Infected with Ad-type.google Malware


This topic is locked
3 replies to this topic

#1 mcanos

  • Members
  • 2 posts

Posted 17 October 2015 - 06:32 AM

It's been months since I got this malware. Every time I click on search bars on any site (and for some sites all it takes is clicking on some blank space), a new tab starts popping up that starts with the ad-type.google link, but it finally redirects me to another site that advertises something or whatever!!

I gave up on getting rid of this malware using any antivirus software, including removal tools, because they usually detect the cookies and erase them but never the source of this problem. SpyHunter, for example!

I decided to format the hard drive and reinstall the OS, and I did so, only to find out that I still have that malware trolling me with my first click after opening Internet Explorer.

As for DDS, it didn't work, so I used FRST.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:16-10-2015
Ran by Ahmed (administrator) on AHMAD (16-10-2015 17:24:39)
Running from C:\Users\Ahmed\Downloads
Loaded Profiles: Ahmed (Available Profiles: Ahmed)
Platform: Windows 8.1 Single Language (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-21-3796375202-56556863-2467605043-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Users\Ahmed\DOWNLO~1\dds.scr

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 31.3.252.72 37.220.8.189
Tcpip\..\Interfaces\{252D5658-A49E-4002-A44B-6B141625F3F9}: [DhcpNameServer] 31.3.252.72 37.220.8.189

Internet Explorer:
==================
HKU\S-1-5-21-3796375202-56556863-2467605043-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/ar-eg/?ocid=iehp

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2505472 2015-10-09] (ESET)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [264040 2015-07-30] (ESET)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S0 eelam; C:\Windows\System32\DRIVERS\eelam.sys [14976 2015-07-30] (ESET)
R1 ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [186784 2015-07-30] (ESET)
R2 epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [170792 2015-07-30] (ESET)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-10-16] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-12-19] (Intel Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-16 22:30 - 2015-10-16 17:05 - 00652659 _____ C:\Windows\WindowsUpdate.log
2015-10-16 22:29 - 2015-10-16 22:29 - 00000000 __SHD C:\Recovery
2015-10-16 17:24 - 2015-10-16 17:24 - 00004903 _____ C:\Users\Ahmed\Downloads\FRST.txt
2015-10-16 17:23 - 2015-10-16 17:24 - 00000000 ____D C:\FRST
2015-10-16 17:23 - 2015-10-16 17:23 - 02196480 _____ (Farbar) C:\Users\Ahmed\Downloads\FRST64.exe
2015-10-16 15:53 - 2015-10-16 15:53 - 00000118 _____ C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2015-10-16 15:27 - 2015-10-16 13:36 - 00000000 ____D C:\Windows\Panther
2015-10-16 15:26 - 2015-10-16 15:26 - 00008192 __RSH C:\BOOTSECT.BAK
2015-10-16 14:46 - 2015-10-16 14:47 - 09317168 _____ (ESET, spol. s r.o.) C:\Users\Ahmed\Downloads\eset_sysrescue_live_creator_enu.exe
2015-10-16 14:41 - 2015-10-16 14:41 - 00000401 _____ C:\Windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2015-10-16 14:22 - 2015-10-16 17:04 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-16 14:22 - 2015-10-16 14:22 - 00001114 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-16 14:22 - 2015-10-16 14:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-16 14:22 - 2015-10-16 14:22 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-10-16 14:22 - 2015-10-16 14:22 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-16 14:22 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-16 14:22 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-16 14:22 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-10-16 14:08 - 2015-10-16 14:08 - 00002647 _____ C:\Users\Ahmed\Desktop\µTorrent.lnk
2015-10-16 14:07 - 2015-10-16 14:39 - 00000000 ____D C:\Users\Ahmed\AppData\Roaming\uTorrent
2015-10-16 14:02 - 2015-10-16 14:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2015-10-16 14:02 - 2015-10-16 14:02 - 00000000 ____D C:\ProgramData\ESET
2015-10-16 14:01 - 2015-10-16 14:01 - 00000000 ____D C:\Program Files\ESET
2015-10-16 13:58 - 2015-10-16 14:42 - 00000000 ____D C:\Intel
2015-10-16 13:58 - 2015-10-16 13:58 - 00000000 ____D C:\Program Files (x86)\Intel
2015-10-16 13:57 - 2015-10-16 13:57 - 00000000 ____D C:\Windows\LastGood.Tmp
2015-10-16 13:57 - 2015-10-16 13:57 - 00000000 ____D C:\Users\Ahmed\AppData\Roaming\WinRAR
2015-10-16 13:57 - 2015-10-16 13:57 - 00000000 ____D C:\Program Files\Intel
2015-10-16 13:56 - 2015-10-16 13:56 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2015-10-16 13:56 - 2015-10-16 13:56 - 00000000 ____D C:\Users\Ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-10-16 13:56 - 2015-10-16 13:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-10-16 13:56 - 2015-10-16 13:56 - 00000000 ____D C:\Program Files (x86)\WinRAR
2015-10-16 13:50 - 2015-10-16 13:50 - 00000000 ____D C:\Users\Ahmed\AppData\Roaming\Macromedia
2015-10-16 13:48 - 2015-10-16 13:48 - 02838216 _____ (ESET) C:\Users\Ahmed\Downloads\eset_nod32_antivirus_live_installer.exe
2015-10-16 13:48 - 2015-10-16 13:48 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_TeeDriverx64_01011.Wdf
2015-10-16 13:47 - 2015-10-16 13:47 - 00000000 ____D C:\AMD
2015-10-16 13:44 - 2015-10-16 13:44 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_LocationProvider_01_11_00.Wdf
2015-10-16 13:43 - 2015-10-16 14:42 - 00003914 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{FAEE859F-60D3-4D6D-A79D-FC1D6F778C78}
2015-10-16 13:43 - 2015-10-16 13:43 - 00000000 __SHD C:\Users\Ahmed\AppData\LocalLow\EmieUserList
2015-10-16 13:43 - 2015-10-16 13:43 - 00000000 __SHD C:\Users\Ahmed\AppData\LocalLow\EmieSiteList
2015-10-16 13:43 - 2015-10-16 13:43 - 00000000 __SHD C:\Users\Ahmed\AppData\Local\EmieUserList
2015-10-16 13:43 - 2015-10-16 13:43 - 00000000 __SHD C:\Users\Ahmed\AppData\Local\EmieSiteList
2015-10-16 13:43 - 2015-10-16 13:43 - 00000000 ____D C:\Users\Ahmed\AppData\Local\GWX
2015-10-16 13:42 - 2015-10-16 17:09 - 00003594 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3796375202-56556863-2467605043-1001
2015-10-16 13:37 - 2015-10-16 13:37 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-10-16 13:36 - 2015-10-16 14:42 - 00000000 ____D C:\Users\Ahmed
2015-10-16 13:36 - 2015-10-16 13:37 - 00000000 ____D C:\Users\Ahmed\AppData\Local\Packages
2015-10-16 13:36 - 2015-10-16 13:36 - 00001442 _____ C:\Users\Ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-10-16 13:36 - 2015-10-16 13:36 - 00000020 ___SH C:\Users\Ahmed\ntuser.ini
2015-10-16 13:36 - 2015-10-16 13:36 - 00000000 ____D C:\Users\Ahmed\AppData\Roaming\Adobe
2015-10-16 13:36 - 2015-10-16 13:36 - 00000000 ____D C:\Users\Ahmed\AppData\Local\VirtualStore
2015-10-16 13:36 - 2014-03-18 09:00 - 00000000 ___RD C:\Users\Ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-10-16 13:36 - 2014-03-18 09:00 - 00000000 ___RD C:\Users\Ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-10-16 13:36 - 2014-03-18 08:40 - 00000369 _____ C:\Users\Ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2015-10-16 13:36 - 2014-03-18 08:40 - 00000369 _____ C:\Users\Ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2015-10-16 13:36 - 2013-08-22 08:36 - 00000000 ___RD C:\Users\Ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-10-16 13:36 - 2013-08-22 08:36 - 00000000 ____D C:\Users\Ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-10-16 13:35 - 2015-10-16 13:37 - 00000000 ___SD C:\Windows\system32\GWX
2015-10-16 13:35 - 2015-10-16 13:35 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-10-16 13:32 - 2015-08-10 19:47 - 02757072 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2015-10-16 13:32 - 2015-08-10 19:47 - 02414096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2015-10-16 13:32 - 2015-07-09 12:51 - 00136904 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-10-16 13:32 - 2015-07-09 11:48 - 00131712 _____ (Microsoft Corporation) C:\Windows\system32\RestoreOptIn.exe
2015-10-16 13:32 - 2015-07-09 11:40 - 00359936 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-10-16 13:32 - 2015-07-09 10:59 - 00112624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RestoreOptIn.exe
2015-10-16 13:32 - 2015-07-09 09:03 - 03701760 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-10-16 13:32 - 2015-07-09 08:54 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-10-16 13:32 - 2015-07-09 08:53 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-10-16 13:32 - 2015-07-09 08:50 - 00409088 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2015-10-16 13:32 - 2015-07-09 08:50 - 00095744 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-10-16 13:32 - 2015-07-09 08:48 - 00891904 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-10-16 13:32 - 2015-07-09 08:46 - 02229248 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-10-16 13:32 - 2015-07-09 08:38 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-10-16 13:32 - 2015-07-09 08:37 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-10-16 13:32 - 2015-07-09 08:35 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-10-16 13:32 - 2015-07-09 08:34 - 00721920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-10-16 13:32 - 2015-06-26 20:08 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-10-16 13:32 - 2015-06-26 20:08 - 00052224 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-10-16 13:32 - 2015-06-26 19:14 - 00027136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-10-16 13:32 - 2015-03-13 18:51 - 00015360 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-10-16 13:32 - 2014-10-17 23:50 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\wuaext.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-16 22:30 - 2013-08-22 07:44 - 00335784 _____ C:\Windows\system32\FNTCACHE.DAT
2015-10-16 22:29 - 2013-08-22 08:37 - 00002664 _____ C:\Windows\DtcInstall.log
2015-10-16 22:29 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\Recovery
2015-10-16 17:08 - 2014-03-18 08:32 - 00818732 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-16 17:04 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\sru
2015-10-16 17:03 - 2014-03-18 01:19 - 00003690 _____ C:\Windows\PFRO.log
2015-10-16 17:03 - 2013-08-22 07:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-16 15:53 - 2013-08-22 08:43 - 00000000 ____D C:\Windows\DigitalLocker
2015-10-16 15:36 - 2013-08-22 06:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-10-16 15:26 - 2013-08-22 08:36 - 00262144 _____ C:\Windows\system32\config\BCD-Template
2015-10-16 14:48 - 2013-08-22 07:46 - 00014619 _____ C:\Windows\setupact.log
2015-10-16 14:41 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\MediaViewer
2015-10-16 14:02 - 2013-08-22 08:36 - 00000000 ___HD C:\Windows\ELAMBKUP
2015-10-16 13:47 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\AppReadiness
2015-10-16 13:35 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\SysWOW64\en-GB
2015-10-16 13:35 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\en-GB
2015-10-16 13:33 - 2013-08-22 08:20 - 00000000 ____D C:\Windows\CbsTemp
2015-10-16 13:33 - 2013-08-22 06:36 - 00000000 ____D C:\Windows\system32\AdvancedInstallers
2015-10-16 13:31 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\rescache

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-16 22:27

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version:16-10-2015
Ran by Ahmed (2015-10-16 17:25:01)
Running from C:\Users\Ahmed\Downloads
Windows 8.1 Single Language (X64) (2015-10-16 20:36:07)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3796375202-56556863-2467605043-500 - Administrator - Disabled)
Ahmed (S-1-5-21-3796375202-56556863-2467605043-1001 - Administrator - Enabled) => C:\Users\Ahmed
Guest (S-1-5-21-3796375202-56556863-2467605043-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET NOD32 Antivirus 9.0.318.0 (Enabled - Up to date) {19259FAE-8396-A113-46DB-15B0E7DFA289}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: ESET NOD32 Antivirus 9.0.318.0 (Enabled - Up to date) {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-3796375202-56556863-2467605043-1001\...\uTorrent) (Version: 3.4.5.41202 - BitTorrent Inc.)
ESET NOD32 Antivirus (HKLM\...\{60853F5E-E6F5-4A34-BBCD-C09D49BB5E64}) (Version: 9.0.318.0 - ESET, spol. s r.o.)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4264 - Intel Corporation)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
WinRAR 5.01 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3796375202-56556863-2467605043-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)

==================== Restore Points =========================

16-10-2015 13:32:58 Windows Modules Installer

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2015-10-16 13:59 - 00003139 ____A C:\Windows\system32\Drivers\etc\hosts

0.0.0.0 vortex.data.microsoft.com
0.0.0.0 vortex-win.data.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
0.0.0.0 oca.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com.nsatc.net
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com.nsatc.net
0.0.0.0 redir.metaservices.microsoft.com
0.0.0.0 choice.microsoft.com
0.0.0.0 choice.microsoft.com.nsatc.net
0.0.0.0 wes.df.telemetry.microsoft.com
0.0.0.0 services.wes.df.telemetry.microsoft.com
0.0.0.0 sqm.df.telemetry.microsoft.com
0.0.0.0 telemetry.microsoft.com
0.0.0.0 watson.ppe.telemetry.microsoft.com
0.0.0.0 telemetry.appex.bing.net
0.0.0.0 telemetry.urs.microsoft.com
0.0.0.0 telemetry.appex.bing.net:443
0.0.0.0 settings-sandbox.data.microsoft.com
0.0.0.0 survey.watson.microsoft.com
0.0.0.0 watson.live.com
0.0.0.0 watson.microsoft.com
0.0.0.0 statsfe2.ws.microsoft.com
0.0.0.0 corpext.msitadfs.glbdns2.microsoft.com
0.0.0.0 compatexchange.cloudapp.net
0.0.0.0 a-0001.a-msedge.net
0.0.0.0 statsfe2.update.microsoft.com.akadns.net

There are 34 more lines.


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Loaded Modules (Whitelisted) ==============

2015-08-09 04:50 - 2015-08-09 04:50 - 00404376 _____ () C:\Windows\system32\igfxTray.exe

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3796375202-56556863-2467605043-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 31.3.252.72 - 37.220.8.189
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{B40F22DD-5804-4C81-B83A-DC6EA30EBFA8}] => (Allow) C:\Users\Ahmed\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{4E159EA5-2CDE-4185-8E40-CB967B8502F9}] => (Allow) C:\Users\Ahmed\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{1A3B8B6E-1065-4D25-A7F3-671BE1C2E350}] => (Allow) C:\Users\Ahmed\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{03FF99D2-D946-43BC-A8DF-2053BD6103B4}] => (Allow) C:\Users\Ahmed\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{E84D3B10-770A-47FF-A94C-83396F28DAF3}] => (Allow) C:\Users\Ahmed\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{117147DF-7A00-4DF4-B5D5-F6EA6920E845}] => (Allow) C:\Users\Ahmed\AppData\Roaming\uTorrent\uTorrent.exe

==================== Faulty Device Manager Devices =============

Name: Network Controller
Description: Network Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: USB2.0-CRW
Description: USB2.0-CRW
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (10/16/2015 01:47:23 PM) (Source: ATIeRecord) (EventID: 16386) (User: )
Description: ATI EEU Client has failed to start


System errors:
=============
Error: (10/16/2015 05:11:10 PM) (Source: Schannel) (EventID: 4102) (User: NT AUTHORITY)
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

Error: (10/16/2015 05:06:35 PM) (Source: Schannel) (EventID: 4102) (User: NT AUTHORITY)
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

Error: (10/16/2015 02:02:04 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (10/16/2015 10:28:22 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error:
%%21

Error: (10/16/2015 10:28:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The IP Helper service terminated with the following error:
%%1058

Error: (10/16/2015 10:27:34 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!


==================== Memory info ===========================

Processor: Intel® Core™ i7-4510U CPU @ 2.00GHz
Percentage of memory in use: 25%
Total physical RAM: 6040.36 MB
Available physical RAM: 4502.93 MB
Total Virtual: 7704.36 MB
Available Virtual: 5950.59 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:150.63 GB) (Free:133.53 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:780.53 GB) (Free:771.11 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: D9FA2484)
Partition 1: (Active) - (Size=150.6 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=780.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
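As an added example (not FRST's code and not anything posted in this thread), here is a small Python triage script that reads the DNS resolver lines in the FRST output above, separates DHCP-supplied resolvers from the summary line, and flags DHCP-supplied public resolvers that are not on an allow-list the analyst maintains (the allow-list values and the `EXPECTED_RESOLVERS` name are assumptions). A resolver handed out by DHCP comes from the gateway rather than from the client, which is why reinstalling the OS does not change it and why a DNS change on the router or the client can resolve this kind of redirect.

```python
"""Triage the DNS resolver lines of an FRST log for DHCP-supplied resolvers.

Added example for this thread; it is not part of FRST or of anything the
poster ran. It reads the DNS-related line formats that appear in the posted
FRST.txt / Addition.txt and flags resolvers that (a) were handed out by DHCP,
i.e. by the router, and (b) are public addresses not on the analyst's
allow-list. Such resolvers survive an OS reinstall.
"""
import ipaddress
import re

# Constructed sample: the DNS lines copied from the FRST output in the post.
SAMPLE_LOG = """\
Tcpip\\Parameters: [DhcpNameServer] 31.3.252.72 37.220.8.189
Tcpip\\..\\Interfaces\\{252D5658-A49E-4002-A44B-6B141625F3F9}: [DhcpNameServer] 31.3.252.72 37.220.8.189
DNS Servers: 31.3.252.72 - 37.220.8.189
"""

# Assumption: resolvers the owner deliberately configured. The two values are
# well-known public resolvers used only as placeholders for an allow-list.
EXPECTED_RESOLVERS = {"8.8.8.8", "1.1.1.1"}

# "Tcpip\Parameters: [DhcpNameServer] a b" / "[NameServer] a b" (space-separated)
_REG_LINE = re.compile(
    r"^(?P<key>Tcpip\\.*?):\s+\[(?P<name>DhcpNameServer|NameServer)\]\s+(?P<servers>.+)$"
)
# "DNS Servers: a - b" in the Other Areas section (dash-separated)
_DNS_LINE = re.compile(r"^DNS Servers:\s+(?P<servers>.+)$")


def parse_dns_entries(log_text):
    """Return one dict per DNS line: source key, server list, and whether DHCP supplied it."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _REG_LINE.match(line)
        if m:
            entries.append({
                "source": f"{m.group('key')} [{m.group('name')}]",
                "servers": m.group("servers").split(),
                "dhcp": m.group("name") == "DhcpNameServer",
            })
            continue
        m = _DNS_LINE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(" - ") if s.strip()]
            # FRST's summary line does not say where the values came from.
            entries.append({"source": "DNS Servers", "servers": servers, "dhcp": False})
    return entries


def classify_resolver(ip_text, expected):
    """expected | private | public-unexpected | invalid, for a single resolver address."""
    if ip_text in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    # A home router handing out its own LAN address is the normal DHCP case.
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public-unexpected"


def triage(log_text, expected):
    """Summarise the log: every resolver's class plus the DHCP-supplied public ones to review."""
    entries = parse_dns_entries(log_text)
    classes = {}
    dhcp_review = []
    for entry in entries:
        for ip_text in entry["servers"]:
            cls = classify_resolver(ip_text, expected)
            classes[ip_text] = cls
            if entry["dhcp"] and cls == "public-unexpected" and ip_text not in dhcp_review:
                dhcp_review.append(ip_text)
    return {"entries": entries, "classes": classes, "dhcp_public_unexpected": dhcp_review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, EXPECTED_RESOLVERS)
    for ip_text, cls in result["classes"].items():
        print(f"{ip_text:16} {cls}")
    if result["dhcp_public_unexpected"]:
        # DHCP-supplied resolvers come from the gateway, so a reinstall of the
        # client OS leaves them in place: check the router's DNS/DHCP settings.
        print("Review router DNS settings for:", ", ".join(result["dhcp_public_unexpected"]))
```

The script only reports resolvers for review; whether a given public resolver is legitimate is a judgement the analyst makes from the allow-list and the log, not something the script decides.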




#2 nasdaq

  • Malware Response Team
  • 40,540 posts
  • Location: Montreal, QC, Canada

Posted 19 October 2015 - 08:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false-positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10 and 11, follow these instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

How is the computer running now?

#3 mcanos

  • Topic Starter
  • Members
  • 2 posts

Posted 20 October 2015 - 11:58 AM

Sorry for the late reply. Actually, I managed to solve the problem by changing the DNS. Thank you very much for your concern and good luck!



#4 nasdaq

  • Malware Response Team
  • 40,540 posts
  • Location: Montreal, QC, Canada

Posted 21 October 2015 - 08:09 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



