppData\Roaming\KGUWDP.exe <==== ATTENTION
Task: C:\Windows\Tasks\OVGFXV.job => C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe <==== ATTENTION
C:\Users\Jasmine\AppData\Roaming\tricomfi
C:\Program Files (x86)\bbqleads
C:\Users\Jasmine\AppData\Roaming\CVML.exe
C:\Users\Jasmine\AppData\Roaming\HJPJR.exe
C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe
C:\Users\Jasmine\AppData\Roaming\KGUWDP.exe
C:\Users\Jasmine\AppData\Roaming\CVML.exe
 
End
*****************
 
Error: Restore point can only be created in normal mode.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main\\Search Bar => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-61570077-3675250410-2980569018-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
Firefox DefaultSearchEngine removed successfully
Firefox SearchEngineOrder.1 removed successfully
Firefox SelectedSearchEngine removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\Jasmine\AppData\Roaming\Mozilla\Firefox\Profiles\blmohxm6.default\searchplugins\yahoo-avast.xml => moved successfully
C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safesearch.xml => moved successfully
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\\Default => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => key removed successfully
C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx => moved successfully
cpuz134 => service removed successfully
C:\Users\Jasmine\AppData\Local\Temp\144CC280-B594-EA99-C7D1-886ECFA425DA.dll => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\bcbicabedgcaa.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\insHv21.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\Quarantine.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\ReimagePackage.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\sqlite3.dll => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\{07321CB2-D25A-4FB7-B9E3-7D0398B92F34}-44.0.2403.157_44.0.2403.155_chrome_updater.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\{39BC20EF-A14E-4AFF-9A77-2772DDDB60D1}-43.0.2357.130_chrome_installer.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\{8B821C20-3175-4F40-8584-52F4E37E3143}.exe => moved successfully
"HKU\S-1-5-21-61570077-3675250410-2980569018-1000_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{052B608D-F718-49AF-BBDE-3D3B31C50CAC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{052B608D-F718-49AF-BBDE-3D3B31C50CAC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\Update IC" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{09148608-2022-4896-8021-650E553980A0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09148608-2022-4896-8021-650E553980A0}" => key removed successfully
C:\Windows\System32\Tasks\BBQLeads => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BBQLeads" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3A89A8FA-E107-423D-9E47-51FB7DBC9161}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3A89A8FA-E107-423D-9E47-51FB7DBC9161}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Runner IC" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6C248656-524A-4322-A6AD-E8E6D2646718}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C248656-524A-4322-A6AD-E8E6D2646718}" => key removed successfully
C:\Windows\System32\Tasks\CVML => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CVML" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{90378B32-51BC-42F4-86B0-FD8BBD80D766}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{90378B32-51BC-42F4-86B0-FD8BBD80D766}" => key removed successfully
C:\Windows\System32\Tasks\{1E1CBCA8-54FB-4300-9A08-5E09429FD97A} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1E1CBCA8-54FB-4300-9A08-5E09429FD97A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A77263A2-2CB3-4E63-A0AF-447213B71D61}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A77263A2-2CB3-4E63-A0AF-447213B71D61}" => key removed successfully
C:\Windows\System32\Tasks\{C5EAA089-71BB-48F0-97D3-5C3E1D365FA3} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C5EAA089-71BB-48F0-97D3-5C3E1D365FA3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C5C1265C-C245-4207-8AFC-EAC86F831DDA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C5C1265C-C245-4207-8AFC-EAC86F831DDA}" => key removed successfully
C:\Windows\System32\Tasks\HJPJR => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HJPJR" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C657DCA1-FD47-4BD8-B306-6B4B4C5D7237}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C657DCA1-FD47-4BD8-B306-6B4B4C5D7237}" => key removed successfully
C:\Windows\System32\Tasks\{9C11D69C-1F90-4525-A582-5CD5C80C5198} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{9C11D69C-1F90-4525-A582-5CD5C80C5198}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EF1F0258-A749-4146-A377-7074CD6DA5E2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF1F0258-A749-4146-A377-7074CD6DA5E2}" => key removed successfully
C:\Windows\System32\Tasks\OVGFXV => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OVGFXV" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F8D635FC-EDBC-4106-A73E-43BED73BFEA1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F8D635FC-EDBC-4106-A73E-43BED73BFEA1}" => key removed successfully
C:\Windows\System32\Tasks\KGUWDP => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KGUWDP" => key removed successfully
C:\Windows\Tasks\CVML.job => moved successfully
C:\Windows\Tasks\HJPJR.job => moved successfully
C:\Windows\Tasks\KGUWDP.job => moved successfully
C:\Windows\Tasks\OVGFXV.job => moved successfully
C:\Users\Jasmine\AppData\Roaming\tricomfi => moved successfully
"C:\Program Files (x86)\bbqleads" => File/Folder not found.
"C:\Users\Jasmine\AppData\Roaming\CVML.exe" => File/Folder not found.
"C:\Users\Jasmine\AppData\Roaming\HJPJR.exe" => File/Folder not found.
"C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe" => File/Folder not found.
"C:\Users\Jasmine\AppData\Roaming\KGUWDP.exe" => File/Folder not found.
"C:\Users\Jasmine\AppData\Roaming\CVML.exe" => File/Folder not found.
EmptyTemp: => 3.1 GB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 22:30:05 ====
 
 
 
# AdwCleaner v5.013 - Logfile created 09/10/2015 at 22:42:15
# Updated 09/10/2015 by Xplode
# Database : 2015-10-09.3 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Jasmine - WENDY
# Running from : C:\Users\Jasmine\Desktop\adwcleaner_5.013.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\ProgramData\{b3a8d408-ddde-7a14-b3a8-8d408ddd5023}
[-] Folder Deleted : C:\Users\Jasmine\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\FastPlayer
 
***** [ Files ] *****
 
[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\yahoo.xml
[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Facebook.lnk
[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Youtube.lnk
[-] File Deleted : C:\Users\Public\Desktop\eBay.lnk
[-] File Deleted : C:\Users\Public\Desktop\Facebook.lnk
[-] File Deleted : C:\Users\Public\Desktop\Youtube.lnk
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
[-] Shortcut Disinfected : C:\Users\Public\Desktop\Google Chrome.lnk
[-] Shortcut Disinfected : C:\Users\Public\Desktop\Search.lnk
[-] Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Google Chrome.lnk
[-] Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Search.lnk
[-] Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
[-] Shortcut Disinfected : C:\Users\Jasmine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[-] Shortcut Disinfected : C:\Users\Jasmine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[-] Shortcut Disinfected : C:\Users\Jasmine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
[-] Shortcut Disinfected : C:\Users\Jasmine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
[-] Shortcut Disinfected : C:\Users\Jasmine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk
 
***** [ Scheduled tasks ] *****
 
[-] Task Deleted : amiupdaterExd
[-] Task Deleted : amiupdaterExi
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
[-] Key Deleted : HKLM\SOFTWARE\3db9356b-fcad-48d6-8d73-82e05971c8f7
[-] Key Deleted : HKLM\SOFTWARE\5dc37793-792b-8451-f9f5-0f0d908ce4d5
[-] Key Deleted : HKLM\SOFTWARE\5EBD4EFD-456F-7A4F-B8D6-35AF8F7E6907
[-] Key Deleted : HKLM\SOFTWARE\5f2d1c43-beb7-467b-b4a3-43b381c8481f
[-] Key Deleted : HKLM\SOFTWARE\e5e4bd6d-db48-4764-b8e0-f91658d45e8c
[-] Key Deleted : HKLM\SOFTWARE\eb92595b-0c44-4ef1-980a-61001d1088d6
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
[-] Key Deleted : HKCU\Software\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A6D54287-7939-466A-8579-92546D946C8C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fa1626d6-5910-477d-ab12-fd2908b86758}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fa1626d6-5910-477d-ab12-fd2908b86758}
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
[-] Key Deleted : HKCU\Software\estdemin
[-] Key Deleted : HKCU\Software\reimagerepair
[-] Key Deleted : HKCU\Software\Corez
[-] Key Deleted : HKCU\Software\OB
[-] Key Deleted : HKCU\Software\AppDataLow\Software\CheckMeUp
[-] Key Deleted : HKLM\SOFTWARE\AppDataLow\SOFTWARE\Crossrider
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74f1e872-8d6f-4cc7-58d6-c60d8dfe43ed}
[!] Key Not Deleted : [x64] HKCU\Software\estdemin
[!] Key Not Deleted : [x64] HKCU\Software\reimagerepair
[!] Key Not Deleted : [x64] HKCU\Software\Corez
[!] Key Not Deleted : [x64] HKCU\Software\OB
[!] Key Not Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
[!] Key Not Deleted : HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\AppDataLow\Software\CheckMeUp
[!] Key Not Deleted : HKU\S-1-5-18\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Default_Search_URL]
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Search [SearchAssistant]
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [Default]
[-] Data Restored : HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Search [Default_Search_URL]
[-] Data Restored : HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Search [SearchAssistant]
[-] Data Restored : HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\SearchUrl [Default]
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Jasmine\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : www.safesear.ch
[-] [C:\Users\Jasmine\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Jasmine\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
 
*************************
 
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [7785 bytes] ##########
 

 



#4 nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 October 2015 - 08:27 AM

Restore your Windows 7 to the Last good configuration
Follow the instructions on this page.

http://windows.microsoft.com/en-ca/windows/using-last-known-good-configuration#1TC=windows-7
<<<>>>

What problem persists?

Edited by nasdaq, 10 October 2015 - 08:30 AM.


#5 Sevenel

  • Topic Starter
  • Members
  • 45 posts

Posted 11 October 2015 - 10:26 AM

Nothing changed in Last Config. Mode. Firefox and IE won't open, Chrome still gives the Oops error. Some additional info though, upon starting the computer, Chrome automatically opens up with the safesear.ch URL. Also, when I went to shut down the computer, it was waiting for a "Untitled - Fast Browser" program to close, which I'm not sure of.



#6 nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 October 2015 - 08:23 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

#7 Sevenel

  • Topic Starter
  • Members
  • 45 posts

Posted 19 October 2015 - 05:48 PM

Log is attached. No improvement with any browsers, can only still access browsers in Safe Mode. I should add "straight mode" is very unstable. This last time, in addition to the safesear.ch being opened upon Startup, Windows Explorer crashed and removed everything but the desktop picture. It never loaded back up. After attempting to restart, it just froze at "Logging Out...".

 

I also want to add that whenever I try to open Chrome, a popup box with "Do you want to allow the following program to make changes to this computer?" appears before it ultimately opens up with "Oops, something went wrong". I just find that strange.



#8 nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 October 2015 - 07:01 AM

These are the Restore points available to you.

==================== Restore Points =========================

25-07-2015 17:44:17 Windows Update
28-07-2015 19:15:09 avast! antivirus system restore point
29-07-2015 04:10:55 Windows Update
30-07-2015 03:00:12 Windows Update
04-08-2015 06:00:34 Windows Update
15-08-2015 03:59:05 Windows Update
15-08-2015 04:34:29 Windows Update
22-08-2015 17:28:23 Scheduled Checkpoint
31-08-2015 03:23:44 Scheduled Checkpoint
11-09-2015 09:21:58 Removed Google Chrome
08-10-2015 21:12:27 Scheduled Checkpoint


Please restore your system to a date prior to the start of your problems.

Check the system; if all is well, then install the Windows updates that are now missing.
Keep me posted.

#9 Sevenel

  • Topic Starter
  • Members
  • 45 posts

Posted 21 October 2015 - 04:53 PM

I restored it back to a date in August and the browsers didn't improve. I tried going all the way back to July and it said the restore was unsuccessful as a file was corrupt. The system does, however, seem a little more stable.

 

I uninstalled "Fast Browser", as it was causing Chrome to open upon Startup automatically.

-Chrome still loads with the safesear.ch link. When I try to go to another site (yahoo.com), it does nothing and says "Resolving Host..." on the bottom bar.

-Firefox now won't open, saying "Couldn't load XPCOM" (both regular and Safe mode)

-IE opens at the safesear.ch link as well. (both regular and Safe mode)

 

For what it's worth, in task manager, there are 4 chrome.exe's open. (regular mode only)



#10 nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 October 2015 - 08:33 AM

Please run the Farbar tool and post a fresh FRST log for my review.

#11 Sevenel

  • Topic Starter
  • Members
  • 45 posts

Posted 22 October 2015 - 07:13 PM

This is, again, in Safe Mode. I try to run it in regular mode, and FRST stalls at "Checking for updates..." upon starting it, and stops responding.
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:21-10-2015 01
Ran by Jasmine (administrator) on JASMINE-PC (22-10-2015 19:50:17)
Running from C:\Users\Jasmine\Desktop
Loaded Profiles: Jasmine (Available Profiles: Jasmine)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2587944 2010-12-31] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [322176 2012-02-16] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKMEDIA] => C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174720 2011-10-24] (ASUS)
HKLM-x32\...\Run: [HControlUser] => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6109776 2015-07-28] (AVAST Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-12-18] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\...\MountPoints2: {aa17d300-a868-11e3-afc1-5404a6120164} - E:\LaunchU3.exe -a
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-07-28] (AVAST Software)
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{B66B52FE-0124-4283-BEE4-E7563CC2DF87}: [DhcpNameServer] 10.40.42.11 192.68.112.166
Tcpip\..\Interfaces\{F510A458-664C-4DC1-9D70-B5D949D575C3}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=56626&homepage=hxxp://go.microsoft.com/fwlink/p/?LinkId=255141
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-07-28] (AVAST Software)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-07-28] (AVAST Software)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.safesear.ch/?type=20150219-150-ie-sm
 
FireFox:
========
FF ProfilePath: C:\Users\Jasmine\AppData\Roaming\Mozilla\Firefox\Profiles\blmohxm6.default
FF DefaultSearchEngine: Yahoo! (Avast)
FF DefaultSearchUrl: hxxps://search.yahoo.com/yhs/search
FF SearchEngineOrder.1: Yahoo! (Avast)
FF SelectedSearchEngine: Yahoo! (Avast)
FF Homepage: hxxps://www.yahoo.com/?fr=hp-avast&type=agc511
FF Keyword.URL: hxxps://search.yahoo.com/yhs/search
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_232.dll [2015-08-15] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-15] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-21] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-21] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-07-28] [not signed]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.safesear.ch/?type=20150219-150-ff-sm
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR Profile: C:\Users\Jasmine\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Jasmine\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-06-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jasmine\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-04]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-07-28] (AVAST Software)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-07-28] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-07-28] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-07-28] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-07-28] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1048344 2015-08-15] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [447944 2015-07-28] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [150672 2015-07-28] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [274808 2015-07-28] (AVAST Software)
S1 ATKWMIACPIIO_; C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17536 2011-09-07] (ASUS)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2015-02-12] ()
R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S3 cpuz134; \??\C:\Users\Jasmine\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-22 19:33 - 2015-10-22 19:33 - 02196480 _____ (Farbar) C:\Users\Jasmine\Desktop\FRST64.exe
2015-10-21 17:04 - 2015-10-21 17:04 - 06420480 _____ C:\Program Files (x86)\GUT2E70.tmp
2015-10-21 17:04 - 2015-10-21 17:04 - 00000000 ____D C:\Program Files (x86)\GUM2E6F.tmp
2015-10-19 18:41 - 2015-10-19 18:41 - 00037050 _____ C:\Users\Jasmine\Desktop\zoek-results.log
2015-10-19 16:07 - 2015-10-19 16:26 - 00037050 _____ C:\zoek-results.log
2015-10-19 16:06 - 2015-10-21 17:00 - 00000000 ____D C:\zoek_backup
2015-10-09 22:49 - 2015-10-09 22:49 - 00007888 _____ C:\Users\Jasmine\Desktop\AdwCleaner[C2].txt
2015-10-08 22:02 - 2015-10-08 22:02 - 00021589 _____ C:\Users\Jasmine\Desktop\Addition.txt
2015-10-08 22:00 - 2015-10-22 19:50 - 00005247 _____ C:\Users\Jasmine\Desktop\FRST.txt
2015-10-08 22:00 - 2015-10-22 19:50 - 00000000 ____D C:\FRST
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-22 19:39 - 2014-03-09 23:35 - 01888130 _____ C:\Windows\WindowsUpdate.log
2015-10-22 19:39 - 2009-07-14 00:45 - 00028928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-22 19:39 - 2009-07-14 00:45 - 00028928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-22 19:38 - 2015-02-11 18:21 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-10-22 19:36 - 2014-03-10 11:39 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-22 19:34 - 2015-02-09 21:21 - 00001342 _____ C:\Windows\Tasks\CVML.job
2015-10-22 19:34 - 2015-02-09 21:20 - 00001346 _____ C:\Windows\Tasks\KGUWDP.job
2015-10-22 19:34 - 2014-12-22 15:46 - 00001346 _____ C:\Windows\Tasks\OVGFXV.job
2015-10-22 19:34 - 2014-12-22 15:45 - 00001344 _____ C:\Windows\Tasks\HJPJR.job
2015-10-22 19:34 - 2014-03-10 11:37 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-22 19:34 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-22 19:34 - 2009-07-14 00:51 - 00072393 _____ C:\Windows\setupact.log
2015-10-21 17:15 - 2014-03-10 11:37 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-21 17:14 - 2015-02-19 22:19 - 00000000 ____D C:\Users\Jasmine\AppData\Local\Fast Browser
2015-10-21 17:07 - 2014-03-10 11:37 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-10-21 17:07 - 2014-03-10 11:37 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-10-21 17:02 - 2015-02-11 13:52 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-10-21 17:02 - 2014-03-09 23:35 - 00000000 ____D C:\Users\Jasmine
2015-10-21 17:01 - 2015-06-29 00:10 - 00000000 ____D C:\Users\Jasmine\AppData\Roaming\rywedmru
2015-10-21 17:01 - 2015-04-17 18:24 - 00000000 ____D C:\Users\Jasmine\AppData\Roaming\vaikgrny
2015-10-21 17:01 - 2015-04-05 18:25 - 00000000 ____D C:\Users\Jasmine\AppData\Roaming\jcdpjnvu
2015-10-21 17:01 - 2015-04-05 12:57 - 00000000 ___SD C:\Windows\system32\GWX
2015-10-21 17:01 - 2015-02-26 09:43 - 00000000 ____D C:\Users\Jasmine\AppData\Roaming\nlguttej
2015-10-21 17:01 - 2015-02-10 13:53 - 00000000 ____D C:\Users\Jasmine\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
2015-10-21 17:01 - 2014-12-22 15:46 - 00000000 ____D C:\Users\Jasmine\AppData\Roaming\tricomfi
2015-10-21 17:01 - 2009-07-13 23:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-10-21 17:01 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2015-10-21 17:01 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2015-10-21 17:00 - 2015-02-11 12:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-21 17:00 - 2015-02-11 12:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-21 17:00 - 2015-02-09 21:20 - 00000000 ____D C:\Program Files (x86)\c54f5251-6071-4efb-a614-284a77e29447
2015-10-21 17:00 - 2014-12-22 15:52 - 00000000 ____D C:\Users\Jasmine\AppData\Local\5EBD4EFD-456F-7A4F-B8D6-35AF8F7E6907
2015-10-21 17:00 - 2014-12-22 15:47 - 00000000 ____D C:\ProgramData\TWUlhUP
2015-10-21 17:00 - 2014-03-10 11:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-10-21 17:00 - 2014-03-10 11:37 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-10-21 17:00 - 2009-07-14 01:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-10-21 17:00 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
2015-10-09 22:42 - 2015-02-12 11:17 - 00000000 ____D C:\AdwCleaner
 
==================== Files in the root of some directories =======
 
2015-10-21 17:04 - 2015-10-21 17:04 - 6420480 _____ () C:\Program Files (x86)\GUT2E70.tmp
 
Some files in TEMP:
====================
C:\Users\Jasmine\AppData\Local\Temp\144CC280-B594-EA99-C7D1-886ECFA425DA.dll
C:\Users\Jasmine\AppData\Local\Temp\bcbicabedgcaa.exe
C:\Users\Jasmine\AppData\Local\Temp\insHv21.exe
C:\Users\Jasmine\AppData\Local\Temp\Quarantine.exe
C:\Users\Jasmine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Jasmine\AppData\Local\Temp\sqlite3.dll
C:\Users\Jasmine\AppData\Local\Temp\{39BC20EF-A14E-4AFF-9A77-2772DDDB60D1}-43.0.2357.130_chrome_installer.exe
C:\Users\Jasmine\AppData\Local\Temp\{8B821C20-3175-4F40-8584-52F4E37E3143}.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-10-19 16:44
 
==================== End of FRST.txt ============================


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:34 PM

Posted 23 October 2015 - 08:52 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.safesear.ch/?type=20150219-150-ie-sm
FF DefaultSearchEngine: Yahoo! (Avast)
FF DefaultSearchUrl: hxxps://search.yahoo.com/yhs/search
FF SearchEngineOrder.1: Yahoo! (Avast)
FF SelectedSearchEngine: Yahoo! (Avast)
FF Keyword.URL: hxxps://search.yahoo.com/yhs/search
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.safesear.ch/?type=20150219-150-ff-sm
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S3 cpuz134; \??\C:\Users\Jasmine\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
C:\Program Files (x86)\GUT2E70.tmp
C:\Users\Jasmine\AppData\Local\Temp\144CC280-B594-EA99-C7D1-886ECFA425DA.dll
C:\Users\Jasmine\AppData\Local\Temp\bcbicabedgcaa.exe
C:\Users\Jasmine\AppData\Local\Temp\insHv21.exe
C:\Users\Jasmine\AppData\Local\Temp\Quarantine.exe
C:\Users\Jasmine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Jasmine\AppData\Local\Temp\sqlite3.dll
C:\Users\Jasmine\AppData\Local\Temp\{39BC20EF-A14E-4AFF-9A77-2772DDDB60D1}-43.0.2357.130_chrome_installer.exe
C:\Users\Jasmine\AppData\Local\Temp\{8B821C20-3175-4F40-8584-52F4E37E3143}.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

How is the computer running now?
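The fixlist above is built the way FRST expects: the directives come first, then the offending log lines copied verbatim between `start` and `End`, and FRST matches each line against its own output. As an added example that is not part of this thread, of nasdaq's instructions or of FRST itself, the script below applies the indicators visible in this log (the `Restriction <======= ATTENTION` policy lines, a `StartMenuInternet` entry with a URL appended after the browser executable, IE `Main` values and `SearchScopes` pointing at a host outside an allowlist, and a driver registered from `Temp` whose file is missing) to a set of sample lines and assembles the fixlist body from the hits. The `KNOWN_GOOD_HOSTS` allowlist and the function names are assumptions of the example; the sample lines are copied from the FRST log in this thread plus two constructed clean controls (the IEXPLORE entry with its URL removed, and an Avast driver line).

```python
import re
from urllib.parse import urlparse

# Allowlist of hosts a practitioner would accept as a default home/search page.
# This set is an assumption of the example; adjust it to the environment.
KNOWN_GOOD_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}

# FRST defangs URLs as hxxp:// so they cannot be clicked; match that form.
_URL_RE = re.compile(r"hxxps?://\S+", re.IGNORECASE)

# Log entry kinds whose value is a URL worth checking against the allowlist.
_URL_BEARING = ("HKLM\\", "HKU\\", "SearchScopes:", "FF DefaultSearchUrl:", "FF Keyword.URL:")


def _hosts_in(line):
    """Hostnames of every defanged URL on the line, lower-cased."""
    hosts = set()
    for url in _URL_RE.findall(line):
        host = urlparse(url.replace("hxxp", "http", 1)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def flag_line(line):
    """Return why a log line is a hijack indicator, or None if it looks clean."""
    s = line.strip()
    # 1. FRST itself tags policy-based browser lockdown (GroupPolicy, Policies\Google).
    if "Restriction" in s and "ATTENTION" in s:
        return "browser policy restriction"
    # 2. A clean StartMenuInternet entry ends with the browser executable; a URL
    #    after the path is injected and is what the Start-menu shortcut opens.
    if s.startswith("StartMenuInternet:") and _URL_RE.search(s):
        return "start-menu browser launch with injected URL"
    # 3. IE Main values, SearchScopes and Firefox search URLs: flag unknown hosts.
    if s.startswith(_URL_BEARING):
        unknown = _hosts_in(s) - KNOWN_GOOD_HOSTS
        if unknown:
            return "search/home page points at " + ",".join(sorted(unknown))
    # 4. A service/driver whose file is gone ([X]) but was registered from Temp.
    if re.match(r"[RS]\d ", s) and s.endswith("[X]") and "\\temp\\" in s.lower():
        return "driver registered from Temp with missing file"
    return None


def build_fixlist(log_lines, directives=("CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:")):
    """Assemble an FRST fixlist: 'start', directives, flagged lines verbatim, 'End'.

    FRST locates entries by matching the fixlist line against its own output,
    so flagged lines are copied exactly as logged (defanged URL included).
    Returns the fixlist text and the (line, reason) pairs it was built from.
    """
    flagged = [(line.strip(), reason) for line in log_lines if (reason := flag_line(line))]
    body = ["start", *directives, *(line for line, _ in flagged), "End"]
    return "\n".join(body), flagged


# Constructed sample: lines copied from the FRST log in this thread plus two
# clean control lines (the IEXPLORE entry with its URL removed, an Avast driver).
SAMPLE_FRST_LOG = r"""
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HomePage: Default -> hxxp://www.google.com/
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.safesear.ch/?type=20150219-150-ff-sm
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
FF DefaultSearchUrl: hxxps://search.yahoo.com/yhs/search
S3 cpuz134; \??\C:\Users\Jasmine\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-07-28] (AVAST Software)
""".strip("\n").splitlines()

if __name__ == "__main__":
    text, flagged = build_fixlist(SAMPLE_FRST_LOG)
    for line, reason in flagged:
        print(f"{reason:45s} {line[:70]}")
    print(text)
```

Note that the allowlist decides rule 3: the Firefox `Yahoo! (Avast)` search entries that nasdaq chose to remove pass here because `search.yahoo.com` is on the list, which is a judgment call, not a detection result. The generated text is only a starting point; review every line before saving it as `fixlist.txt`, since FRST will act on whatever is between `start` and `End`.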

#13 Sevenel

Sevenel
  • Topic Starter

  • Members
  • 45 posts
  • Local time:04:34 PM

Posted 23 October 2015 - 12:20 PM

The only change I noticed now is Internet Explorer now opens to "go.microsoft.com" instead of safesear.ch
Firefox still says "Couldn't open XPCOM"
Chrome still opens at safesear.ch.
 
Should be noted that IE says "Waiting for go.microsoft.com" and Chrome says "Resolving host..." at the bottom, but I can't get any page to load on either browser (yahoo.com, facebook.com, etc). The internet says it's connected, and I can browse just fine in Safe Mode.
 
 
 
 
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version:21-10-2015 01
Ran by Jasmine (2015-10-23 12:41:59) Run:2
Running from C:\Users\Jasmine\Desktop
Loaded Profiles: Jasmine (Available Profiles: Jasmine)
Boot Mode: Safe Mode (with Networking)
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.safesear.ch/?type=20150219-150-ie
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
SearchScopes: HKU\S-1-5-21-61570077-3675250410-2980569018-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.safesear.ch/web/?type=20150219-150-sshome-ie-df&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.safesear.ch/?type=20150219-150-ie-sm
FF DefaultSearchEngine: Yahoo! (Avast)
FF DefaultSearchUrl: hxxps://search.yahoo.com/yhs/search
FF SearchEngineOrder.1: Yahoo! (Avast)
FF SelectedSearchEngine: Yahoo! (Avast)
FF Keyword.URL: hxxps://search.yahoo.com/yhs/search
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.safesear.ch/?type=20150219-150-ff-sm
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S3 cpuz134; \??\C:\Users\Jasmine\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
C:\Program Files (x86)\GUT2E70.tmp
C:\Users\Jasmine\AppData\Local\Temp\144CC280-B594-EA99-C7D1-886ECFA425DA.dll
C:\Users\Jasmine\AppData\Local\Temp\bcbicabedgcaa.exe
C:\Users\Jasmine\AppData\Local\Temp\insHv21.exe
C:\Users\Jasmine\AppData\Local\Temp\Quarantine.exe
C:\Users\Jasmine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Jasmine\AppData\Local\Temp\sqlite3.dll
C:\Users\Jasmine\AppData\Local\Temp\{39BC20EF-A14E-4AFF-9A77-2772DDDB60D1}-43.0.2357.130_chrome_installer.exe
C:\Users\Jasmine\AppData\Local\Temp\{8B821C20-3175-4F40-8584-52F4E37E3143}.exe
 
End
*****************
 
Error: Restore point can only be created in normal mode.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\Software\Microsoft\Internet Explorer\Main\\Search Bar => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-61570077-3675250410-2980569018-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-61570077-3675250410-2980569018-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
Firefox DefaultSearchEngine removed successfully
Firefox DefaultSearchUrl removed successfully
Firefox SearchEngineOrder.1 removed successfully
Firefox SelectedSearchEngine removed successfully
Firefox "Keyword.URL" removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\\Default => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
cpuz134 => service removed successfully
C:\Program Files (x86)\GUT2E70.tmp => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\144CC280-B594-EA99-C7D1-886ECFA425DA.dll => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\bcbicabedgcaa.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\insHv21.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\Quarantine.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\ReimagePackage.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\sqlite3.dll => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\{39BC20EF-A14E-4AFF-9A77-2772DDDB60D1}-43.0.2357.130_chrome_installer.exe => moved successfully
C:\Users\Jasmine\AppData\Local\Temp\{8B821C20-3175-4F40-8584-52F4E37E3143}.exe => moved successfully
EmptyTemp: => 500.8 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 12:42:19 ====
 
 
 
RogueKiller V10.11.2.0 [Oct 20 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : Jasmine [Administrator]
Started from : C:\Users\Jasmine\Desktop\RogueKiller.exe
Mode : Scan -- Date : 10/23/2015 12:52:03
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 3 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B66B52FE-0124-4283-BEE4-E7563CC2DF87} | DhcpNameServer : 10.40.42.11 192.68.112.166 ([(Private Address) (XX)][UNITED STATES (US)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B66B52FE-0124-4283-BEE4-E7563CC2DF87} | DhcpNameServer : 10.40.42.11 192.68.112.166 ([(Private Address) (XX)][UNITED STATES (US)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B66B52FE-0124-4283-BEE4-E7563CC2DF87} | DhcpNameServer : 10.40.42.11 192.68.112.166 ([(Private Address) (XX)][UNITED STATES (US)])  -> Found
 
¤¤¤ Tasks : 4 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\CVML.job -- C:\Users\Jasmine\AppData\Roaming\CVML.exe (/infocmdline=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) -> Found
[Suspicious.Path] %WINDIR%\Tasks\HJPJR.job -- C:\Users\Jasmine\AppData\Roaming\HJPJR.exe (/infocmdline=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) -> Found
[Suspicious.Path] %WINDIR%\Tasks\KGUWDP.job -- C:\Users\Jasmine\AppData\Roaming\KGUWDP.exe (/infocmdline=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) -> Found
[Suspicious.Path] %WINDIR%\Tasks\OVGFXV.job -- C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe (/infocmdline=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) -> Found
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9320325AS ATA Device +++++
--- User ---
[MBR] 7fe50de72bef19557dca05af52a56c58
[BSP] 2ee18edf56eb573bfe8fc4993312b762 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 

 



#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:34 PM

Posted 23 October 2015 - 12:57 PM


Please run the RogueKiller tool and fix/delete these items.

¤¤¤ Tasks : 4 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\CVML.job -- C:\Users\Jasmine\AppData\Roaming\CVML.exe (/infocmdline=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) -> Found
[Suspicious.Path] %WINDIR%\Tasks\HJPJR.job -- C:\Users\Jasmine\AppData\Roaming\HJPJR.exe (/infocmdline=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) -> Found
[Suspicious.Path] %WINDIR%\Tasks\KGUWDP.job -- C:\Users\Jasmine\AppData\Roaming\KGUWDP.exe (/infocmdline=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) -> Found
[Suspicious.Path] %WINDIR%\Tasks\OVGFXV.job -- C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe (/infocmdline=GKr6FUf9iew4MOlQ7M2QVffZAfdzK4f03+DoHezsBiRLUB+Ur5txKvbMX3fruV8Y9a23u+W4J/a2r+aC8o2ZWqy4AnlTk/IurfNNHPQMDMbRB3JBW0XDRelzKzK/aw7ljvTOtQNOHIw/qrbrmOqoSNPpzNQwJ9e2FVryATuAjVKRTM70AfXMn1pZM/7ntaYEs7XxBjW6a7Bs6MKWWFqTB9ZYNpRoIqwVYfqbQ8wX7bBC93n40YTedDkS7zmosyqy6bpvErHqjrX+ZcLINEJQ6dpv33kHpTtkoxitFCKTFCyI+ogFdxl3EhrwLI31gGjPzX50D13A4V91+dErFQB6B8aaFOIB//hD0SWxGNvNnOIjp0oRRLwZqKuOcOpgiheh2pENqym+uyK4tFUpfNXuzfqyHU/heHxUE+tVXkXgN5GYF+2Jl+uOFp8K4iUs1Jt6hJ9pdcO4Cjv/RtZzwqIsJhbMydi2Hh7IN7XzHtwp2f1FqZTjNaj4E8uyMtG1aHMl) -> Found

Restart the computer normally.

How is it now?
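The four `Suspicious.Path` tasks share one shape: a `.job` in `%WINDIR%\Tasks` named after an executable of the same random name sitting in the user's `AppData\Roaming`, which is why RogueKiller groups them and why nasdaq asks for all four to be deleted. The report also lists the interface's `DhcpNameServer` values as `PUM.Dns`, a flag on the setting rather than a verdict. As an added example that is not part of this thread, of nasdaq's instructions or of RogueKiller, the script below parses both line kinds from constructed sample lines, scores each task on three properties (launched from a user-writable directory, task name mirroring the executable stem, short all-caps name) and classifies each DNS server as private or public with Python's `ipaddress` module. The `USER_WRITABLE` list, the two-reason threshold and the all-caps heuristic are assumptions of the example; the sample lines are taken from the report in this thread with the long `/infocmdline` blob shortened to `PLACEHOLDER`, plus one made-up benign control line in the same format.

```python
import ipaddress
import re

# "[Tag] <job path> -- <target exe> (<args>) -> Found", as RogueKiller prints tasks.
TASK_RE = re.compile(
    r"^\[(?P<tag>[\w.]+)\]\s+(?P<job>.+?\.job)\s+--\s+"
    r"(?P<target>[A-Za-z]:\\[^(]*?)\s*(?:\((?P<args>.*)\))?\s*->\s*(?P<state>\w+)$"
)
# "[PUM.Dns] ... | DhcpNameServer : <ip> <ip> (...) -> Found"
DNS_RE = re.compile(r"^\[PUM\.Dns\].*\|\s*(?:Dhcp)?NameServer\s*:\s*(?P<servers>[\d. ]+?)\s*\(")

# Directories a standard user can write to; a persistence task that launches
# from here needs no admin rights to be planted. Assumption of the example.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_task(line):
    """Parse one task line and list the reasons it looks like malware persistence."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    job = m.group("job").split("\\")[-1]
    target = m.group("target").strip()
    name = job[: -len(".job")]
    stem = target.split("\\")[-1].rsplit(".", 1)[0]
    reasons = []
    if any(d in target.lower() for d in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    if name.lower() == stem.lower():
        reasons.append("task name mirrors the executable name")
    # Heuristic: the tasks in this thread are 4-6 random capitals (CVML, HJPJR ...).
    if re.fullmatch(r"[A-Z]{4,8}", name):
        reasons.append("short all-caps random-looking name")
    return {"job": job, "target": target, "args": m.group("args") or "", "reasons": reasons}


def parse_dns(line):
    """Parse a PUM.Dns line into per-server records with a private/public verdict.

    A public resolver is not proof of hijacking (ISPs hand out public DNS via
    DHCP), but it is the value to compare against the router's own settings.
    """
    m = DNS_RE.match(line.strip())
    if not m:
        return None
    return [{"server": s, "private": ipaddress.ip_address(s).is_private}
            for s in m.group("servers").split()]


def triage(lines):
    """Summarise a report: every task parsed, those with 2+ reasons, public DNS servers."""
    tasks = [t for t in (parse_task(ln) for ln in lines) if t]
    dns = [d for d in (parse_dns(ln) for ln in lines) if d]
    return {
        "tasks": tasks,
        "suspicious_tasks": [t for t in tasks if len(t["reasons"]) >= 2],
        "public_dns": [d["server"] for group in dns for d in group if not d["private"]],
    }


# Constructed sample: three lines from the RogueKiller report in this thread
# (the long /infocmdline blob replaced by PLACEHOLDER) plus one made-up
# benign control line in the same format, which is not from the thread.
SAMPLE_ROGUEKILLER = [
    r"[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B66B52FE-0124-4283-BEE4-E7563CC2DF87} | DhcpNameServer : 10.40.42.11 192.68.112.166 ([(Private Address) (XX)][UNITED STATES (US)])  -> Found",
    r"[Suspicious.Path] %WINDIR%\Tasks\CVML.job -- C:\Users\Jasmine\AppData\Roaming\CVML.exe (/infocmdline=PLACEHOLDER) -> Found",
    r"[Suspicious.Path] %WINDIR%\Tasks\OVGFXV.job -- C:\Users\Jasmine\AppData\Roaming\OVGFXV.exe (/infocmdline=PLACEHOLDER) -> Found",
    r"[Suspicious.Path] %WINDIR%\Tasks\Adobe Flash Player Updater.job -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (-update plugin) -> Found",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ROGUEKILLER)
    for t in result["suspicious_tasks"]:
        print(t["job"], "->", t["target"], "|", "; ".join(t["reasons"]))
    print("public DNS servers:", result["public_dns"])
```

The `.job` file is only the launcher; deleting it without the executable in `AppData\Roaming` leaves the payload on disk, and deleting the executable without the task leaves a job that fails every trigger. The triage output lists both paths for that reason.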

#15 Sevenel

Sevenel
  • Topic Starter

  • Members
  • 45 posts
  • Local time:04:34 PM

Posted 24 October 2015 - 11:50 PM

Deleted the above files. No changes to any of the 3 browsers in regular mode.

I tried to run RogueKiller in regular mode to see if it would work and it loads up with "Initialization" in the Status box and just freezes.





