
trovis malware


12 replies to this topic

#1 giraffasus

  • Members
  • 97 posts
  • Gender: Male

Posted 07 March 2016 - 08:00 PM

I use Firefox. Recently I discovered that when I open a new tab I am brought to some address with trovis~. I was unsure as to why this was happening, for I haven't changed my browsing habits. The only thing that I can think of is when my daughter (3 years old) accidentally clicked some ads while I was away from the computer. But I am not sure if this is a possible reason for how I have this problem now.

 

Anyway, I ran AdwCleaner and it found something that I had removed. On reboot everything ran fine. This morning, however, when I opened up Firefox to check the weather I was redirected to the same trovis page. I ran the cleaner again and it found the same thing. This time I followed up with Junkware Removal. Here are the logs of both of those scans. Does anyone know if this issue has been removed? Also, as I assume this is because of the clicked ads, is Adblock Plus worth installing as an extension to prevent any such mistakes from occurring again (my daughter and I play point-and-click games on Kongregate.com occasionally)? I am off to work in about 30 minutes and will not be able to do anything until tonight at around 10, Japan time. Thanks.

 

Adwcleaner log

 

# AdwCleaner v5.101 - Logfile created 08/03/2016 at 07:59:47
# Updated 07/03/2016 by Xplode
# Database : 2016-03-06.3 [Server]
# Operating system : Windows 10 Pro  (x64)
# Username : Studio Something - GIRAFFASUS
# Running from : C:\Users\Chihiro and Jeffrey\Downloads\adwcleaner_5.101.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : CltMngSvc

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\SearchProtect
[-] Folder Deleted : C:\Users\Chihiro and Jeffrey\AppData\Local\SearchProtect

***** [ Files ] *****

[-] File Deleted : C:\Users\Chihiro and Jeffrey\AppData\Roaming\Mozilla\Firefox\Profiles\8oftypzd.default\searchplugins\trovi.xml
[-] File Deleted : C:\WINDOWS\apppatch\apppatch64\vcldr64.dll
[-] File Deleted : C:\WINDOWS\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
[-] File Deleted : C:\WINDOWS\AppPatch\Custom\Custom64\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb
[-] File Deleted : C:\WINDOWS\AppPatch\nbin\VC32Loader.dll

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\SearchProtect
[-] Key Deleted : HKLM\SOFTWARE\SearchProtect
[-] Key Deleted : HKLM\SOFTWARE\SPPDCOM
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]

***** [ Web browsers ] *****

[-] [C:\Users\Chihiro and Jeffrey\AppData\Roaming\Mozilla\Firefox\Profiles\8oftypzd.default\prefs.js] [Preference] Deleted : user_pref("browser.newtab.url", "hxxp://www.trovi.com/?gd=&ctid=CT3333673&octid=EB_ORIGINAL_CTID&ISID=E0CE57CF-A193-49D1-AAD3-A4E18EC1C925&SearchSource=69&CUI=&SSPV=&Lay=1&UM=8&UP=SPE9A98D80-DB2C-4546[...]
[-] [C:\Users\Chihiro and Jeffrey\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Chihiro and Jeffrey\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : nhk.or.jp
[-] [C:\Users\Chihiro and Jeffrey\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : resepinbox.com
[-] [C:\Users\Chihiro and Jeffrey\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : search.conduit.com
[-] [C:\Users\Chihiro and Jeffrey\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Chihiro and Jeffrey\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : booedmolknjekdopkepjjeckmjkdpfgl
[-] [C:\Users\Chihiro and Jeffrey\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : flpcjncodpafbgdpnkljologafpionhb

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [3237 bytes] - [08/03/2016 07:59:47]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S1].txt - [3510 bytes] - [08/03/2016 07:58:13]

########## EOF - C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [3423 bytes] ##########
 

JRT log

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 10 Pro x64
Ran by Studio Something (Administrator) on Tue 03/08/2016 at  8:09:47.34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\Users\Chihiro and Jeffrey\AppData\Roaming\media freeware (Folder)

Deleted the following from C:\Users\Chihiro and Jeffrey\AppData\Roaming\Mozilla\Firefox\Profiles\8oftypzd.default\prefs.js
user_pref(browser.search.selectedEngine, Trovi);



Registry: 0
 

 

Thanks again for any help.
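A defender-side check for the symptom described in this post, as an added example that is not part of the original thread or of AdwCleaner/JRT: it parses a Firefox prefs.js and flags the new-tab, homepage and search-engine preferences whose values point outside an allow-list, which are the same preferences the two logs above show being reset (browser.newtab.url and browser.search.selectedEngine). The sample prefs.js content, the allow-lists and the pref watch-list are constructed assumptions for this example.

```python
"""Audit a Firefox prefs.js for hijacked new-tab / homepage / search preferences.

Added example, not code from the thread or from AdwCleaner/JRT. The sample
prefs.js below is constructed, modelled on the entries the logs above report.
"""
import re
from urllib.parse import urlparse

# Preferences that browser hijackers commonly rewrite (assumed watch-list).
WATCHED_PREFS = {
    "browser.newtab.url",
    "browser.startup.homepage",
    "browser.search.selectedEngine",
    "browser.search.defaultenginename",
    "keyword.URL",
}

# Hosts / about: pages the owner considers legitimate (assumed allow-list).
ALLOWED_HOSTS = {"about:newtab", "about:home", "about:blank", "www.google.com"}
# Search engine names the owner expects (assumed allow-list).
ALLOWED_ENGINES = {"Google", "Bing", "DuckDuckGo", "Yahoo"}

# One prefs.js line: user_pref("name", value);  value is a quoted string,
# true/false or an integer.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

# Constructed sample, mirroring the entries AdwCleaner and JRT removed above.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample for this example)
user_pref("app.update.auto", true);
user_pref("browser.newtab.url", "hxxp://www.trovi.com/?gd=&ctid=CT3333673&SearchSource=69");
user_pref("browser.search.selectedEngine", "Trovi");
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("browser.startup.page", 1);
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; values are str, int or bool."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref()
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # unknown literal form: keep it verbatim
        prefs[name] = value
    return prefs


def host_of(value):
    """Hostname of a URL-like pref value; 'hxxp' defanging (as in the log) is undone."""
    v = value.replace("hxxps://", "https://").replace("hxxp://", "http://")
    if v.startswith("about:"):
        return v  # about: pages have no host; compare the page name itself
    parsed = urlparse(v if "://" in v else "http://" + v)
    return parsed.hostname or ""


def audit_prefs(prefs):
    """Return [(pref, value, reason)] for watched prefs pointing outside the allow-lists."""
    findings = []
    for name in sorted(WATCHED_PREFS.intersection(prefs)):
        value = prefs[name]
        if name in ("browser.search.selectedEngine", "browser.search.defaultenginename"):
            if value not in ALLOWED_ENGINES:
                findings.append((name, value, "search engine not in allow-list"))
        elif isinstance(value, str):
            host = host_of(value)
            if host not in ALLOWED_HOSTS:
                findings.append((name, value, f"host {host!r} not in allow-list"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in audit_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"SUSPICIOUS {pref} = {value!r}: {reason}")
```

Point the script at a real profile's prefs.js (read the file into `parse_prefs`) with Firefox closed, since Firefox rewrites prefs.js on exit.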




#2 giraffasus

  • Topic Starter
  • Members
  • 97 posts
  • Gender: Male

Posted 07 March 2016 - 08:28 PM

After closing Firefox, opening it up again and then opening a new tab, the same issue occurs. Here is the link it sends me to.

 

www.trovi.com/?gd=&ctid=CT3333673&octid=EB_ORIGINAL_CTID&ISID=E0CE57CF-A193-49D1-AAD3-A4E18EC1C925&SearchSource=69&CUI=&SSPV=&Lay=1&UM=8&UP=SPE9A98D80-DB2C-4546-9CD9-C74D24A11E32&D=030616

 

Only happens in firefox, not chrome. I will check back from time to time as the day goes by.



#3 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,474 posts
  • Gender: Male

Posted 07 March 2016 - 09:58 PM

Hi giraffasus :)

My name is Aura and I'll be assisting you with your issue. Follow the instructions below please.

MiniToolBox
  • Download MiniToolBox and move the file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Winsock Entries;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 giraffasus

  • Topic Starter
  • Members
  • 97 posts
  • Gender: Male

Posted 07 March 2016 - 10:58 PM

Thanks. I will start this tonight after I get home at 10. I am not sure what your time will be. But I will begin the process.



#5 giraffasus

  • Topic Starter
  • Members
  • 97 posts
  • Gender: Male

Posted 08 March 2016 - 09:22 AM

Here is the log for the MiniToolBox.

 

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by Studio Something (administrator) on 08-03-2016 at 23:21:22
Running from "C:\Users\Chihiro and Jeffrey\Downloads"
Microsoft Windows 10 Pro  (X64)
Model: MS-7635 Manufacturer: MSI
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
127.0.0.1                activate.adobe.com
========================= IP Configuration: ================================

NEC AtermWL300NU-GS(PA-WL300NU/GS) Wireless Network Adapter = Wireless Network Connection 2 (Connected)
Realtek PCIe GBE Family Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global
set interface interface="Local Area Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wireless Network Connection 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 10" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wireless Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Giraffasus
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 40-61-86-8F-D1-DF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 10:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
   Physical Address. . . . . . . . . : 1C-B1-7F-50-94-DB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : NEC AtermWL300NU-GS(PA-WL300NU/GS) Wireless Network Adapter
   Physical Address. . . . . . . . . : 1C-B1-7F-50-94-DB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::610a:a458:a6f6:4559%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, March 08, 2016 8:00:42 AM
   Lease Expires . . . . . . . . . . : Wednesday, March 09, 2016 10:03:22 PM
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.1
   DHCPv6 IAID . . . . . . . . . . . : 354201983
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-67-A6-5E-40-61-86-8F-D1-DF
   DNS Servers . . . . . . . . . . . : 192.168.10.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Server:  aterm.me
Address:  192.168.10.1

Name:    google.com
Addresses:  2404:6800:400a:807::200e
      216.58.197.14


Pinging google.com [216.58.197.14] with 32 bytes of data:
Reply from 216.58.197.14: bytes=32 time=29ms TTL=54
Reply from 216.58.197.14: bytes=32 time=24ms TTL=54

Ping statistics for 216.58.197.14:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 29ms, Average = 26ms
Server:  aterm.me
Address:  192.168.10.1

Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
      2001:4998:c:a06::2:4008
      2001:4998:58:c02::a9
      98.138.253.109
      98.139.183.24
      206.190.36.45


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=172ms TTL=45
Reply from 206.190.36.45: bytes=32 time=164ms TTL=45

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 164ms, Maximum = 172ms, Average = 168ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 14...40 61 86 8f d1 df ......Realtek PCIe GBE Family Controller
 10...1c b1 7f 50 94 db ......Microsoft Hosted Network Virtual Adapter
  5...1c b1 7f 50 94 db ......NEC AtermWL300NU-GS(PA-WL300NU/GS) Wireless Network Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.101     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.10.0    255.255.255.0         On-link    192.168.10.101    281
   192.168.10.101  255.255.255.255         On-link    192.168.10.101    281
   192.168.10.255  255.255.255.255         On-link    192.168.10.101    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.10.101    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.10.101    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  5    281 fe80::/64                On-link
  5    281 fe80::610a:a458:a6f6:4559/128
                                    On-link
  1    306 ff00::/8                 On-link
  5    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23552] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/08/2016 08:10:00 AM) (Source: Application Error) (User: )
Description: Faulting application name: plugin-container.exe, version: 44.0.2.5884, time stamp: 0x56bbf417
Faulting module name: mozglue.dll, version: 44.0.2.5884, time stamp: 0x56bbe58e
Exception code: 0x80000003
Fault offset: 0x0000ed3b
Faulting process id: 0x194c
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Faulting package full name: plugin-container.exe4
Faulting package-relative application ID: plugin-container.exe5

Error: (03/08/2016 08:09:52 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (03/08/2016 07:59:47 AM) (Source: Application Error) (User: )
Description: Faulting application name: plugin-container.exe, version: 44.0.2.5884, time stamp: 0x56bbf417
Faulting module name: mozglue.dll, version: 44.0.2.5884, time stamp: 0x56bbe58e
Exception code: 0x80000003
Fault offset: 0x0000ed3b
Faulting process id: 0x32c
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Faulting package full name: plugin-container.exe4
Faulting package-relative application ID: plugin-container.exe5

Error: (03/07/2016 10:18:46 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (03/07/2016 10:18:22 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (03/06/2016 07:27:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (03/06/2016 07:06:17 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (03/06/2016 07:06:07 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (03/06/2016 07:06:01 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (03/06/2016 07:00:08 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.


System errors:
=============
Error: (03/08/2016 08:09:59 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/08/2016 08:00:41 AM) (Source: Service Control Manager) (User: )
Description: The NetTcpActivator service depends on the NetTcpPortSharing service which failed to start because of the following error:
%%1058

Error: (03/08/2016 08:00:12 AM) (Source: Service Control Manager) (User: )
Description: The User Data Access_2bbdbd5 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (03/08/2016 08:00:12 AM) (Source: Service Control Manager) (User: )
Description: The User Data Storage_2bbdbd5 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (03/08/2016 08:00:12 AM) (Source: Service Control Manager) (User: )
Description: The Contact Data_2bbdbd5 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (03/08/2016 08:00:12 AM) (Source: Service Control Manager) (User: )
Description: The Sync Host_2bbdbd5 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (03/08/2016 07:59:47 AM) (Source: Service Control Manager) (User: )
Description: The Malwarebytes Anti-Exploit Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (03/08/2016 07:59:46 AM) (Source: Service Control Manager) (User: )
Description: The Search Protect Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 20000 milliseconds: Restart the service.

Error: (03/08/2016 07:59:46 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (03/08/2016 07:59:46 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Streamer Service service terminated unexpectedly.  It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (03/08/2016 08:10:00 AM) (Source: Application Error)(User: )
Description: plugin-container.exe44.0.2.588456bbf417mozglue.dll44.0.2.588456bbe58e800000030000ed3b194c01d178c53ff1ad9cC:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozglue.dll154acdd8-b645-4c3a-999b-719c623b65be

Error: (03/08/2016 08:09:52 AM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (03/08/2016 07:59:47 AM) (Source: Application Error)(User: )
Description: plugin-container.exe44.0.2.588456bbf417mozglue.dll44.0.2.588456bbe58e800000030000ed3b32c01d178c4e1cfceb5C:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozglue.dllcbaee575-9b1b-4b86-8aff-451e449f9757

Error: (03/07/2016 10:18:46 AM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (03/07/2016 10:18:22 AM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (03/06/2016 07:27:00 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (03/06/2016 07:06:17 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (03/06/2016 07:06:07 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (03/06/2016 07:06:01 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (03/06/2016 07:00:08 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.


CodeIntegrity Errors:
===================================
  Date: 2016-03-07 10:19:28.847
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-07 10:19:28.835
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-07 10:19:28.824
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-07 10:19:28.811
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-07 10:19:28.722
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-07 10:19:28.612
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-07 10:19:28.602
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-07 10:19:28.590
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-07 10:19:28.549
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-07 10:19:28.538
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.


=========================== Installed Programs ============================

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.1.0.5790 - Adobe Systems Inc.)
Adobe Anchor Service x64 CS4 (HKLM\...\{887797BF-37A5-4199-B0C9-0D38D6196E9A}) (Version: 2.0 - Adobe Systems Incorporated) Hidden
Adobe CMaps x64 CS4 (HKLM\...\{90BA8112-80B3-4617-A3C1-BD2771B60F74}) (Version: 2.0 - Adobe Systems Incorporated) Hidden
Adobe Creative Suite 4 Master Collection (HKLM-x32\...\Adobe_b2d6abde968e6f277ddbfd501383e02) (Version: 4.0 - Adobe Systems Incorporated)
Adobe CSI CS4 x64 (HKLM\...\{8DAA31EB-6830-4006-A99F-4DF8AB24714F}) (Version: 1 - Adobe Systems Incorporated) Hidden
Adobe Drive CS4 x64 (HKLM\...\{A3454894-144A-4D80-B605-C128FE0D7329}) (Version: 1 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
Adobe Fonts All x64 (HKLM\...\{6631325A-9B1B-4EE7-8E64-8CC4A6F10643}) (Version: 2.0 - Adobe Systems Incorporated) Hidden
Adobe InDesign CS4 Icon Handler x64 (HKLM\...\{B37A99DD-88E2-4ED0-80B4-1E054AB354BF}) (Version: 6.0 - Adobe Systems Incorporated) Hidden
Adobe Linguistics CS4 x64 (HKLM\...\{8875A1C0-6308-4790-8CF6-D34E89880052}) (Version: 4.0.0 - Adobe Systems Incorporated) Hidden
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1 - Adobe Systems Incorporated)
Adobe PDF Library Files x64 CS4 (HKLM\...\{DFFABE78-8173-4E97-9C5C-22FB26192FC5}) (Version: 9.0 - Adobe Systems Incorporated) Hidden
Adobe Photoshop CS4 (64 Bit) (HKLM\...\{D40172D6-CE2D-4B72-BF5F-26A04A900B7B}) (Version: 11.0 - Adobe Systems Incorporated) Hidden
Adobe Type Support x64 CS4 (HKLM\...\{8C8D673B-20FB-43E6-BCB7-9B3F78F2E762}) (Version: 9.0 - Adobe Systems Incorporated) Hidden
Adobe WinSoft Linguistics Plugin x64 (HKLM\...\{295CFB7C-A57E-4313-93E7-68E7CE1D0332}) (Version: 1.1 - Adobe Systems Incorporated) Hidden
Artha 1.0.3.0 (HKLM-x32\...\{DA9B11CD-46C8-40AD-BC88-8507C64FA8B7}_is1) (Version: 1.0.3.0 - Sundaram Ramaswamy)
CCleaner (HKLM\...\CCleaner) (Version: 5.12 - Piriform)
Connect (HKLM-x32\...\{B29AD377-CC12-490A-A480-1452337C618D}) (Version: 1.0.0.1 - Adobe Systems Incorporated) Hidden
Dropbox (HKCU\...\Dropbox) (Version: 3.14.7 - Dropbox, Inc.)
eReg (HKLM-x32\...\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}) (Version: 1.20.138.34 - Logitech, Inc.) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 48.0.2564.116 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.29.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
kuler (HKLM-x32\...\{098727E1-775A-4450-B573-3F441F1CA243}) (Version: 2.0 - Adobe Systems Incorporated) Hidden
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
Logitech SetPoint 6.61 (HKLM\...\sp6) (Version: 6.61.15 - Logitech)
Malwarebytes Anti-Exploit version 1.8.1.1189 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.8.1.1189 - Malwarebytes)
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 44.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 44.0.2 (x86 en-US)) (Version: 44.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 44.0.2.5884 - Mozilla)
NVIDIA 3D Vision Controller Driver 352.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 352.65 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 355.60 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 355.60 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.5.12.11 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.5.12.11 - NVIDIA Corporation)
NVIDIA Graphics Driver 355.60 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 355.60 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.3 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
PDF Settings CS4 (HKLM-x32\...\{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}) (Version: 9.0 - Adobe Systems Incorporated) Hidden
Photoshop Camera Raw (HKLM-x32\...\{CC75AB5C-2110-4A7F-AF52-708680D22FE8}) (Version: 5.0 - Adobe Systems Incorporated) Hidden
Photoshop Camera Raw_x64 (HKLM\...\{2D74E972-5A85-44DC-9193-8A302BA8C181}) (Version: 5.0 - Adobe Systems Incorporated) Hidden
Pixel Bender Toolkit (HKLM-x32\...\{43509E18-076E-40FE-AF38-CA5ED400A5A9}) (Version: 1.0 - Adobe Systems Incorporated) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7535 - Realtek Semiconductor Corp.)
Ruby 2.1.7-p400 (HKCU\...\{64763A89-6347-43AF-833F-3840615C62AE}_is1) (Version: 2.1.7-p400 - RubyInstaller Team)
Search Protect (HKLM-x32\...\SearchProtect) (Version: 3.0.400.27 - Client Connect LTD)
SHIELD Streaming (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv) (Version: 4.1.3000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_ShieldWirelessController) (Version: 2.5.12.11 - NVIDIA Corporation) Hidden
Suite Shared Configuration CS4 (HKLM-x32\...\{842B4B72-9E8F-4962-B3C1-1C422A5C4434}) (Version: 1.0 - Adobe Systems Incorporated) Hidden
Unity Web Player (HKCU\...\UnityWebPlayer) (Version: 4.6.1f1 - Unity Technologies ApS)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Widevine Media Optimizer Chrome 6.0.0 (HKCU\...\optimizer_chrome) (Version: 6.0.0.12757 - Widevine Technologies)
WinRAR 5.10 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.10.0 - win.rar GmbH)
WinSCP 5.5.5 (HKLM-x32\...\winscp3_is1) (Version: 5.5.5 - Martin Prikryl)
WPS Office (9.1.0.4746) (HKCU\...\WPS Office) (Version: 9.1.0.4746 - Kingsoft Corp.)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 62%
Total physical RAM: 2999.11 MB
Available physical RAM: 1137.46 MB
Total Virtual: 3703.11 MB
Available Virtual: 958.27 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:232.35 GB) (Free:114.65 GB) NTFS
3 Drive f: (HD-LSU2) (Fixed) (Total:931.51 GB) (Free:159.15 GB) NTFS

========================= Users: ========================================

User accounts for \\GIRAFFASUS

Administrator            DefaultAccount           Guest                    
Studio Something         


**** End of log ****
 



#6 giraffasus

giraffasus
  • Topic Starter

  • Members
  • 97 posts
  • Gender:Male
  • Local time:05:46 AM

Posted 08 March 2016 - 10:31 AM

I am off to bed now. I will be back tomorrow morning at around 7ish or so.



#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • Gender:Male
  • Local time:04:46 PM

Posted 08 March 2016 - 12:00 PM

Uninstall the following programs:
  • Adobe AIR - Outdated and vulnerable;
  • Search Protect - Browser hijacker;
Once done, follow the instructions below.

Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 giraffasus

giraffasus
  • Topic Starter

  • Members
  • 97 posts
  • Gender:Male
  • Local time:05:46 AM

Posted 08 March 2016 - 07:24 PM

Forgive the delay.

 

Here is the log

 

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2016/03/09 08:20:57 +0900</date>
<logfile>mbam-log-2016-03-09 (08-20-55).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.2.0.1024</version>
<malware-database>v2016.03.08.08</malware-database>
<rootkit-database>v2016.02.27.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<hostname>GIRAFFASUS</hostname>
<ip>192.168.10.101</ip>
<osversion>Windows 10</osversion>
<arch>x64</arch>
<username>Studio Something</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>405765</objects>
<time>984</time>
<processes>0</processes>
<modules>0</modules>
<keys>20</keys>
<values>3</values>
<datas>0</datas>
<folders>2</folders>
<files>15</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\INTERFACE\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\TYPELIB\{1112F282-7099-4624-A439-DB29D6551552}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\INTERFACE\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{1112F282-7099-4624-A439-DB29D6551552}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{1112F282-7099-4624-A439-DB29D6551552}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\OCComSDK.ComSDK.1</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\OCComSDK.ComSDK</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\OCComSDK.ComSDK</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\OCComSDK.ComSDK</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\OCComSDK.ComSDK.1</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\OCComSDK.ComSDK.1</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></key>
<key><path>HKU\S-1-5-21-2743054709-3552564822-1254010762-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}</path><vendor>PUP.Optional.Trovi</vendor><action>success</action><hash>2830b6cffd9c8caa09b0c4629b6956aa</hash></key>
<value><path>HKU\S-1-5-21-2743054709-3552564822-1254010762-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}</path><valuename>URL</valuename><vendor>PUP.Optional.Trovi</vendor><action>success</action><valuedata>http://www.trovi.com/Results.aspx?gd=&amp;ctid=CT3333673&amp;octid=EB_ORIGINAL_CTID&amp;ISID=E0CE57CF-A193-49D1-AAD3-A4E18EC1C925&amp;SearchSource=58&amp;CUI=&amp;UM=8&amp;UP=SPE9A98D80-DB2C-4546-9CD9-C74D24A11E32&amp;D=030616&amp;q={searchTerms}&amp;SSPV=</valuedata><hash>e7718302fc9d4ee8e0d83aec659faa56</hash></value>
<value><path>HKU\S-1-5-21-2743054709-3552564822-1254010762-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}</path><valuename>SuggestionsURL_JSON</valuename><vendor>PUP.Optional.Conduit</vendor><action>success</action><valuedata>http://suggest.seccint.com/CSuggestJson.ashx?prefix={searchTerms}&amp;SSPV=</valuedata><hash>aeaa8500aaefbe78afe149ad55ae26da</hash></value>
<value><path>HKU\S-1-5-21-2743054709-3552564822-1254010762-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}</path><valuename>DisplayName</valuename><vendor>PUP.Optional.Trovi</vendor><action>success</action><valuedata>Trovi</valuedata><hash>57011471881178befbbd2303a1639c64</hash></value>
<folder><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\39fdaae5-8e0e-493c-88ec-e05c3be06e42</path><vendor>PUP.Optional.Managera</vendor><action>success</action><hash>de7af4918a0f181e6c67fc089370ae52</hash></folder>
<folder><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\D8ADFCCA-EE7E-442C-9999-C4D14FEF360B</path><vendor>PUP.Optional.ExTutil</vendor><action>success</action><hash>4f0999ec92074ee800ebba4a27dc1fe1</hash></folder>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\spstub.exe</path><vendor>PUP.Optional.Conduit</vendor><action>success</action><hash>50088401a2f7ff37365f5c836a966d93</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\offer-9F0FCA0F-30BD-4459-A275-9DF040FC7441.exe</path><vendor>PUP.Optional.Conduit</vendor><action>success</action><hash>90c8eb9a653433034f4602ddae527987</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\dlLogic.exe</path><vendor>PUP.Optional.Conduit</vendor><action>success</action><hash>1741b6cf62374fe737df5cd0f30db14f</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\~nsu.tmp\Au_.exe</path><vendor>PUP.Optional.SearchProtect.AppFlsh</vendor><action>success</action><hash>ee6afe878910ae884879ab103fc220e0</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\HYD4222.tmp.1457264184\HTA\install.1457264184.zip</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>89cffb8ad1c8ee483dcbce3225e041bf</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\HYD4222.tmp.1457264184\HTA\3rdparty\OCComSDK.dll</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>c197c9bcb4e5999dbf491de3da2b5aa6</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\HYD4D63.tmp.1457264973\HTA\install.1457264973.zip</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>7bdddfa68613e15565a368987a8b669a</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\HYD4D63.tmp.1457264973\HTA\3rdparty\OCComSDK.dll</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>f167afd6d0c9cb6b46c2f50bd23307f9</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\HYD4D63.tmp.1457264973\HTA\3rdparty\OCSetupHlp.dll</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>1246285d50499b9bf4be4dd432d3b54b</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\nstC053.tmp\SPTool.dll</path><vendor>PUP.Optional.SearchProtect.AppFlsh</vendor><action>success</action><hash>c6926520524777bf447dd8e3c8398878</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\39fdaae5-8e0e-493c-88ec-e05c3be06e42\cs.js</path><vendor>PUP.Optional.Managera</vendor><action>success</action><hash>de7af4918a0f181e6c67fc089370ae52</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\39fdaae5-8e0e-493c-88ec-e05c3be06e42\manifest.json</path><vendor>PUP.Optional.Managera</vendor><action>success</action><hash>de7af4918a0f181e6c67fc089370ae52</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\D8ADFCCA-EE7E-442C-9999-C4D14FEF360B\bk.js</path><vendor>PUP.Optional.ExTutil</vendor><action>success</action><hash>4f0999ec92074ee800ebba4a27dc1fe1</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\D8ADFCCA-EE7E-442C-9999-C4D14FEF360B\cs.js</path><vendor>PUP.Optional.ExTutil</vendor><action>success</action><hash>4f0999ec92074ee800ebba4a27dc1fe1</hash></file>
<file><path>C:\Users\Chihiro and Jeffrey\AppData\Local\Temp\D8ADFCCA-EE7E-442C-9999-C4D14FEF360B\manifest.json</path><vendor>PUP.Optional.ExTutil</vendor><action>success</action><hash>4f0999ec92074ee800ebba4a27dc1fe1</hash></file>
</items>
</mbam-log>
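As an added example (not part of this thread, and not Malwarebytes' own tooling), the following Python script triages a Malwarebytes Anti-Malware 2.x XML log of the layout posted above: it counts what was removed by object type and detection family, lists anything the engine reported as not removed (those need a follow-up scan), and pulls out the hijacked search-scope URLs so the redirect target is visible without reading every line. The set of item tags it recognises is assumed from the log layout, and the embedded sample log is constructed with placeholder GUIDs, SID, hashes and paths rather than the indicators from this thread.

```python
"""Triage a Malwarebytes Anti-Malware 2.x XML log (added example, not from the thread).

Summarises what the scan removed by object type and detection family, lists
anything the engine could not remove, and extracts hijacked search-scope
URLs so the redirect target (here a Trovi domain) is visible at a glance.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

# Object kinds MBAM 2.x writes under <items> (assumed from the log layout).
ITEM_KINDS = ("process", "module", "key", "value", "data", "folder", "file", "sector")

# Constructed sample mirroring the layout of the log posted above.  The GUIDs,
# SID, hashes and temp paths are placeholders, not indicators from the thread.
SAMPLE_LOG = r"""<?xml version="1.0" encoding="UTF-8"?>
<mbam-log>
<header><date>2016/03/09 08:20:57 +0900</date><isadmin>yes</isadmin></header>
<summary><type>threat</type><result>completed</result><keys>2</keys><values>2</values><files>1</files></summary>
<items>
<key><path>HKLM\SOFTWARE\CLASSES\CLSID\{00000000-0000-0000-0000-000000000001}</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>placeholder</hash></key>
<key><path>HKU\S-1-5-21-0-0-0-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{00000000-0000-0000-0000-000000000002}</path><vendor>PUP.Optional.Trovi</vendor><action>success</action><hash>placeholder</hash></key>
<value><path>HKU\S-1-5-21-0-0-0-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{00000000-0000-0000-0000-000000000002}</path><valuename>URL</valuename><vendor>PUP.Optional.Trovi</vendor><action>success</action><valuedata>http://www.trovi.com/Results.aspx?ctid=CT0000000&amp;q={searchTerms}</valuedata><hash>placeholder</hash></value>
<value><path>HKU\S-1-5-21-0-0-0-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{00000000-0000-0000-0000-000000000002}</path><valuename>DisplayName</valuename><vendor>PUP.Optional.Trovi</vendor><action>success</action><valuedata>Trovi</valuedata><hash>placeholder</hash></value>
<file><path>C:\Users\user\AppData\Local\Temp\spstub.exe</path><vendor>PUP.Optional.Conduit</vendor><action>failed</action><hash>placeholder</hash></file>
</items>
</mbam-log>
"""


def parse_mbam_log(data):
    """Return a list of detection dicts from MBAM XML given as bytes or str.

    Real mbam-log files are UTF-16; pass them as bytes so expat can honour the
    declaration.  For str input the declaration is dropped first, because expat
    rejects a multi-byte encoding declaration on already-decoded text.
    """
    if isinstance(data, str):
        data = re.sub(r"^\s*<\?xml[^>]*\?>", "", data, count=1).lstrip()
    root = ET.fromstring(data)
    if root.tag != "mbam-log":
        raise ValueError("not an mbam-log document: root is <%s>" % root.tag)
    items_el = root.find("items")
    if items_el is None:
        return []
    items = []
    for el in items_el:
        if el.tag not in ITEM_KINDS:
            continue
        items.append({
            "kind": el.tag,
            "path": el.findtext("path", ""),
            "vendor": el.findtext("vendor", ""),
            "action": el.findtext("action", ""),
            "valuename": el.findtext("valuename"),
            "valuedata": el.findtext("valuedata"),
            "hash": el.findtext("hash", ""),
        })
    return items


def summarize(items):
    """Count detections per object kind and per detection family, and list
    anything whose action was not 'success' (those need a follow-up scan)."""
    by_kind = Counter(i["kind"] for i in items)
    by_family = Counter(i["vendor"] for i in items)
    not_removed = [(i["kind"], i["path"]) for i in items if i["action"] != "success"]
    return {"by_kind": by_kind, "by_family": by_family, "not_removed": not_removed}


def hijacked_search_urls(items):
    """Return (hostname, url) for registry values that point a search scope at
    an HTTP(S) URL; the hostname is what to look for in the other browsers too."""
    found = []
    for i in items:
        if i["kind"] != "value" or (i["valuename"] or "").lower() != "url":
            continue
        url = i["valuedata"] or ""
        if url.lower().startswith(("http://", "https://")):
            found.append((urlsplit(url).hostname, url))
    return found


def load_log(path):
    """Read an mbam-log file from disk as bytes (handles the UTF-16 files MBAM writes)."""
    with open(path, "rb") as fh:
        return parse_mbam_log(fh.read())


if __name__ == "__main__":
    detections = parse_mbam_log(SAMPLE_LOG)
    report = summarize(detections)
    print("objects removed by kind:   ", dict(report["by_kind"]))
    print("objects removed by family: ", dict(report["by_family"]))
    for kind, path in report["not_removed"]:
        print("NOT removed:", kind, path)
    for host, url in hijacked_search_urls(detections):
        print("search scope redirected to", host, "via", url)
```

Run it against a real log with `load_log(r"C:\path\to\mbam-log-....xml")`; the file is read as bytes on purpose, since MBAM writes UTF-16 and expat needs the raw bytes to apply that declaration. The hostname pulled from the search-scope URL is the thing to check for in Firefox and Chrome settings as well, because the registry entry only covers Internet Explorer.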
 



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • Gender:Male
  • Local time:04:46 PM

Posted 08 March 2016 - 08:00 PM

Good :) Follow the instructions below now please.

Temp File Cleaner (TFC)
  • Download Temp File Cleaner (TFC) and move it to your Desktop;
  • Right-click on TFC.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Simply click on Start to launch the clean-up and wait until it completes;
  • Depending on which processes are running, all your programs will be closed and explorer.exe (your Windows shell) will be killed; it will however be relaunched shortly after, so do not panic;
  • There's no log to give for this tool;



#10 giraffasus

giraffasus
  • Topic Starter

  • Members
  • 97 posts
  • Gender:Male
  • Local time:05:46 AM

Posted 08 March 2016 - 08:20 PM

Tool finished. No restart was necessary. 913.00 mb were cleaned.


Edited by giraffasus, 08 March 2016 - 08:21 PM.


#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • Gender:Male
  • Local time:04:46 PM

Posted 08 March 2016 - 08:29 PM

Awesome :) Back-up your profile in Mozilla Firefox, then reset its settings to default.

Back-up: https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles
Reset: https://support.mozilla.org/en-US/kb/reset-preferences-fix-problems

After that, let me know if Trovi is still there.



#12 giraffasus

giraffasus
  • Topic Starter

  • Members
  • 97 posts
  • Gender:Male
  • Local time:05:46 AM

Posted 08 March 2016 - 08:58 PM

Did so. Trovi seems to be gone as it doesn't redirect me to its page when I open a new tab. Thanks.



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • Gender:Male
  • Local time:04:46 PM

Posted 08 March 2016 - 09:10 PM

No problem, you're welcome :) Glad to see that your issue has been solved!





