
Infected with ColorMedia and unable to use WiFi


This topic is locked
14 replies to this topic

#1 Infecteduser05784956 (Members, 62 posts)

Posted 17 January 2016 - 02:13 PM

I have recently been infected with ColorMedia and I am currently unable to use WiFi. After posting in the Am I Infected? section I was able to get some help and the ColorMedia problem has been fixed. Currently I am still unable to access the internet through WiFi, but I can access it through Bluetooth.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-01-2015

Ran by blandine andre (administrator) on BLANDINEANDRE (17-01-2016 13:03:20)
Running from C:\Users\blandine andre\Desktop
Loaded Profiles: blandine andre (Available Profiles: blandine andre & DefaultAppPool)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Atheros) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe
(Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(Microsoft Corporation) C:\windows\System32\CISVC.EXE
(Microsoft Corporation) C:\windows\System32\mqsvc.exe
(Secunia) C:\Program Files (x86)\Secunia\PSI\psia.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Microsoft Corporation) C:\windows\System32\snmp.exe
(Microsoft Corporation) C:\windows\System32\tlntsvr.exe
(Microsoft Corporation) C:\windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Intel Corporation) C:\windows\System32\hkcmd.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
(Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
(Microsoft Corporation) C:\windows\System32\dllhost.exe
(ESET) C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe
(Secunia) C:\Program Files (x86)\Secunia\PSI\sua.exe
() C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
(Microsoft Corporation) C:\windows\System32\taskmgr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-05-27] (IDT, Inc.)
HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [DellStage] => C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [2195824 2012-02-01] ()
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [627360 2011-05-20] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe [379552 2011-05-20] (Atheros Commnucations)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2694040 2014-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: [Dell Registration] => C:\Program Files (x86)\System Registration\prodreg.exe /boot
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [AppleIEDAV] => C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31087200 2015-01-23] (Skype Technologies S.A.)
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [FileHippo.com] => C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe [695808 2014-09-10] (FileHippo.com)
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [Overwolf] => C:\Program Files (x86)\Overwolf\Overwolf.exe [41200 2015-06-21] (Overwolf LTD)
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [explorertask] => C:\PROGRAM FILES (X86)\MS-TASKER\MS-TASKER.EXE
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\MountPoints2: {b09e0fc7-7c2b-11e4-90ad-08edb90ffa08} - C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\start.exe
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\MountPoints2: {f75407b1-10cf-11e3-950a-08edb90ffa08} - E:\WIN\setup.exe
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Secunia PSI Tray.lnk [2014-11-04]
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{31403B2C-BF52-4C44-80ED-2B14FA3290F3}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{8F393956-E925-44EC-9E6D-41E44AF6EF98}: [DhcpNameServer] 168.94.0.14 168.94.0.15
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/
URLSearchHook: HKU\S-1-5-21-3911025799-2270268569-1992172917-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
SearchScopes: HKLM -> {2F1E335A-858A-4BE9-8F6B-D0AF1D018B53} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {2F1E335A-858A-4BE9-8F6B-D0AF1D018B53} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2014-08-06] (Google Inc.)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll [2011-05-20] (Atheros Commnucations)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2014-08-06] (Google Inc.)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2014-08-06] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2014-08-06] (Google Inc.)
Toolbar: HKU\S-1-5-21-3911025799-2270268569-1992172917-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2014-08-06] (Google Inc.)
DPF: HKLM-x32 {6A060448-60F9-11D5-A6CD-0002B31F7455} 
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
 
FireFox:
========
FF ProfilePath: C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default
FF DefaultSearchEngine: Google
FF SearchEngineOrder.3: Bing 
FF SelectedSearchEngine: Bing 
FF Homepage: hxxp://www.msn.com/en-us/?pc=UP97&ocid=UP97DHP
FF Keyword.URL: hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q=
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2014-07-22] (Adobe Systems)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll [2014-10-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll [2014-10-15] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2014-07-22] (Adobe Systems)
FF Extension: No Name - C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\14fef81ee28d4335a493c2d@6383fd42ff9b4872bccb5b.com [not found]
FF Extension: No Name - C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\OIBMBKA115048682@HYKFIU97176590.com [not found]
FF Extension: No Name - C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com [not found]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2013-12-19] <==== ATTENTION
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.115\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.115\pdf.dll ()
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (AdobeAAMDetect) - C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll ( Microsoft Corporation)
CHR Profile: C:\Users\blandine andre\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\blandine andre\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2016-01-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\blandine andre\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-01-17]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [146592 2011-05-20] (Atheros) [File not signed]
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [80032 2011-05-20] (Atheros Commnucations) [File not signed]
R2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 OverwolfUpdater; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [1000688 2015-06-21] (Overwolf LTD)
R2 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [1229528 2013-12-06] (Secunia)
R2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [662232 2013-12-06] (Secunia)
R2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-20] (Microsoft Corporation)
R2 SNMP; C:\windows\SysWOW64\snmp.exe [47616 2010-11-20] (Microsoft Corporation)
R2 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-13] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 IntcDAud; C:\Windows\System32\DRIVERS\IntcDAud.sys [317440 2010-10-15] (Intel® Corporation) [File not signed]
S3 Leapfrog-USBLAN; C:\Windows\System32\DRIVERS\btblan.sys [40320 2012-07-05] (Belcarra Technologies) [File not signed]
S3 mbamchameleon; C:\windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2013-12-06] (Secunia)
S3 ApfiltrService; system32\DRIVERS\Apfiltr.sys [X]
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-17 13:03 - 2016-01-17 13:03 - 00016723 _____ C:\Users\blandine andre\Desktop\FRST.txt
2016-01-17 12:27 - 2016-01-17 13:03 - 00000000 ____D C:\FRST
2016-01-17 12:26 - 2016-01-17 13:25 - 02370560 _____ (Farbar) C:\Users\blandine andre\Desktop\FRST64.exe
2016-01-17 11:03 - 2016-01-17 11:03 - 00000000 ___RD C:\Users\blandine andre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2016-01-17 10:55 - 2016-01-17 10:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2016-01-17 10:03 - 2016-01-17 10:55 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 11
2016-01-17 10:01 - 2016-01-17 10:58 - 19709440 _____ (Luis Cobian, CobianSoft) C:\Users\blandine andre\Desktop\cbSetup.exe
2016-01-16 19:35 - 2016-01-16 19:35 - 00000000 _____ C:\Users\blandine andre\Desktop\New Text Document.txt
2016-01-15 21:01 - 2016-01-17 11:20 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-15 20:59 - 2016-01-16 01:08 - 00005132 _____ C:\Users\blandine andre\Desktop\FSS.txt
2016-01-15 20:59 - 2016-01-15 21:54 - 00899584 _____ (Farbar) C:\Users\blandine andre\Desktop\FSS.exe
2016-01-15 13:28 - 2016-01-15 14:27 - 02870984 _____ (ESET) C:\Users\blandine andre\Desktop\esetsmartinstaller_enu.exe
2016-01-14 23:59 - 2016-01-16 11:02 - 00000571 _____ C:\Users\blandine andre\Desktop\JRT.txt
2016-01-14 23:47 - 2016-01-14 23:47 - 00001108 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-01-14 23:47 - 2016-01-14 23:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-01-14 23:47 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2016-01-14 23:47 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\windows\system32\Drivers\mbam.sys
2016-01-14 23:43 - 2016-01-16 19:24 - 00025361 _____ C:\Users\blandine andre\Desktop\MTB.txt
2016-01-14 23:42 - 2016-01-15 00:47 - 22908888 _____ (Malwarebytes ) C:\Users\blandine andre\Desktop\mbam-setup-2.2.0.1024.exe
2016-01-14 23:42 - 2016-01-15 00:44 - 01754112 _____ C:\Users\blandine andre\Desktop\AdwCleaner.exe
2016-01-14 23:42 - 2016-01-15 00:44 - 01600184 _____ (Malwarebytes) C:\Users\blandine andre\Desktop\JRT.exe
2016-01-14 23:42 - 2016-01-15 00:43 - 00891392 _____ (Farbar) C:\Users\blandine andre\Desktop\MiniToolBox.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-17 12:35 - 2013-06-16 00:10 - 00000000 ____D C:\ProgramData\Apple
2016-01-17 12:34 - 2015-02-18 16:19 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2016-01-17 12:33 - 2009-07-13 22:45 - 00020928 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-17 12:33 - 2009-07-13 22:45 - 00020928 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-17 12:29 - 2014-03-07 23:12 - 00000914 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-01-17 12:29 - 2014-03-07 23:11 - 00000910 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-01-17 12:27 - 2009-07-13 21:20 - 00000000 ____D C:\windows
2016-01-17 11:07 - 2009-07-13 21:20 - 00000000 ____D C:\windows\system32\NDF
2016-01-17 09:57 - 2009-07-13 23:13 - 00891598 _____ C:\windows\system32\PerfStringBackup.INI
2016-01-17 09:57 - 2009-07-13 21:20 - 00000000 ____D C:\windows\inf
2016-01-16 19:22 - 2014-11-05 16:48 - 00000000 ____D C:\Users\blandine andre\AppData\Local\Overwolf
2016-01-16 01:11 - 2009-07-13 23:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2016-01-16 01:10 - 2014-11-03 23:59 - 00000000 ____D C:\AdwCleaner
2016-01-16 01:10 - 2014-11-03 23:11 - 01172996 _____ C:\windows\ntbtlog.txt
2016-01-15 21:40 - 2012-07-31 00:22 - 00000000 ____D C:\Users\blandine andre\AppData\Roaming\Skype
2016-01-15 21:38 - 2011-02-23 07:08 - 00000000 ____D C:\windows\Panther
2016-01-15 12:37 - 2012-07-31 10:25 - 00000000 ____D C:\Users\blandine andre\AppData\Local\CrashDumps
2016-01-14 23:47 - 2015-07-20 01:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-01-12 15:46 - 2015-04-17 19:11 - 00000000 ___SD C:\windows\SysWOW64\GWX
2016-01-12 15:46 - 2015-04-17 19:11 - 00000000 ___SD C:\windows\system32\GWX
2016-01-12 15:46 - 2015-04-17 19:11 - 00000000 ___SD C:\windows\system32\CompatTel
2016-01-12 15:46 - 2015-04-17 19:11 - 00000000 ____D C:\windows\system32\appraiser
2016-01-12 15:46 - 2014-10-22 18:20 - 00000000 ____D C:\Users\blandine andre\AppData\Roaming\vlc
2016-01-12 15:46 - 2013-07-01 08:12 - 00000000 ____D C:\ProgramData\Microsoft Help
2016-01-12 15:46 - 2012-07-28 21:11 - 00000000 ____D C:\Users\blandine andre
2016-01-12 15:46 - 2012-04-08 17:25 - 00000000 ___RD C:\Users\Public\Recorded TV
2016-01-12 15:46 - 2009-07-13 21:20 - 00000000 ____D C:\windows\rescache
2016-01-12 15:46 - 2009-07-13 21:20 - 00000000 ____D C:\windows\PolicyDefinitions
2016-01-12 15:46 - 2009-07-13 21:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2016-01-12 15:45 - 2009-07-13 21:20 - 00000000 ____D C:\windows\registration
 
==================== Files in the root of some directories =======
 
2012-08-07 20:41 - 2013-01-21 20:48 - 0011264 _____ () C:\Users\blandine andre\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-09-06 21:06 - 2015-09-06 21:06 - 0007597 _____ () C:\Users\blandine andre\AppData\Local\Resmon.ResmonCfg
2014-07-24 22:30 - 2014-07-24 22:30 - 0013934 _____ () C:\Users\blandine andre\AppData\Local\WiDiSetupLog.20140724.233027.wdl
2015-02-16 00:50 - 2015-02-16 00:50 - 0001353 _____ () C:\ProgramData\tempimage.bmp
 
Some files in TEMP:
====================
C:\Users\blandine andre\AppData\Local\Temp\50 shades grey__10924_i1468419793_il19333.exe
C:\Users\blandine andre\AppData\Local\Temp\cbgcabfcebhg.exe
C:\Users\blandine andre\AppData\Local\Temp\CloudBackup7856.exe
C:\Users\blandine andre\AppData\Local\Temp\ConsumerInputSetup.exe
C:\Users\blandine andre\AppData\Local\Temp\DRHelper_installFinish.exe
C:\Users\blandine andre\AppData\Local\Temp\DRHelper_installStart.exe
C:\Users\blandine andre\AppData\Local\Temp\DRHelper_uninstallComplete.exe
C:\Users\blandine andre\AppData\Local\Temp\mpam-20ceb90d.exe
C:\Users\blandine andre\AppData\Local\Temp\optprosetup.exe
C:\Users\blandine andre\AppData\Local\Temp\Quarantine.exe
C:\Users\blandine andre\AppData\Local\Temp\setup.exe
C:\Users\blandine andre\AppData\Local\Temp\Setup_33955.exe
C:\Users\blandine andre\AppData\Local\Temp\setup_515.exe
C:\Users\blandine andre\AppData\Local\Temp\SkypeSetup.exe
C:\Users\blandine andre\AppData\Local\Temp\SpOrder.dll
C:\Users\blandine andre\AppData\Local\Temp\sqlite3.dll
C:\Users\blandine andre\AppData\Local\Temp\tu17p84.exe
C:\Users\blandine andre\AppData\Local\Temp\vcredist_x64.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-01-13 23:25
 
==================== End of FRST.txt ============================
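A helper reads a log like the one above by eye, looking for a handful of patterns: FRST's own ATTENTION markers, browser extensions that are registered but [not found] on disk, service binaries marked [File not signed], the HideSCAHealth Explorer policy that suppresses the Action Center health icon, cached MountPoints2 autorun commands for removable drives, Run values for which FRST printed no size/date/vendor block, and legacy network services (TlntSvr, SNMP) left running. The script below is an added example, not part of the original post and not a Farbar tool; it applies those checks to FRST-style lines. The sample lines are copied from the log above. The rule names, the LEGACY_NET_SERVICES table, and the reading of a missing "[size date] (Vendor)" block as "FRST did not resolve the file" are assumptions made for this example.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for the indicators a malware
helper looks for first.  Example code only; it is not part of FRST."""
import re
from collections import Counter

# Constructed sample: lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [explorertask] => C:\PROGRAM FILES (X86)\MS-TASKER\MS-TASKER.EXE
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\MountPoints2: {b09e0fc7-7c2b-11e4-90ad-08edb90ffa08} - C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\start.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
FF Extension: No Name - C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\OIBMBKA115048682@HYKFIU97176590.com [not found]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2013-12-19] <==== ATTENTION
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [80032 2011-05-20] (Atheros Commnucations) [File not signed]
R2 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-13] (Microsoft Corporation)
"""

# FRST appends "[size date] (Vendor)" to a path it could open and attribute.
META_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\]")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.*)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+); ")

# Assumption of this example: legitimate Windows services that have no place
# running on a home laptop and only widen its attack surface.
LEGACY_NET_SERVICES = {
    "TlntSvr": "Telnet server (cleartext remote logon)",
    "SNMP": "SNMP agent",
}


def triage(lines):
    """Return one finding dict per matched rule, in log order."""
    findings = []

    def add(rule, line, why):
        findings.append({"rule": rule, "line": line, "why": why})

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "ATTENTION" in line:
            add("frst_attention", line, "entry flagged by FRST itself")
        if "[not found]" in line:
            add("orphan_extension", line, "extension registered but its files are gone")
        if "[File not signed]" in line:
            add("unsigned_binary", line, "service/driver binary has no Authenticode signature")
        if "Policies\\Explorer: [HideSCAHealth] 1" in line:
            add("hidden_security_center", line, "policy hides the Action Center health icon")
        if "\\MountPoints2:" in line:
            add("mountpoint_autorun", line, "autorun command cached for a removable drive")
        m = RUN_RE.search(line)
        if m and not META_RE.search(m.group("target")):
            add("unresolved_autorun", line,
                f"Run value '{m.group('name')}' has no size/date/vendor block; FRST did not resolve the file")
        m = SERVICE_RE.match(line)
        if m and m.group("state").startswith("R") and m.group("name") in LEGACY_NET_SERVICES:
            add("legacy_network_service", line,
                f"{m.group('name')} is running: {LEGACY_NET_SERVICES[m.group('name')]}")
    return findings


def counts(findings):
    """Rule name -> number of hits, for a quick overview of a long log."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['rule']:24} {h['why']}\n    {h['line']}")
    print(counts(hits))
```

Run it against a full FRST.txt with `triage(open("FRST.txt", encoding="utf-8").read().splitlines())`. The checks are deliberately string-level so they survive FRST's changing line layouts; none of them decides by itself that an entry is malicious, they only pull the lines a reviewer should look at first, which is what the helper does before writing a fixlist.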


 


#2 Aura, Bleepin' Special Ops (Malware Response Team, 19,697 posts)

Posted 20 January 2016 - 10:00 AM

Hi Infecteduser05784956 :)

My name is Aura and I'll be assisting you with your issue. Please give me a few hours to go over your logs and prepare a reply.

Thank you!

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Aura, Bleepin' Special Ops (Malware Response Team, 19,697 posts)

Posted 22 January 2016 - 11:43 AM

Hi InfectedUser :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • Finally, in the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • Since I'm still a trainee, all my posts have to be reviewed by an instructor prior to being posted to make sure that you receive the best assistance possible. Sorry for the inconvenience;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

I saw traces of Norton Antivirus and iolo System Mechanics on your system, were these programs ever installed? If so, did you uninstall them?

Outdated Programs Warning!

I noticed that you have outdated vulnerable programs installed on your system. I'll ask you to uninstall them since keeping outdated software installed on a system puts it more at risk of being infected. Otherwise, you can update them right now, and make sure that their outdated version is uninstalled after. We will reinstall these programs at the end of the clean-up if you decide to uninstall them now, and need them after.
  • Adobe Flash Player 17 ActiveX;
  • Mozilla Firefox 35.0.1 (x86 en-US)
If you have an issue when uninstalling a program, please let me know.

Once done, we'll clean-up remnants from past infections on your system using FRST. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;


Your next reply should include:
  • Answer to my question about Norton and System Mechanics;
  • If you uninstalled Adobe Flash Player and Mozilla Firefox or not;
  • Copy/pasted content of the FRST fix log;



#4 Infecteduser05784956, Topic Starter (Members, 62 posts)

Posted 23 January 2016 - 12:56 PM

Going through the steps now will update when completed.



#5 Infecteduser05784956, Topic Starter (Members, 62 posts)

Posted 23 January 2016 - 01:09 PM

Update* Please combine threads.

 

Mozilla Firefox and Internet Explorer are about the only two tools that I can't really open. It gives me a security warning for both applications saying that it is from an unknown publisher, and Firefox also gives me a "could not load XPCOM" error. I have tried to uninstall Mozilla Firefox from Programs and Features and nothing would even pop up. Also, I have gone into the Mozilla folder and tried to run the uninstaller from there, and it does not even let me run the programs for both Firefox and Explorer.

 

Adobe has been updated to ActiveX 20.

 

Please let me know how to continue.



#6 Aura


Posted 24 January 2016 - 10:22 AM

Even though Mozilla Firefox and Internet Explorer don't work, you are still able to use Google Chrome, correct? Can you download FRST with it, and follow the instructions in my last post to run the FRST fix? We'll uninstall Mozilla Firefox later on if you can't do it right now.

Also, can you answer the question I asked in my previous post?

I saw traces of Norton Antivirus and iolo System Mechanics on your system, were these programs ever installed? If so, did you uninstall them?


animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 Infecteduser05784956


Posted 24 January 2016 - 05:39 PM

I do recall installing both programs. As far as uninstalling, I do not remember; I do not see them in my programs list to uninstall.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:17-01-2015
Ran by blandine andre (2016-01-24 15:32:19) Run:1
Running from C:\Users\blandine andre\Desktop
Loaded Profiles: blandine andre (Available Profiles: blandine andre & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
 
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [explorertask] => C:\PROGRAM FILES (X86)\MS-TASKER\MS-TASKER.EXE
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\MountPoints2: {b09e0fc7-7c2b-11e4-90ad-08edb90ffa08} - C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\start.exe
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\MountPoints2: {f75407b1-10cf-11e3-950a-08edb90ffa08} - E:\WIN\setup.exe
 
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
URLSearchHook: HKU\S-1-5-21-3911025799-2270268569-1992172917-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
 
FF Extension: No Name - C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\14fef81ee28d4335a493c2d@6383fd42ff9b4872bccb5b.com [not found]
FF Extension: No Name - C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\OIBMBKA115048682@HYKFIU97176590.com [not found]
FF Extension: No Name - C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com [not found]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2013-12-19] <==== ATTENTION
 
Task: {14298588-B4B1-4B32-96EC-789FA196E21E} - System32\Tasks\CXFYCNE => C:\ProgramData\2abfacb28a86414db67072195669c416\2abfacb28a86414db67072195669c416.exe <==== ATTENTION
Task: {20DF6493-BE84-4629-A932-2F360D70AF29} - \Microsoft\Windows\Maintenance\Advanced IC Updating -> No File <==== ATTENTION
Task: {4763DF12-9BE9-45E7-9921-3F5D4F852E3B} - System32\Tasks\{484DEEE6-9FA8-45F4-BED6-CF25959A7A38} => Firefox.exe
Task: {85DB2318-978C-4FDE-8159-86C999A28656} - \Microsoft\Windows\Maintenance\SMupdate2 -> No File <==== ATTENTION
Task: {E4BCD81B-C53D-40AF-A7A8-56E82664DC47} - \Microsoft\Windows\Multimedia\SMupdate3 -> No File <==== ATTENTION
Task: {B396BD06-7E35-4E8D-A870-968964DE4835} - System32\Tasks\{4AF21A64-CA2A-48BD-AF8D-036955C9B5DE} => pcalua.exe -a "C:\Program Files (x86)\Plus-HD-9.5\Uninstall.exe" -c /fromcontrolpanel=1
Task: {EB6E4C59-EB39-4533-BA14-AB36A7513E33} - \PastaLeads -> No File <==== ATTENTION
 
AlternateDataStreams: C:\ProgramData\Temp:373E1720
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\N1Service => ""="service"
 
REG: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pcreg"
REG: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt"
 
FirewallRules: [{2E767F0A-15BD-432A-B899-F21B58847709}] => (Allow) c:\program files\pcreg\pcreg.exe
FirewallRules: [{2463DA0E-DCC2-4C4C-A143-35003AB4AE4B}] => (Allow) c:\program files\pcreg\pcreg.exe
FirewallRules: [{7F447D10-E073-4187-83E2-0399768AB187}] => (Allow) c:\program files\pcreg\service.exe
FirewallRules: [{A1A07909-4CF3-40F1-B718-4D26AFFBFA3B}] => (Allow) c:\program files\pcreg\service.exe
FirewallRules: [{013ACCCA-46DD-4F1C-80C8-C8E1D8639D32}] => (Allow) c:\program files\pcreg\service.exe
FirewallRules: [{BD4D2192-DCB8-43A3-8876-B64C34F56BC3}] => (Allow) c:\program files\pcreg\service.exe
FirewallRules: [{EA3C3DD3-74E2-4DC0-8CA4-8CE990D3EA81}] => (Allow) c:\program files\pcreg\pcreg.exe
FirewallRules: [{CB275A57-4086-4879-9D5D-1CAD94618748}] => (Allow) c:\program files\pcreg\pcreg.exe
FirewallRules: [{3969CE59-20CD-4203-B6CC-7CD9A19DE342}] => (Allow) C:\Users\blandine andre\AppData\Local\CrossBrowser\Application\crossbrowser.exe
FirewallRules: [{A3B9B193-203F-42E7-8C7A-E04388AAAED4}] => (Allow) C:\Users\blandine andre\AppData\Roaming\OAS\oas.exe
FirewallRules: [{D83E3A50-A74D-44F3-995B-DEF9AD4E91C2}] => (Allow) C:\Users\blandine andre\AppData\Roaming\OAS\oasupd.exe
 
C:\ProgramData\2abfacb28a86414db67072195669c416
C:\PROGRAM FILES (X86)\MS-TASKER
C:\Program Files (x86)\Plus-HD-9.5
c:\program files\pcreg
C:\Users\blandine andre\AppData\Local\CrossBrowser
C:\Users\blandine andre\AppData\Roaming\OAS
 
EmptyTemp:
*****************
 
Processes closed successfully.
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\Software\Microsoft\Windows\CurrentVersion\Run\\explorertask => value removed successfully
"HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b09e0fc7-7c2b-11e4-90ad-08edb90ffa08}" => key removed successfully
HKCR\CLSID\{b09e0fc7-7c2b-11e4-90ad-08edb90ffa08} => key not found. 
"HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f75407b1-10cf-11e3-950a-08edb90ffa08}" => key removed successfully
HKCR\CLSID\{f75407b1-10cf-11e3-950a-08edb90ffa08} => key not found. 
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\SOFTWARE\Policies\Google" => key removed successfully
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} => value removed successfully
C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\14fef81ee28d4335a493c2d@6383fd42ff9b4872bccb5b.com => path removed successfully
C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\OIBMBKA115048682@HYKFIU97176590.com => path removed successfully
C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com => path removed successfully
C:\Program Files (x86)\mozilla firefox\firefox.cfg => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{14298588-B4B1-4B32-96EC-789FA196E21E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{14298588-B4B1-4B32-96EC-789FA196E21E}" => key removed successfully
C:\windows\System32\Tasks\CXFYCNE => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CXFYCNE" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{20DF6493-BE84-4629-A932-2F360D70AF29}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{20DF6493-BE84-4629-A932-2F360D70AF29}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\Advanced IC Updating" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4763DF12-9BE9-45E7-9921-3F5D4F852E3B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4763DF12-9BE9-45E7-9921-3F5D4F852E3B}" => key removed successfully
C:\windows\System32\Tasks\{484DEEE6-9FA8-45F4-BED6-CF25959A7A38} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{484DEEE6-9FA8-45F4-BED6-CF25959A7A38}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{85DB2318-978C-4FDE-8159-86C999A28656}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{85DB2318-978C-4FDE-8159-86C999A28656}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\SMupdate2" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E4BCD81B-C53D-40AF-A7A8-56E82664DC47}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4BCD81B-C53D-40AF-A7A8-56E82664DC47}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Multimedia\SMupdate3" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B396BD06-7E35-4E8D-A870-968964DE4835}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B396BD06-7E35-4E8D-A870-968964DE4835}" => key removed successfully
C:\windows\System32\Tasks\{4AF21A64-CA2A-48BD-AF8D-036955C9B5DE} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{4AF21A64-CA2A-48BD-AF8D-036955C9B5DE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EB6E4C59-EB39-4533-BA14-AB36A7513E33}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB6E4C59-EB39-4533-BA14-AB36A7513E33}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PastaLeads => key not found. 
C:\ProgramData\Temp => ":373E1720" ADS removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\N1Service" => key removed successfully
 
========= REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pcreg" =========
 
Permanently delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pcreg (Yes/No)? The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt" =========
 
Permanently delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt (Yes/No)? The operation completed successfully.
 
 
 
========= End of Reg: =========
 
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2E767F0A-15BD-432A-B899-F21B58847709} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2463DA0E-DCC2-4C4C-A143-35003AB4AE4B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7F447D10-E073-4187-83E2-0399768AB187} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A1A07909-4CF3-40F1-B718-4D26AFFBFA3B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{013ACCCA-46DD-4F1C-80C8-C8E1D8639D32} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BD4D2192-DCB8-43A3-8876-B64C34F56BC3} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EA3C3DD3-74E2-4DC0-8CA4-8CE990D3EA81} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CB275A57-4086-4879-9D5D-1CAD94618748} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3969CE59-20CD-4203-B6CC-7CD9A19DE342} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A3B9B193-203F-42E7-8C7A-E04388AAAED4} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D83E3A50-A74D-44F3-995B-DEF9AD4E91C2} => value removed successfully
"C:\ProgramData\2abfacb28a86414db67072195669c416" => not found.
"C:\PROGRAM FILES (X86)\MS-TASKER" => not found.
"C:\Program Files (x86)\Plus-HD-9.5" => not found.
"c:\program files\pcreg" => not found.
"C:\Users\blandine andre\AppData\Local\CrossBrowser" => not found.
C:\Users\blandine andre\AppData\Roaming\OAS => moved successfully
EmptyTemp: => 2.9 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 15:34:05 ====
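The fix log above shows the usual classes of leftovers a fixlist has to cover: a Run value, MountPoints2 autorun handlers, scheduled tasks (some pointing at nothing, some into ProgramData), orphaned browser hooks and extensions, an alternate data stream, and firewall allow rules for programs in user-writable paths. The script below is an added example, written for this thread; it is not FRST's code and was not run by the poster. It parses lines in the formats FRST writes and attaches the reasons a responder would give for putting each entry in a fixlist. The heuristics (user-writable path, random-looking names, tasks filed under the Microsoft tree, rules pointing into directories the fix deletes) are this example's own assumptions, and the sample lines are constructed from the kinds of entries in the log, plus one invented benign task for contrast.

```python
"""Triage of FRST log entries: which lines earn a place in a fixlist, and why.

Added example for this thread; not FRST's code. The entry formats handled are
the ones FRST writes (Run, MountPoints2, Task, FirewallRules, FF Extension,
URLSearchHook, AlternateDataStreams); the scoring heuristics are assumptions
made for this example.
"""
import re

# Constructed sample input modelled on the fix log in the post. The last line
# is an invented benign task so that one entry comes back with no reasons.
SAMPLE_LOG = r"""
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\Run: [explorertask] => C:\PROGRAM FILES (X86)\MS-TASKER\MS-TASKER.EXE
HKU\S-1-5-21-3911025799-2270268569-1992172917-1000\...\MountPoints2: {b09e0fc7-7c2b-11e4-90ad-08edb90ffa08} - C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\start.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-3911025799-2270268569-1992172917-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
FF Extension: No Name - C:\Users\blandine andre\AppData\Roaming\Mozilla\Firefox\Profiles\nwoe6ptd.default\extensions\14fef81ee28d4335a493c2d@6383fd42ff9b4872bccb5b.com [not found]
Task: {14298588-B4B1-4B32-96EC-789FA196E21E} - System32\Tasks\CXFYCNE => C:\ProgramData\2abfacb28a86414db67072195669c416\2abfacb28a86414db67072195669c416.exe <==== ATTENTION
Task: {20DF6493-BE84-4629-A932-2F360D70AF29} - \Microsoft\Windows\Maintenance\Advanced IC Updating -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:373E1720
FirewallRules: [{A3B9B193-203F-42E7-8C7A-E04388AAAED4}] => (Allow) C:\Users\blandine andre\AppData\Roaming\OAS\oas.exe
Task: {0A0A0A0A-0000-0000-0000-000000000000} - \Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\system32\defrag.exe -c
"""

# Directories the fixlist deletes. Entries that point into them have to go as
# well: deleting the files does not delete a Run value or a firewall rule.
REMOVED_DIRS = (
    r"C:\ProgramData\2abfacb28a86414db67072195669c416",
    r"C:\PROGRAM FILES (X86)\MS-TASKER",
    r"C:\Users\blandine andre\AppData\Roaming\OAS",
)

KIND_PATTERNS = [
    ("run",        re.compile(r"\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*)$")),
    ("mountpoint", re.compile(r"\\MountPoints2: (?P<name>\{[^}]+\}) - (?P<target>.*)$")),
    ("task",       re.compile(r"^Task: (?P<name>\{[^}]+\}) - (?P<path>.+?) (?:=>|->) (?P<target>.*)$")),
    ("firewall",   re.compile(r"^FirewallRules: \[(?P<name>[^\]]+)\] => \((?P<action>\w+)\) (?P<target>.*)$")),
    ("ffext",      re.compile(r"^FF Extension: (?P<name>.+?) - (?P<target>.*)$")),
    ("urlhook",    re.compile(r"^URLSearchHook: (?P<target>.*)$")),
    ("ads",        re.compile(r"^AlternateDataStreams: (?P<target>.*)$")),
]
ATTENTION_SUFFIX = re.compile(r"\s*<=+\s*ATTENTION\s*$")
# Locations a standard user can write to; real software rarely autostarts from them.
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData|Temp|Users\\[^\\]+)\\", re.I)
# A 32-hex-digit or bare-GUID file/directory name, as droppers tend to generate.
RANDOM_NAME = re.compile(
    r"\\(?:[0-9a-f]{32}|\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})(?=\\|\.exe|$)", re.I)


def parse_line(line):
    """Split one FRST line into kind / name / target; unknown formats become 'other'."""
    line = line.strip()
    if not line:
        return None
    for kind, pattern in KIND_PATTERNS:
        m = pattern.search(line)
        if m:
            entry = {"kind": kind, "raw": line, **m.groupdict()}
            entry["target"] = ATTENTION_SUFFIX.sub("", entry["target"])
            return entry
    return {"kind": "other", "raw": line, "target": ATTENTION_SUFFIX.sub("", line)}


def triage_line(line, removed_dirs=()):
    """Attach the reasons an entry would be put in a fixlist (empty list = looks benign)."""
    entry = parse_line(line)
    if entry is None:
        return None
    kind, target = entry["kind"], entry["target"]
    reasons = []
    if "ATTENTION" in entry["raw"]:
        reasons.append("flagged by FRST")
    if "No File" in target or "[not found]" in target:
        reasons.append("target missing (orphaned entry)")
    if kind in ("run", "mountpoint", "task", "firewall") and USER_WRITABLE.search(target):
        reasons.append("runs from a user-writable path")
    if RANDOM_NAME.search(target):
        reasons.append("random-looking name")
    if any(target.lower().startswith(d.lower()) for d in removed_dirs):
        note = " (firewall rules are not deleted with the files)" if kind == "firewall" else ""
        reasons.append("points into a directory the fix removes" + note)
    # A task filed under \Microsoft\Windows\ that has any other problem is hiding among real ones.
    if kind == "task" and entry["path"].lower().startswith("\\microsoft\\windows\\") and reasons:
        reasons.append("masquerades under the Microsoft task tree")
    if kind == "mountpoint":
        reasons.append("autorun command bound to a drive letter")
    if kind == "ads":
        reasons.append("alternate data stream (hidden content)")
    if kind == "ffext" and entry["name"] == "No Name":
        reasons.append("no readable extension name")
    entry["reasons"] = reasons
    return entry


def triage(log_text, removed_dirs=()):
    """Return the entries that earned at least one reason, most suspicious first."""
    findings = [e for e in (triage_line(ln, removed_dirs) for ln in log_text.splitlines())
                if e and e["reasons"]]
    findings.sort(key=lambda e: len(e["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, REMOVED_DIRS):
        print(f"[{f['kind']}] {f['target']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the constructed sample, the CXFYCNE task comes out on top (flagged by FRST, runs from ProgramData, 32-hex directory name, and its directory is on the removal list), the "Advanced IC Updating" task is called out as an orphan hiding under the Microsoft task tree, and the invented defrag task gets no reasons at all. The removed-directory check is the point worth keeping in mind when writing a fixlist by hand: the OAS firewall rules and the MS-TASKER Run value survive the deletion of their targets unless they are listed separately, which is exactly why the fixlist above names them.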


#8 Aura


Posted 25 January 2016 - 12:24 PM

Good, the FRST fix went through as intended :) Now, we'll do a sweep on your system using JRT, AdwCleaner and Malwarebytes to catch the remnants that aren't showing up in FRST. Follow the instructions below please.

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;



#9 Aura


Posted 28 January 2016 - 09:25 AM

Hi Infecteduser,

Are you still with me? Can you follow the instructions in my previous post? :)



#10 Infecteduser05784956


Posted 28 January 2016 - 10:42 AM

Hi Infecteduser,

Are you still with me? Can you follow the instructions in my previous post? :)

 

Sorry I have been pretty busy with work since I have been working late. I will get to it tonight.



#11 Aura


Posted 02 February 2016 - 10:42 AM

Hi Infecteduser,

Are you still with me? Can you follow the instructions in my previous post? :)



#12 Infecteduser05784956


Posted 03 February 2016 - 10:25 AM

Hi Infecteduser,

Are you still with me? Can you follow the instructions in my previous post? :)

 

Sorry, Aura, for the late reply. We were having problems with the computer at hand, as it was recently updated to Windows 10. During that time the computer needed to be reset to manufacturer settings and have all files and apps removed. In this case, do you still need me to follow the instructions?



#13 Aura


Posted 03 February 2016 - 11:47 AM

It's all good :) If you had to reset the system to the manufacturer settings, I doubt that there'll be anything malicious left on it. However, just to be sure, I would like you to run FRST and get me the FRST.txt and Addition.txt logs. Once I confirm they are clean, we'll be done here :)

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry, which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files will open;
  • Copy and paste the content of FRST.txt in your next reply, and attach Addition.txt to it;



#14 Aura


Posted 06 February 2016 - 03:27 PM

Hi Infecteduser,

 

Are you still with me? Can you follow the instructions in my previous post? :)




#15 xXToffeeXx


Posted 10 February 2016 - 03:12 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~




