browser hijack?


This topic is locked. 15 replies to this topic.

#1 svds (Members, 8 posts)

Posted 14 January 2016 - 01:14 AM

I believe I picked up a virus, or at least malware with a browser hijack.

I've downloaded and run Malwarebytes Anti-Malware. It found 142 items on the 1st run, continues to find some, and http://home.searchtp.com/ continues to be the default browser location even after setting Google and others as default.

Find my FRST logs attached. Thanks in advance.

PS: Malwarebytes scan came back with 0 threat items.

PPS: Microsoft Security Essentials found Trojan:Win32/Tulim.B!plock

Attached Files


Edited by svds, 14 January 2016 - 03:11 AM.



#2 nasdaq (Malware Response Team, 40,532 posts, Montreal, QC. Canada)

Posted 15 January 2016 - 02:31 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-899633667-1377354469-2499806448-1000\Control Panel\Desktop\\SCRNSAVE.EXE ->
Toolbar: HKU\S-1-5-21-899633667-1377354469-2499806448-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bcOfaTx1UmcQrOudH07I_9BL868ktwSDKOJDwie2z7DYoiW5ysVrToFkApOfiO1imKGX5vBf1zMfiIfcgiwCbWErr4lg1VChmbPY5rgc8dFNJq03uEkx_yF0Jqr0imZEwzl2TczmvUJM0z8r9qeV18yt3x3rS8,
CHR NewTab: Default -> "chrome-extension://pmpnpoimcedejhfgmocpekpmifcjajjb/newtab/newtab.html"
CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bcOfaTx1UmcQrOudH07I_9BL868ktwSDKOJDwie2z7DYoiW5ysVrToFkApOfiO1imKKRFC8HWQe2zuGNp6eywAmIigfFXkZ3ddmthi2a2NJMCmB_S_OObpJYItjJ4mYT9svyCJVBTV5grIWgST0aofYqUpLqdg,&q={searchTerms}
CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
CHR HKLM\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Users\scott\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx <not found>
S2 Airtostrong; C:\ProgramData\\Airtostrong\\Airtostrong.exe -f "C:\ProgramData\\Airtostrong\\Airtostrong.dat" -l -a
S4 vToolbarUpdater18.1.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [X]
C:\ProgramData\\Airtostrong
Task: {C229E24A-73BC-4B5E-A596-F58057721B11} - System32\Tasks\55zlb4dm => C:\Program Files\Common Files\e2cd4pfd\e64d5z4k0yzgz.exe [2016-01-12] () <==== ATTENTION
C:\Program Files\Common Files\e2cd4pfd

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.
Java 8 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)

Please post the logs and let me know if the problem persists.
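The Chrome entries in the fixlist above hide their hostnames behind percent-encoding, so a plain string match for the hijacker domain misses them. As an added illustration (this is not part of nasdaq's post or of the FRST tool), the Python below parses `CHR` lines from an FRST-style log, decodes the hostnames and flags the obfuscated ones; the sample lines are copied from the thread with the long `?p=` token truncated, and the function names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the Chrome lines from the fixlist in this thread. "hxxp" is the
# log's defanged spelling of http, and the long ?p= token has been truncated to "...".
SAMPLE_LOG = """\
CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFz...
CHR NewTab: Default -> "chrome-extension://pmpnpoimcedejhfgmocpekpmifcjajjb/newtab/newtab.html"
CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFz...&q={searchTerms}
CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
"""

# One FRST "CHR <setting>: <profile> -> <value>" line (helper names below are my own).
LINE_RE = re.compile(r"^CHR (?P<key>\w+): (?P<profile>\w+) -> (?P<value>.+)$")


def parse_chr_lines(text):
    """Yield (setting, profile, value) for each CHR line; surrounding quotes are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("key"), m.group("profile"), m.group("value").strip('"')


def decoded_host(value):
    """Return (raw host, percent-decoded host) for a URL value, or None if it has no host."""
    url = value.replace("hxxp", "http", 1)  # undo the defanging so urlsplit sees a scheme
    parts = urlsplit(url)
    if not parts.netloc:
        return None
    return parts.netloc, unquote(parts.netloc)


def find_obfuscated_hosts(text):
    """Map each CHR setting whose hostname was percent-encoded to the decoded hostname."""
    found = {}
    for key, _profile, value in parse_chr_lines(text):
        hosts = decoded_host(value)
        if hosts and hosts[0] != hosts[1]:
            found[key] = hosts[1]
    return found


def keyword_matches_search_url(text):
    """True when DefaultSearchKeyword equals the decoded DefaultSearchURL host."""
    entries = {key: value for key, _profile, value in parse_chr_lines(text)}
    hosts = decoded_host(entries.get("DefaultSearchURL", ""))
    return bool(hosts) and hosts[1] == entries.get("DefaultSearchKeyword")


if __name__ == "__main__":
    for setting, host in find_obfuscated_hosts(SAMPLE_LOG).items():
        print(f"{setting}: percent-encoded hostname decodes to {host}")
    print("search keyword matches decoded search URL host:",
          keyword_matches_search_url(SAMPLE_LOG))
```

On the thread's lines this reports feed.snapdo.com for the home page and feed.sonic-search.com for the search URL, the same host the DefaultSearchKeyword entry names in clear text.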

#3 svds (Topic Starter, Members, 8 posts)

Posted 17 January 2016 - 01:45 AM

Thank you, Nasdaq. I am Scott.

Find the Fixlog.txt below. I followed the instructions and attempted to run AdwCleaner a couple of times, but it would not run a scan. Please advise on this. I have uninstalled Java from the machine.

 

 

Fix result of Farbar Recovery Scan Tool (x86) Version:10-01-2015 01

Ran by scott (2016-01-16 18:21:54) Run:1
Running from C:\Users\scott\Downloads
Loaded Profiles: scott (Available Profiles: scott)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKU\S-1-5-21-899633667-1377354469-2499806448-1000\Control Panel\Desktop\\SCRNSAVE.EXE ->
Toolbar: HKU\S-1-5-21-899633667-1377354469-2499806448-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bcOfaTx1UmcQrOudH07I_9BL868ktwSDKOJDwie2z7DYoiW5ysVrToFkApOfiO1imKGX5vBf1zMfiIfcgiwCbWErr4lg1VChmbPY5rgc8dFNJq03uEkx_yF0Jqr0imZEwzl2TczmvUJM0z8r9qeV18yt3x3rS8,
CHR NewTab: Default -> "chrome-extension://pmpnpoimcedejhfgmocpekpmifcjajjb/newtab/newtab.html"
CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bcOfaTx1UmcQrOudH07I_9BL868ktwSDKOJDwie2z7DYoiW5ysVrToFkApOfiO1imKKRFC8HWQe2zuGNp6eywAmIigfFXkZ3ddmthi2a2NJMCmB_S_OObpJYItjJ4mYT9svyCJVBTV5grIWgST0aofYqUpLqdg,&q={searchTerms}
CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
CHR HKLM\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Users\scott\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx <not found>
S2 Airtostrong; C:\ProgramData\\Airtostrong\\Airtostrong.exe -f "C:\ProgramData\\Airtostrong\\Airtostrong.dat" -l -a
S4 vToolbarUpdater18.1.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [X]
C:\ProgramData\\Airtostrong
Task: {C229E24A-73BC-4B5E-A596-F58057721B11} - System32\Tasks\55zlb4dm => C:\Program Files\Common Files\e2cd4pfd\e64d5z4k0yzgz.exe [2016-01-12] () <==== ATTENTION
C:\Program Files\Common Files\e2cd4pfd
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-899633667-1377354469-2499806448-1000\Control Panel\Desktop\\SCRNSAVE.EXE => value removed successfully.
HKU\S-1-5-21-899633667-1377354469-2499806448-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully.
Chrome HomePage => removed successfully.
Chrome NewTab => removed successfully.
Chrome DefaultSearchURL => removed successfully.
Chrome DefaultSearchKeyword => removed successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo" => key removed successfully.
Airtostrong => service removed successfully.
vToolbarUpdater18.1.0 => service not found.
C:\ProgramData\\Airtostrong => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C229E24A-73BC-4B5E-A596-F58057721B11}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C229E24A-73BC-4B5E-A596-F58057721B11}" => key removed successfully.
C:\Windows\System32\Tasks\55zlb4dm => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\55zlb4dm" => key removed successfully.
C:\Program Files\Common Files\e2cd4pfd => moved successfully
EmptyTemp: => 422.4 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 18:22:33 ====


#4 nasdaq (Malware Response Team, 40,532 posts, Montreal, QC. Canada)

Posted 17 January 2016 - 08:57 AM

Please run the Farbar Recovery Scan Tool. Enter AdwCleaner.exe in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

Post the log and let me know what problem persists.

#6 svds (Topic Starter, Members, 8 posts)

Posted 17 January 2016 - 10:04 PM

This is all I get with Search File.

 

Farbar Recovery Scan Tool (x86) Version:10-01-2015 01

Ran by scott (2016-01-17 21:01:17)
Running from C:\Users\scott\Downloads
Boot Mode: Normal
 
================== Search Files: "AdwCleaner.exe" =============
 
====== End of Search ======


#7 nasdaq (Malware Response Team, 40,532 posts, Montreal, QC. Canada)

Posted 18 January 2016 - 09:20 AM

Strange we cannot find the AdwCleaner tool.

Please download it again. Run it as previously instructed.

p.s.
Make sure you save it to your Desktop.

#8 svds (Topic Starter, Members, 8 posts)

Posted 18 January 2016 - 10:40 PM

OK, this is what I get now.

Also, when I open AdwCleaner, it goes through the same "do you want to install this program from an unknown publisher / make changes to this computer" prompt.
 
Farbar Recovery Scan Tool (x86) Version:10-01-2015 01
Ran by scott (2016-01-18 21:31:19)
Running from C:\Users\scott\Downloads
Boot Mode: Normal
 
================== Search Files: "AdwCleaner.exe" =============
 
C:\Users\scott\Desktop\AdwCleaner.exe
[2016-01-18 21:23][2016-01-18 21:23] 1505280 ____A () 08985310E76BAC6BE0439A67234E90C7 [File not signed]
 
====== End of Search ======


#9 nasdaq (Malware Response Team, 40,532 posts, Montreal, QC. Canada)

Posted 19 January 2016 - 09:41 AM

Right click on the AdwCleaner.exe file and select Run as an Administrator.

If you still get the protection message select Yes. The file is safe.

#10 svds (Topic Starter, Members, 8 posts)

Posted 20 January 2016 - 04:26 PM

OK, I ran it as administrator; same results: "loading data base, generic elements searching for folders, waiting for action - uncheck the elements you want to keep."

Nothing shows up.

You do want me scanning services, right? I ran "Folders" and got Browsers/ programs file Elex-tech/ Roaming /Elex-tech



#11 nasdaq (Malware Response Team, 40,532 posts, Montreal, QC. Canada)

Posted 21 January 2016 - 09:47 AM


> I ran "Folders" and got Browsers/ programs file Elex-tech/ Roaming /Elex-tech

This is stopping the AdwCleaner tool from running.


Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====

#12 svds (Topic Starter, Members, 8 posts)

Posted 21 January 2016 - 09:11 PM

Great, here is the ComboFix.txt [this is the 2nd run; the 1st one was accidentally closed].

 

 

ComboFix 16-01-19.01 - scott 01/21/2016  19:53:02.2.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1993.1087 [GMT -6:00]
Running from: c:\users\scott\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Disabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2015-12-22 to 2016-01-22  )))))))))))))))))))))))))))))))
.
.
2016-01-22 01:57 . 2016-01-22 01:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2016-01-22 01:57 . 2016-01-22 01:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-01-22 01:57 . 2016-01-22 01:57 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2016-01-22 01:50 . 2016-01-22 01:50 39168 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1FCC8F7-8D02-4A62-AEF0-0EE332CECC35}\MpKsl373acb10.sys
2016-01-22 01:39 . 2015-11-25 10:43 9014120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1FCC8F7-8D02-4A62-AEF0-0EE332CECC35}\mpengine.dll
2016-01-22 00:52 . 2015-07-01 05:59 912000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3E07A872-5551-4F43-A57E-902CBC107724}\gapaengine.dll
2016-01-21 02:13 . 2016-01-21 02:13 -------- d-----w- c:\users\scott\AppData\Local\Nico Mak Computing
2016-01-21 02:13 . 2016-01-21 02:20 -------- d-----w- c:\programdata\WinZip
2016-01-21 02:09 . 2016-01-21 02:09 -------- d-----w- c:\programdata\UniqueId
2016-01-20 07:05 . 2015-11-25 10:43 9014120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2016-01-17 00:58 . 2016-01-22 01:44 -------- d-----w- C:\AdwCleaner
2016-01-14 08:04 . 2016-01-14 08:04 -------- d-----w- c:\program files\browser
2016-01-14 05:53 . 2016-01-21 02:23 -------- d-----w- C:\FRST
2016-01-13 02:41 . 2015-12-08 21:53 641536 ----a-w- c:\windows\system32\advapi32.dll
2016-01-13 02:40 . 2015-12-08 21:54 665088 ----a-w- c:\windows\system32\WMVXENCD.DLL
2016-01-12 21:49 . 2016-01-13 05:43 -------- d-----w- c:\users\scott\AppData\Roaming\Elex-tech
2016-01-12 21:49 . 2016-01-13 05:43 -------- d-----w- c:\program files\Elex-tech
2016-01-11 10:46 . 2016-01-12 05:42 -------- d-----w- c:\users\scott\AppData\Local\Comodo
2016-01-11 10:46 . 2016-01-11 10:46 -------- d-----w- c:\programdata\Comodo Browser
2015-12-31 09:42 . 2015-12-31 09:42 -------- d-----w- c:\users\scott\AppData\Roaming\inkscape
2015-12-24 09:05 . 2015-12-24 09:05 -------- d-----w- C:\SBD files
2015-12-24 09:04 . 2016-01-20 08:20 -------- d-----w- c:\program files\SignBlazer Elements
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-01-21 02:25 . 2015-12-22 09:52 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-12-09 03:39 . 2013-03-27 22:38 247976 ------w- c:\windows\system32\MpSigStub.exe
2015-11-20 18:34 . 2015-12-09 05:58 93696 ----a-w- c:\windows\system32\wudriver.dll
2015-11-20 18:34 . 2015-12-09 05:58 2956800 ----a-w- c:\windows\system32\wucltux.dll
2015-11-20 18:34 . 2015-12-09 05:58 2062848 ----a-w- c:\windows\system32\wuaueng.dll
2015-11-20 18:34 . 2015-12-09 05:58 174080 ----a-w- c:\windows\system32\wuwebv.dll
2015-11-20 18:34 . 2015-12-09 05:58 35840 ----a-w- c:\windows\system32\wups2.dll
2015-11-20 18:34 . 2015-12-09 05:58 30208 ----a-w- c:\windows\system32\wups.dll
2015-11-20 18:34 . 2015-12-09 05:58 573440 ----a-w- c:\windows\system32\wuapi.dll
2015-11-20 18:34 . 2015-12-09 05:58 73728 ----a-w- c:\windows\system32\WinSetupUI.dll
2015-11-20 18:33 . 2015-12-09 05:58 11776 ----a-w- c:\windows\system32\wu.upgrade.ps.dll
2015-11-20 18:33 . 2015-12-09 05:58 136192 ----a-w- c:\windows\system32\wuauclt.exe
2015-11-20 18:33 . 2015-12-09 05:58 35328 ----a-w- c:\windows\system32\wuapp.exe
2015-11-11 18:39 . 2015-12-09 06:00 1242624 ----a-w- c:\windows\system32\comsvcs.dll
2015-11-11 18:39 . 2015-12-09 06:00 487936 ----a-w- c:\windows\system32\catsrvut.dll
2015-11-10 18:39 . 2015-12-09 06:00 909824 ----a-w- c:\windows\system32\FntCache.dll
2015-11-10 18:39 . 2015-12-09 06:00 1251328 ----a-w- c:\windows\system32\DWrite.dll
2015-11-10 18:39 . 2015-12-09 06:00 811520 ----a-w- c:\windows\system32\user32.dll
2015-11-05 19:02 . 2015-12-09 05:57 14848 ----a-w- c:\windows\system32\wshrm.dll
2015-11-05 19:00 . 2015-12-09 05:58 2048 ----a-w- c:\windows\system32\tzres.dll
2015-11-05 09:48 . 2015-12-09 05:57 117760 ----a-w- c:\windows\system32\drivers\rmcast.sys
2015-11-03 18:56 . 2015-12-09 05:58 627712 ----a-w- c:\windows\system32\usp10.dll
2015-11-03 18:55 . 2015-12-09 05:58 179712 ----a-w- c:\windows\system32\els.dll
2015-10-29 17:50 . 2015-11-11 00:12 5120 ----a-w- c:\windows\system32\shimeng.dll
2015-10-29 17:49 . 2015-11-11 00:12 295936 ----a-w- c:\windows\system32\apphelp.dll
2015-10-29 17:49 . 2015-11-11 00:12 562176 ----a-w- c:\windows\apppatch\AcLayers.dll
2015-10-29 17:49 . 2015-11-11 00:12 2178560 ----a-w- c:\windows\apppatch\AcGenral.dll
2015-10-29 17:49 . 2015-11-11 00:12 470528 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2015-10-29 17:49 . 2015-11-11 00:12 211968 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2015-10-29 17:49 . 2015-11-11 00:12 62464 ----a-w- c:\windows\system32\aelupsvc.dll
2015-10-29 17:49 . 2015-11-11 00:12 20992 ----a-w- c:\windows\system32\sdbinst.exe
2015-10-29 17:39 . 2015-11-11 00:12 2560 ----a-w- c:\windows\apppatch\AcRes.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Seagull Drivers"="ssdal_nc.exe startup" [X]
"RunPUTasktray"="c:\program files\Hewlett-Packard\HP Printer Utility\HPPU.exe --regkeypath=Software\Hewlett-Packard\HP Printer Utility\HPPURun --valuename=InstallTTM" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"PUStarter"="c:\program files\Common Files\Hewlett-Packard\HP Printer Utility DCS\Appinterfaces\HPPUDS.exe" [2014-02-28 73728]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2015-04-30 981688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 17:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2014-12-11 315496]
R3 D-Vitec;D-Vitec Driver;c:\windows\system32\DRIVERS\dvitdcnt.sys [2012-07-26 281344]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2015-12-12 102912]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2015-03-05 95408]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2015-04-30 284504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-03-28 1343400]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2014-04-28 42272]
S1 MpKsl373acb10;MpKsl373acb10;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1FCC8F7-8D02-4A62-AEF0-0EE332CECC35}\MpKsl373acb10.sys [2016-01-22 39168]
S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2016-01-08 1433216]
S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2016-01-08 1773696]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2011-05-05 266408]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL373ACB10
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
utcsvc REG_MULTI_SZ   DiagTrack
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2016-01-15 05:41 1006920 ----a-w- c:\program files\Google\Chrome\Application\47.0.2526.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2016-01-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-28 04:20]
.
2016-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-07 07:19]
.
2015-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-07 07:19]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = <local>
Trusted Zone: aol.com\free
Trusted Zone: hp.com
TCP: DhcpNameServer = 192.168.254.254
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-01-21  19:58:54
ComboFix-quarantined-files.txt  2016-01-22 01:58
ComboFix2.txt  2016-01-22 01:29
.
Pre-Run: 934,980,341,760 bytes free
Post-Run: 934,934,556,672 bytes free
.
- - End Of File - - 37499EBC111901FE0A894A1C9CD6B274
A36C5E4F47E84449FF07ED3517B43A31
====================================================================
 
Here is the AdwCleaner log from 'scan folders'. Should I uninstall the 3 folders below?
Folder Found : C:\Program Files\Browser
Folder Found : C:\Program Files\Elex-tech
Folder Found : C:\Users\scott\AppData\Roaming\Elex-tech
 
# AdwCleaner v5.030 - Logfile created 21/01/2016 at 20:01:31
# Updated 17/01/2016 by Xplode
# Database : 2016-01-19.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x86)
# Username : scott - SCOTT-PC
# Running from : C:\Users\scott\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\Program Files\Browser
Folder Found : C:\Program Files\Elex-tech
Folder Found : C:\Users\scott\AppData\Roaming\Elex-tech
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\iSafeRKScan
Key Found : HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\iSafeSvc2.exe
Key Found : HKCU\Software\Google\Chrome\Extensions\bmkckgpgekmanipelfidlhmkfcjicion
Key Found : HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Key Found : HKLM\SOFTWARE\Elex-tech
 
***** [ Web browsers ] *****
 
[C:\Users\scott\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : bmkckgpgekmanipelfidlhmkfcjicion
 
########## EOF - C:\AdwCleaner\AdwCleaner[S18].txt - [1276 bytes] ##########
 


#13 nasdaq (Malware Response Team, 40,532 posts, Montreal, QC. Canada)

Posted 22 January 2016 - 10:38 AM

Run AdwCleaner and delete everything.

===

What are the remaining issues?

#14 svds (Topic Starter, Members, 8 posts)

Posted 23 January 2016 - 01:18 AM

That should do it. Thank you very much!



#15 nasdaq (Malware Response Team, 40,532 posts, Montreal, QC. Canada)

Posted 23 January 2016 - 09:11 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
