eBay search engine redirect - needtofeed


  • This topic is locked
4 replies to this topic

#1 amoled1

  • Members
  • 2 posts

Posted 29 December 2015 - 12:42 AM

Earlier today I clicked on an eBay link on Google for some rose gold Nike Air Max's (be careful) and got the following page: http://i.imgur.com/xmAELCt.png <- screenshot of when I tried it in Opera after Chrome

When you click on "I do not wish to view this page" it goes to this teal green page with a giant picture of a hubcap in the middle, and the name "Yardley Cardozo" on the side, and "search the engine now!!!" all over the page (I didn't get a screenshot and didn't want to risk going back). It's not an eBay store. The URL stayed the same, "ebay" but without the https, just http.

I deleted internet files/cookies and ran Malwarebytes; it found nothing. I tried a different browser (Opera) and it does the same thing, so it's probably not Chrome. Restarted the computer, then tried to go to eBay again to change my password, since you can't do it on your cell phone. It sent me to Google. The exact URL it redirected to is "https://www.google.com/?gws_rd=ssl". No more "needtofeed" but I can't get into my eBay and I'm wondering if it's been hacked.

Here is my FRST log, thank you for reading and trying to help me:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:28-12-2015
Ran by Me (administrator) on LAPTOP (29-12-2015 00:07:36)
Running from C:\Users\Me\Desktop
Loaded Profiles: Me (Available Profiles: Me)
Platform: Windows 8 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnCfg.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnWMI.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\ismagent.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.1\GoogleCrashHandler.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.1\GoogleCrashHandler64.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(DEVGURU Co., LTD.) C:\Program Files\Samsung\USB Drivers\25_escape\conn\ss_conn_service.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Update\GoogleUpdate.exe
(Akamai Technologies, Inc.) C:\Users\Me\AppData\Local\Akamai\netsession_win.exe
(Comfort Software Group) C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe
(Polenter - Software Solutions) C:\Program Files (x86)\Desktop-Reminder 2\DesktopReminder2.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Akamai Technologies, Inc.) C:\Users\Me\AppData\Local\Akamai\netsession_win.exe
() C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\updateui.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Me\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13192848 2012-08-20] (Realtek Semiconductor)
HKLM\...\Run: [CDAServer] => C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe [462712 2012-03-09] ()
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-01-27] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2014-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ASUSWebStorage] => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\AsusWSPanel.exe [3417984 2012-08-27] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-11-09] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3400933972-4142425231-113131321-1001\...\Run: [Google Update] => C:\Users\Me\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-27] (Google Inc.)
HKU\S-1-5-21-3400933972-4142425231-113131321-1001\...\Run: [AmazonMP3DownloaderHelper] => C:\Users\Me\AppData\Local\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe [397632 2013-04-05] ()
HKU\S-1-5-21-3400933972-4142425231-113131321-1001\...\Run: [Akamai NetSession Interface] => C:\Users\Me\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-3400933972-4142425231-113131321-1001\...\Run: [FreeAC] => C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe [1553688 2014-02-20] (Comfort Software Group)
HKU\S-1-5-21-3400933972-4142425231-113131321-1001\...\Run: [DesktopReminder2ByPolenter] => C:\Program Files (x86)\Desktop-Reminder 2\DesktopReminder2.exe [2826256 2014-05-19] (Polenter - Software Solutions)
HKU\S-1-5-21-3400933972-4142425231-113131321-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Mystify.scr [241664 2012-07-25] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2015-10-21] ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 207.69.188.186 207.69.188.187
Tcpip\..\Interfaces\{D33A7879-A3FD-41D4-B517-230FC9882D8B}: [DhcpNameServer] 192.168.1.1 207.69.188.186 207.69.188.187
Tcpip\..\Interfaces\{DE6546A5-E0BD-4C01-B634-07E28082D144}: [DhcpNameServer] 40.54.1.201 40.54.1.203
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3400933972-4142425231-113131321-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
HKU\S-1-5-21-3400933972-4142425231-113131321-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com
SearchScopes: HKU\S-1-5-21-3400933972-4142425231-113131321-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3400933972-4142425231-113131321-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3400933972-4142425231-113131321-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=IDSS&chn=retail&geo=US&ver=2014&locale=en_US&gct=kwd&qsrc=2869
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-11-22] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-11-22] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-3400933972-4142425231-113131321-1001 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
 
FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll [2013-04-03] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-20] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-11-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-11-22] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3400933972-4142425231-113131321-1001: @kcp.co.kr/plugin_hub;version=1 -> C:\Program Files (x86)\KCP\Plugin\npKCPHubPlugin.dll [2013-10-25] (KCP CO.,LTD)
FF Plugin HKU\S-1-5-21-3400933972-4142425231-113131321-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Me\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-04] (Google Inc.)
FF Plugin HKU\S-1-5-21-3400933972-4142425231-113131321-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Me\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-04] (Google Inc.)
FF Plugin HKU\S-1-5-21-3400933972-4142425231-113131321-1001: amazon.com/AmazonMP3DownloaderPlugin -> C:\Users\Me\AppData\Local\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10181.dll [2013-04-15] (Amazon.com, Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://asus13.msn.com/
CHR Session Restore: Default -> is enabled.
CHR Plugin: (Shockwave Flash) - C:\Users\Me\AppData\Local\Google\Chrome\Application\47.0.2526.106\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Native Client) - C:\Users\Me\AppData\Local\Google\Chrome\Application\47.0.2526.106\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Me\AppData\Local\Google\Chrome\Application\47.0.2526.106\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Google Update) - C:\Users\Me\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll => No File
CHR Plugin: (McAfee SecurityCenter) - c:\progra~2\mcafee\msc\npmcsn~1.dll => No File
CHR Profile: C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Dewey Bookmarks) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\aahpfefkmihhdabllidnlipghcjgpkdm [2015-10-31]
CHR Extension: (Google Translate) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2015-11-23]
CHR Extension: (YouTube) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-28]
CHR Extension: (Pushbullet) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\chlffgpmiacpedhhbkiomidkjlcfhogd [2015-12-28]
CHR Extension: (Google Search) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-31]
CHR Extension: (Panda Poet) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\daicmhhkdcccfobnkidlhnieapcikadf [2013-10-14]
CHR Extension: (Pixlr-o-matic) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehcibdjmpjlekgjhepbfmenfppliikcj [2014-03-02]
CHR Extension: (Block site) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\eiimnmioipafcokbfikbljfdeojpcgbh [2015-07-22]
CHR Extension: (Search YouTube) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\ekiijecongnkbcikpkkoalboflbhoiap [2012-12-14]
CHR Extension: (The Camelizer) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghnomdcacenbmilgjigehppbamfndblo [2015-08-30]
CHR Extension: (Pin It Button) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2015-12-05]
CHR Extension: (Protect My Choices) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdgloanjhdcenjgiafkpbehddcnonlic [2015-11-23]
CHR Extension: (Windows Media Player Extension for HTML5) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokdglbhghcebcopdbanieangmcamaak [2014-05-12] [UpdateUrl: hxxp://www.interoperabilitybridges.com/ChromeWMP/wmpChromeupdates.xml] <==== ATTENTION
CHR Extension: (Image Properties Context Menu) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\khagclindddokccfbmfmckaflngbmpon [2013-07-03]
CHR Extension: (View Background Image) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\knnjokagadbonknppgkjgjpiolcijbmg [2012-12-14]
CHR Extension: (Enable Copy) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmnganadkecefnhncokdlaohlkneihio [2013-10-13]
CHR Extension: (Lazarus: Form Recovery) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\loljledaigphbcpfhfmgopdkppkifgno [2014-10-11]
CHR Extension: (Lightshot (screenshot tool)) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbniclmhobmnbdlbpiphghaielnnpgdp [2014-10-29]
CHR Extension: (Ghostery) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2015-09-20]
CHR Extension: (Convert Case Menu) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\neineehhbgjpcmlokkckgcengmgngnii [2014-10-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-30]
CHR Extension: (Auto-Translate) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\obgoiaeapddkeekbocomnjlckbbfapmk [2015-12-28]
CHR Extension: (Gmail) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R2 ASUS InstantOn; C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe [277120 2012-04-13] (ASUS)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-12-30] (DEVGURU Co., LTD.)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16056 2014-03-29] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [62848 2012-11-20] (ASUS Corporation)
S3 DFX11_1; C:\Windows\system32\drivers\dfx11_1x64.sys [28008 2012-12-13] (Windows ® Win 7 DDK provider)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3265256 2012-09-20] (Broadcom Corporation)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [14992 2012-08-01] ( )
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [35856 2014-03-28] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [269592 2014-03-23] (Microsoft Corporation)
U0 msahci; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-29 00:07 - 2015-12-29 00:08 - 00021444 _____ C:\Users\Me\Desktop\FRST.txt
2015-12-29 00:07 - 2015-12-29 00:07 - 00000000 ____D C:\FRST
2015-12-29 00:06 - 2015-12-29 00:06 - 02370560 _____ (Farbar) C:\Users\Me\Desktop\FRST64.exe
2015-12-19 08:42 - 2015-12-29 00:01 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-19 08:42 - 2015-12-26 19:32 - 00000892 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2015-12-19 08:42 - 2015-12-19 08:42 - 00003846 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2015-12-19 08:42 - 2015-12-19 08:42 - 00003718 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-12-19 08:33 - 2015-12-19 08:33 - 00003826 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1450531892
2015-12-19 08:33 - 2015-12-19 08:33 - 00000000 ____D C:\Users\Me\AppData\Roaming\Opera Software
2015-12-19 08:33 - 2015-12-19 08:33 - 00000000 ____D C:\Users\Me\AppData\Local\Opera Software
2015-12-19 08:31 - 2015-12-19 08:31 - 00001137 _____ C:\Users\Public\Desktop\Opera.lnk
2015-12-19 08:31 - 2015-12-19 08:31 - 00001137 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2015-12-19 08:30 - 2015-12-19 08:34 - 00000000 ____D C:\Program Files (x86)\Opera
2015-12-19 08:30 - 2015-12-19 08:30 - 00720336 _____ (Opera Software) C:\Users\Me\Desktop\Opera_NI_stable.exe
2015-12-18 20:53 - 2015-12-18 20:53 - 02728204 _____ C:\Users\Me\Desktop\U1271600_HiddenGems_Guide.pdf
2015-12-04 16:58 - 2015-12-04 16:58 - 00000858 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3400933972-4142425231-113131321-1001Core1d12eded99b73bd.job
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-29 00:07 - 2012-07-26 00:37 - 00000000 ____D C:\Windows
2015-12-28 23:51 - 2013-05-04 10:13 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-28 22:51 - 2013-05-04 10:13 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-28 22:28 - 2012-12-14 21:09 - 00503918 _____ C:\Windows\system32\perfh012.dat
2015-12-28 22:28 - 2012-12-14 21:09 - 00132686 _____ C:\Windows\system32\perfc012.dat
2015-12-28 22:28 - 2012-08-02 02:09 - 00797120 _____ C:\Windows\system32\perfh00A.dat
2015-12-28 22:28 - 2012-08-02 02:09 - 00162488 _____ C:\Windows\system32\perfc00A.dat
2015-12-28 22:28 - 2012-08-02 02:04 - 00799196 _____ C:\Windows\system32\perfh00C.dat
2015-12-28 22:28 - 2012-08-02 02:04 - 00155218 _____ C:\Windows\system32\perfc00C.dat
2015-12-28 22:28 - 2012-07-26 02:28 - 03371010 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-28 22:28 - 2012-07-26 00:37 - 00000000 ____D C:\Windows\Inf
2015-12-28 22:23 - 2012-10-05 18:14 - 00000868 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2015-12-28 22:23 - 2012-07-26 02:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-28 22:23 - 2012-07-26 00:26 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-12-28 21:59 - 2014-07-03 16:06 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-28 21:51 - 2013-03-23 03:20 - 01800704 ___SH C:\Users\Me\Desktop\Thumbs.db
2015-12-28 18:08 - 2012-10-05 18:14 - 00000870 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2015-12-24 09:49 - 2012-12-15 07:29 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3400933972-4142425231-113131321-1001
2015-12-19 08:42 - 2012-12-14 20:51 - 00000000 ____D C:\Users\Me\AppData\Local\Adobe
2015-12-16 17:22 - 2012-12-15 07:37 - 00002351 _____ C:\Users\Me\Desktop\Google Chrome.lnk
2015-12-08 22:39 - 2012-12-17 18:53 - 00301728 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-12-04 16:58 - 2015-09-15 15:08 - 00000858 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3400933972-4142425231-113131321-1001Core1d0eff241f92e1b.job
2015-12-03 22:46 - 2013-05-04 10:13 - 00003892 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-12-03 22:46 - 2013-05-04 10:13 - 00003656 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
 
==================== Files in the root of some directories =======
 
2013-08-16 20:42 - 2013-10-18 18:22 - 0004608 _____ () C:\Users\Me\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-04 21:25 - 2012-07-30 01:03 - 0000217 _____ () C:\ProgramData\SetStretch.cmd
2012-08-04 21:25 - 2009-07-22 05:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
 
Files to move or delete:
====================
C:\Users\Me\openAviToGif_settings.dat
 
 
Some files in TEMP:
====================
C:\Users\Me\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Me\AppData\Local\Temp\jre-8u40-windows-au.exe
C:\Users\Me\AppData\Local\Temp\jre-8u51-windows-au.exe
C:\Users\Me\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\Me\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\Me\AppData\Local\Temp\mpam-525b251.exe
C:\Users\Me\AppData\Local\Temp\mpam-a441a0be.exe
C:\Users\Me\AppData\Local\Temp\mpam-e29c440a.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-27 15:35
 
==================== End of FRST.txt ============================
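A triage pass over FRST log lines like the ones above, as an added example that is not part of this thread or of the FRST tool: it shortlists entries FRST tags ATTENTION, entries whose target file is missing, and search scopes pointing at a provider outside an assumed allowlist (the allowlist and the sample lines are constructed for the example), which is the kind of shortlist a responder reviews before anything goes into a fixlist.

```python
"""Triage pass over FRST (Farbar Recovery Scan Tool) log lines.

Added example, not part of this thread or of FRST itself. It shortlists the
entries a responder looks at first: lines FRST has tagged ATTENTION, entries
whose target file no longer exists, and search scopes that send queries to an
unexpected provider. The shortlist is for human review, not automatic removal.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed allowlist of search hosts the user would expect (an assumption made
# for this example, not a list FRST ships). Anything else gets flagged.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Suffixes FRST itself writes on entries that deserve a look or point nowhere.
ATTENTION_SUFFIX = "ATTENTION"
DANGLING_SUFFIXES = ("No File", "not found", "no ImagePath")

# Constructed sample in the shape of the log above (a handful of its lines).
SAMPLE_LOG = r"""
==================== Internet (Whitelisted) ====================
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 207.69.188.186 207.69.188.187
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-3400933972-4142425231-113131321-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3400933972-4142425231-113131321-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=IDSS
Toolbar: HKU\S-1-5-21-3400933972-4142425231-113131321-1001 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
CHR Plugin: (Native Client) - C:\Users\Me\AppData\Local\Google\Chrome\Application\47.0.2526.106\ppGoogleNaClPluginChrome.dll => No File
CHR Extension: (Windows Media Player Extension for HTML5) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokdglbhghcebcopdbanieangmcamaak [2014-05-12] [UpdateUrl: hxxp://www.interoperabilitybridges.com/ChromeWMP/wmpChromeupdates.xml] <==== ATTENTION
CHR Extension: (Ghostery) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2015-09-20]
U0 msahci; no ImagePath
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16056 2014-03-29] (Microsoft Corporation)
"""


@dataclass(frozen=True)
class Finding:
    reason: str  # why the line made the shortlist
    line: str    # the FRST line verbatim, which is what a fixlist carries


def refang(url: str) -> str:
    """FRST writes hxxp/hxxps so logs are not clickable; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url, count=1)


def search_scope_url(line: str) -> Optional[str]:
    """URL of a SearchScopes line ('' when the scope is empty); None for other lines."""
    if not line.startswith("SearchScopes:"):
        return None
    _, sep, url = line.partition("URL =")
    return url.strip() if sep else None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line deserves review, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("===="):
        return None  # blank line or section banner
    if stripped.endswith(ATTENTION_SUFFIX):
        return Finding("flagged by FRST", stripped)
    if stripped.endswith(DANGLING_SUFFIXES):
        return Finding("points at a missing file", stripped)
    url = search_scope_url(stripped)
    if url is None:
        return None
    if url == "":
        return Finding("empty search scope", stripped)
    host = urlsplit(refang(url)).hostname or ""
    if host not in EXPECTED_SEARCH_HOSTS:
        return Finding(f"search scope routed to {host}", stripped)
    return None


def triage(log_text: str) -> List[Finding]:
    """Shortlist every line of an FRST log that deserves a second look."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def fixlist_body(findings: List[Finding]) -> List[str]:
    """Verbatim lines in the form a responder pastes into a fixlist after review."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason:45} {finding.line[:70]}")
```

Entries such as the empty default scope make the shortlist only so a person can decide; in the thread the helper left that one alone and kept the Ask.com scope, the dangling plugins and the ATTENTION lines.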


#2 nasdaq

  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 December 2015 - 10:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-3400933972-4142425231-113131321-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=IDSS&chn=retail&geo=US&ver=2014&locale=en_US&gct=kwd&qsrc=2869
Toolbar: HKU\S-1-5-21-3400933972-4142425231-113131321-1001 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
CHR Plugin: (Native Client) - C:\Users\Me\AppData\Local\Google\Chrome\Application\47.0.2526.106\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Me\AppData\Local\Google\Chrome\Application\47.0.2526.106\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Users\Me\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll => No File
CHR Plugin: (McAfee SecurityCenter) - c:\progra~2\mcafee\msc\npmcsn~1.dll => No File
CHR Extension: (Lightshot (screenshot tool)) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbniclmhobmnbdlbpiphghaielnnpgdp [2014-10-29]
U0 msahci; no ImagePath
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3400933972-4142425231-113131321-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbniclmhobmnbdlbpiphghaielnnpgdp

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset Chrome...
Open Google Chrome, then click on the menu icon located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.
===

P.S.
A reminder...

Your version of Platform: Windows 8 (X64) Language: English (United States)

Windows 8 support ends.
https://support.microsoft.com/en-us/lifecycle/search/default.aspx?alpha=Windows%208&Filter=FilterNO
Customers on Windows 8 have until January 12, 2016, to move to Windows 8.1 in order to remain supported.
<<<>>>
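
As an added example (not the thread's own instructions, nor FRST's or AdwCleaner's code), a read-only PowerShell audit that reports, for the current user, the three kinds of entries the fixlist above targets: Internet Explorer policy restrictions, IE SearchScopes providers, and per-user CLSID InprocServer32 entries whose DLL no longer exists. The registry paths and the "(default)" value name are standard Windows locations; the script deletes nothing and is meant to be run from an elevated PowerShell before any cleanup.

```powershell
# Added audit example, not the thread's instructions or FRST's own code.
# Read-only: it lists the same kinds of entries the fixlist above removes
# (for the current user) so they can be reviewed before any cleanup.

Write-Host "== Internet Explorer policy restrictions (HKLM) =="
$iePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
if (Test-Path $iePolicy) {
    # Values under this key (e.g. a Restrictions subkey) lock down IE settings;
    # on a home PC they are usually not something the user set.
    foreach ($key in @(Get-Item $iePolicy) + @(Get-ChildItem $iePolicy -Recurse)) {
        foreach ($name in $key.GetValueNames()) {
            Write-Host ("  {0}\{1} = {2}" -f $key.Name, $name, $key.GetValue($name))
        }
    }
} else { Write-Host "  none" }

Write-Host "== IE SearchScopes for the current user (HKCU) =="
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    $defaultScope = (Get-ItemProperty $scopes).DefaultScope
    foreach ($scope in Get-ChildItem $scopes) {
        $p = Get-ItemProperty $scope.PSPath
        $tag = if ($scope.PSChildName -eq $defaultScope) { ' [DEFAULT]' } else { '' }
        # Review each URL: a provider you never chose (as in the log above) is a hijack.
        Write-Host ("  {0}{1}: {2} -> {3}" -f $scope.PSChildName, $tag, $p.DisplayName, $p.URL)
    }
} else { Write-Host "  none" }

Write-Host "== Per-user CLSID InprocServer32 entries whose DLL is missing (HKCU) =="
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $clsidRoot) {
    foreach ($clsid in Get-ChildItem $clsidRoot) {
        $srvKey = "$($clsid.PSPath)\InprocServer32"
        if (-not (Test-Path $srvKey)) { continue }
        $dll = (Get-ItemProperty $srvKey).'(default)'
        if (-not $dll) { continue }
        # Strip quotes and expand %SystemRoot%-style variables before checking.
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        if (-not (Test-Path -LiteralPath $dllPath)) {
            # Same condition FRST reports as "=> No File": a stale entry (in the
            # log above, old Google Update builds), harmless but worth removing.
            Write-Host ("  {0} -> {1} => No File" -f $clsid.PSChildName, $dllPath)
        }
    }
}
```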

#3 amoled1

amoled1
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:02 PM

Posted 29 December 2015 - 04:11 PM

Thank you for your help, that AdwCleaner program seems to have fixed it! Have a happy new year!



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:02 PM

Posted 30 December 2015 - 09:44 AM

Glad we could help.


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:02 PM

Posted 05 January 2016 - 09:54 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



