All browsers infected with newpoptab


16 replies to this topic

#1 dilaaaa (Members, 8 posts)

Posted 12 March 2016 - 06:09 AM

Hello everyone, I have a problem with all of my browsers: Chrome, Mozilla, Edge. When I open a website, it often redirects me to newpoptab. I have looked for a way everywhere and followed some tutorials before, but still can't get rid of it. I tried extensions such as AdBlock, but they didn't help.

 

I have attached the files as requested in the tutorial.

Any help would be appreciated.

 

Regards, Dila

#2 olgun52 (Malware Response Team, 3,784 posts)

Posted 12 March 2016 - 06:50 AM

Hello dilaaaa, and welcome to BleepingComputer.
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log on to the computer as an administrator. (How do I log on to the computer as an administrator?)
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to the help here.

Thanks
======================================================================================
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

Sincerely

Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52 (Malware Response Team, 3,784 posts)

Posted 12 March 2016 - 10:14 AM

Kaspersky Internet Security (Enabled)
Windows Firewall is enabled.

Please disable Windows Firewall.

Multiple Firewall Programs installed!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause problems. Firewall programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two firewall programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
========================================================================================
Step 1:
FRST Script:
Please download the attached Fixlist.txt (5.93 KB) and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:
 Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete or Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:
Please download ZHPcleaner to your desktop.

  • Double click on ZHPCleaner to run the tool.
  • If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
  • Please click the button shown in the screenshot.
  • Then press the ''Repair'' button.
  • Browsers will automatically shut down.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.

Step 5:

  • Temporarily disable your Antivirus protection - if you don't know how to do that, please consult the article below.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Please download ZOEK and save it to your desktop (preferred version is the *.exe one - upper left corner).

http://hijackthis.nl/smeenk/

  • Attached to this message you will find a file called zoekscript.txt (188 bytes).
  • Download it too and save it to your desktop. It needs to be in the same location as the ZOEK tool.
  • Drag the zoekscript file and drop it onto the ZOEK icon. This should launch the program.
  • The scan may take a while and may need a reboot.
  • Upon completion a file zoek-results should appear.
  • Attach it for my review.

Edited by olgun52, 12 March 2016 - 10:22 AM.


#4 dilaaaa (Topic Starter, Members, 8 posts)

Posted 13 March 2016 - 05:55 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by dilaaaaaaa (2016-03-13 15:23:37) Run:2
Running from C:\Users\dilaaaaaaa\Desktop\FASTBAR
Loaded Profiles: dilaaaaaaa & .NET v4.5 & DefaultAppPool & .NET v4.5 Classic (Available Profiles: dilaaaaaaa & .NET v4.5 & DefaultAppPool & .NET v4.5 Classic)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Task: {CDEF7E19-C8C3-445D-8248-B19DA15A0B6B} - System32\Tasks\R@1n-KMS\Office16ProPlus => wmic
Task: {EEBF0582-2A95-40A9-9E23-019CAFC68E9B} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe
IFEO\OSppSvc.exe: [Debugger] KMS-R@1nhook.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
AutoConfigURL: [S-1-5-21-4256373668-756927198-2690470952-1001] => hxxp://stopblock.me/wpad.dat?138e20a26d1637258d606db5d87f7edf85771
ManualProxies: 0hxxp://stopblock.me/wpad.dat?138e20a26d1637258d606db5d87f7edf85771
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4256373668-756927198-2690470952-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO-x32: No Name -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> No File
FF ProfilePath: C:\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default
FF user.js: detected! => C:\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\user.js
FF Extension: No Name - C:\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\extensions\deskCutv2@gmail.com [not found]
FF Extension: IDM CC - C:\Users\dilaaaaaaa\AppData\Roaming\IDM\idmmzcc5
CHR HKLM\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka
CHR HKLM-x32\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka
S2 KMS-R@1n; C:\Windows\KMS-R@1n.exe [26112 2015-10-12] () [File not signed]
R1 {a5f532f8-3151-480d-b78a-7f5f31792e46}Gw64; C:\Windows\System32\drivers\{a5f532f8-3151-480d-b78a-7f5f31792e46}Gw64.sys [48784 2015-09-18] (StdLib)
C:\Users\dilaaaaaaa\Desktop\Windows 10 Chrome recurring popup www.newpoptab.com - Virus, Trojan, Spyware, and Malware Removal Logs.html
2016-03-08 09:13 - 2016-03-08 09:13 - 00000000 ____D C:\Users\dilaaaaaaa\Desktop\Windows 10 Chrome recurring popup www.newpoptab.com - Virus, Trojan, Spyware, and Malware Removal Logs_files
2016-03-08 09:12 - 2016-03-08 09:12 - 00110587 _____ C:\Users\dilaaaaaaa\Desktop\infected with newpoptab (so far only on firefox) - Virus, Trojan, Spyware, and Malware Removal Logs.html
2016-03-08 09:12 - 2016-03-08 09:12 - 00000000 ____D C:\Users\dilaaaaaaa\Desktop\infected with newpoptab (so far only on firefox) - Virus, Trojan, Spyware, and Malware Removal Logs_files
2016-03-08 09:11 - 2016-03-08 09:11 - 00391092 _____ C:\Users\dilaaaaaaa\Desktop\Answers to common security questions - Best Practices - Anti-Virus, Anti-Malware, and Privacy Software.html
2016-03-08 09:11 - 2016-03-08 09:11 - 00000000 ____D C:\Users\dilaaaaaaa\Desktop\Answers to common security questions - Best Practices - Anti-Virus, Anti-Malware, and Privacy Software_files
2016-03-08 09:06 - 2016-03-08 09:06 - 00083811 _____ C:\Users\dilaaaaaaa\Desktop\Remove Newpoptab.com pop-up ads (Virus Removal Guide).html
2016-03-08 09:06 - 2016-03-08 09:06 - 00000000 ____D C:\Users\dilaaaaaaa\Desktop\Remove Newpoptab.com pop-up ads (Virus Removal Guide)_files
2016-03-08 09:04 - 2016-03-08 09:04 - 00102500 _____ C:\Users\dilaaaaaaa\Desktop\Newpoptab Virus Removal From Chrome_Firefox - HowToRemove.Guide.html
2016-03-08 09:04 - 2016-03-08 09:04 - 00000000 ____D C:\Users\dilaaaaaaa\Desktop\Newpoptab Virus Removal From Chrome_Firefox - HowToRemove.Guide_files
2016-03-07 11:05 - 2016-03-07 11:07 - 00090774 _____ C:\TDSSKiller.3.1.0.9_07.03.2016_11.05.41_log.txt
C:\Users\dilaaaaaaa\AppData\Roaming\MAGIX
C:\ProgramData\Package Cache
2016-02-26 20:20 - 2016-03-12 17:12 - 00000091 _____ C:\HaxLogs.txt
2016-02-26 20:20 - 2016-02-26 20:20 - 00000000 ____D C:\Users\dilaaaaaaa\.AndroidStudio1.5
C:\ProgramData\DP45977C.lfl
2016-02-14 15:43 - 2016-02-14 15:43 - 00000000 ____D C:\Users\dilaaaaaaa\.idea-build
2016-02-14 10:51 - 2016-02-14 11:13 - 00000000 ____D C:\Users\dilaaaaaaa\.ivy2
2016-02-14 10:51 - 2016-02-14 11:06 - 00000000 ____D C:\Users\dilaaaaaaa\.sbt
2016-02-12 06:49 - 2016-02-12 06:49 - 00000000 ____D C:\Users\dilaaaaaaa\AppData\Roaming\HMYGSetting
2016-02-12 06:47 - 2016-02-12 06:47 - 00000000 ____D C:\Users\dilaaaaaaa\AppData\Roaming\Wondershare
2016-02-12 06:46 - 2016-02-12 06:46 - 00000000 ____D C:\Users\dilaaaaaaa\.IdeaIC15
2016-02-11 10:14 - 2016-03-02 10:54 - 00000000 ____D C:\Users\dilaaaaaaa\.android
2016-03-09 10:32 - 2015-09-13 07:58 - 00000000 ____D C:\Users\dilaaaaaaa\AppData\Roaming\DMCache
2016-03-09 09:52 - 2015-09-25 06:41 - 00000000 ____D C:\Users\dilaaaaaaa\AppData\Roaming\vlc
2016-03-08 09:05 - 2015-12-30 14:02 - 00000000 ____D C:\Users\dilaaaaaaa\AppData\Roaming\MiniLyrics
2016-02-28 22:20 - 2015-11-23 13:27 - 00000000 ____D C:\Users\dilaaaaaaa\AppData\Local\TSVNCache
2016-02-28 06:01 - 2016-01-17 09:58 - 00000000 ____D C:\Users\dilaaaaaaa\AppData\Roaming\Code
2016-02-12 06:41 - 2015-10-11 20:36 - 00000000 ____D C:\Users\dilaaaaaaa\AppData\Roaming\JetBrains
2015-10-26 15:40 - 2015-10-26 15:41 - 0064116 _____ () C:\Users\dilaaaaaaa\AppData\Local\rational_state.log
2015-10-09 08:47 - 2015-10-09 08:47 - 0007605 _____ () C:\Users\dilaaaaaaa\AppData\Local\Resmon.ResmonCfg
2016-02-15 21:04 - 2016-02-15 21:04 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\dilaaaaaaa\AppData\Local\Temp\9ae6-bd3d-d34f-db40.exe
C:\Users\dilaaaaaaa\AppData\Local\Temp\e5bc-21e5-051c-849d.exe
C:\Users\dilaaaaaaa\AppData\Local\Temp\e955-b07c-a8af-d353.exe
C:\Users\dilaaaaaaa\AppData\Local\Temp\hib1DF1.exe
C:\Users\dilaaaaaaa\AppData\Local\Temp\hib79E0.exe
C:\Users\dilaaaaaaa\AppData\Local\Temp\hibCA4B.exe
C:\Users\dilaaaaaaa\AppData\Local\Temp\KMP_Au_Uninstaller.exe
C:\Users\dilaaaaaaa\AppData\Local\Temp\sqlite3.dll
C:\Users\dilaaaaaaa\AppData\Local\Temp\{AC6BDF1F-2093-4D46-B4DF-3D72950F2149}.dll
C:\Users\dilaaaaaaa\AppData\Local\Temp\{BDE73365-FDFE-45A0-B46A-0848135E7792}.dll
Hosts:
EmptyTemp:
Reboot:
 
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDEF7E19-C8C3-445D-8248-B19DA15A0B6B} => key not found. 
C:\WINDOWS\System32\Tasks\R@1n-KMS\Office16ProPlus => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\R@1n-KMS\Office16ProPlus => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EEBF0582-2A95-40A9-9E23-019CAFC68E9B} => key not found. 
C:\WINDOWS\System32\Tasks\AutoPico Daily Restart => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoPico Daily Restart => key not found. 
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\OSppSvc.exe => key not found. 
"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.
HKLM\SOFTWARE\Policies\Google => key not found. 
HKU\S-1-5-21-4256373668-756927198-2690470952-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-4256373668-756927198-2690470952-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} => key not found. 
HKCR\Wow6432Node\CLSID\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} => key not found. 
FF ProfilePath: C:\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default => FRST is scripted not to move this directory.
FF user.js: detected! => C:\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\user.js => not found.
C:\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\extensions\deskCutv2@gmail.com => not found.
FF Extension: IDM CC - C:\Users\dilaaaaaaa\AppData\Roaming\IDM\idmmzcc5 => not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\eahebamiopdhefndnmappcihfajigkka" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eahebamiopdhefndnmappcihfajigkka" => key removed successfully
KMS-R@1n => service not found.
{a5f532f8-3151-480d-b78a-7f5f31792e46}Gw64 => service not found.
"C:\Users\dilaaaaaaa\Desktop\Windows 10 Chrome recurring popup www.newpoptab.com - Virus, Trojan, Spyware, and Malware Removal Logs.html" => not found.
"C:\Users\dilaaaaaaa\Desktop\Windows 10 Chrome recurring popup www.newpoptab.com - Virus, Trojan, Spyware, and Malware Removal Logs_files" => not found.
"C:\Users\dilaaaaaaa\Desktop\infected with newpoptab (so far only on firefox) - Virus, Trojan, Spyware, and Malware Removal Logs.html" => not found.
"C:\Users\dilaaaaaaa\Desktop\infected with newpoptab (so far only on firefox) - Virus, Trojan, Spyware, and Malware Removal Logs_files" => not found.
"C:\Users\dilaaaaaaa\Desktop\Answers to common security questions - Best Practices - Anti-Virus, Anti-Malware, and Privacy Software.html" => not found.
"C:\Users\dilaaaaaaa\Desktop\Answers to common security questions - Best Practices - Anti-Virus, Anti-Malware, and Privacy Software_files" => not found.
"C:\Users\dilaaaaaaa\Desktop\Remove Newpoptab.com pop-up ads (Virus Removal Guide).html" => not found.
"C:\Users\dilaaaaaaa\Desktop\Remove Newpoptab.com pop-up ads (Virus Removal Guide)_files" => not found.
"C:\Users\dilaaaaaaa\Desktop\Newpoptab Virus Removal From Chrome_Firefox - HowToRemove.Guide.html" => not found.
"C:\Users\dilaaaaaaa\Desktop\Newpoptab Virus Removal From Chrome_Firefox - HowToRemove.Guide_files" => not found.
"C:\TDSSKiller.3.1.0.9_07.03.2016_11.05.41_log.txt" => not found.
"C:\Users\dilaaaaaaa\AppData\Roaming\MAGIX" => not found.
"C:\ProgramData\Package Cache" => not found.
Could not move "C:\HaxLogs.txt" => Scheduled to move on reboot.
"C:\Users\dilaaaaaaa\.AndroidStudio1.5" => not found.
"C:\ProgramData\DP45977C.lfl" => not found.
"C:\Users\dilaaaaaaa\.idea-build" => not found.
"C:\Users\dilaaaaaaa\.ivy2" => not found.
"C:\Users\dilaaaaaaa\.sbt" => not found.
"C:\Users\dilaaaaaaa\AppData\Roaming\HMYGSetting" => not found.
"C:\Users\dilaaaaaaa\AppData\Roaming\Wondershare" => not found.
"C:\Users\dilaaaaaaa\.IdeaIC15" => not found.
"C:\Users\dilaaaaaaa\.android" => not found.
"C:\Users\dilaaaaaaa\AppData\Roaming\DMCache" => not found.
"C:\Users\dilaaaaaaa\AppData\Roaming\vlc" => not found.
"C:\Users\dilaaaaaaa\AppData\Roaming\MiniLyrics" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\TSVNCache" => not found.
"C:\Users\dilaaaaaaa\AppData\Roaming\Code" => not found.
"C:\Users\dilaaaaaaa\AppData\Roaming\JetBrains" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\rational_state.log" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Resmon.ResmonCfg" => not found.
"C:\ProgramData\DP45977C.lfl" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\9ae6-bd3d-d34f-db40.exe" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\e5bc-21e5-051c-849d.exe" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\e955-b07c-a8af-d353.exe" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\hib1DF1.exe" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\hib79E0.exe" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\hibCA4B.exe" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\KMP_Au_Uninstaller.exe" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\sqlite3.dll" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\{AC6BDF1F-2093-4D46-B4DF-3D72950F2149}.dll" => not found.
"C:\Users\dilaaaaaaa\AppData\Local\Temp\{BDE73365-FDFE-45A0-B46A-0848135E7792}.dll" => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 21 MB temporary data Removed.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-03-13 15:29:41)
 
"C:\HaxLogs.txt" => Could not move
 
==== End of Fixlog 15:29:41 ====
 
 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

 
 
# AdwCleaner v5.101 - Logfile created 13/03/2016 at 15:33:37
# Updated 07/03/2016 by Xplode
# Database : 2016-03-06.3 [Local]
# Operating system : Windows 10 Pro  (x64)
# Username : dilaaaaaaa - ANG
# Running from : C:\Users\dilaaaaaaa\Desktop\adwcleaner_5.101.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
 
*************************
 
C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [10450 bytes] - [12/03/2016 17:10:19]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S1].txt - [10215 bytes] - [12/03/2016 17:05:41]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S2].txt - [789 bytes] - [13/03/2016 15:33:37]
 
########## EOF - C:\Program Files (x86)\AdwCleaner\AdwCleaner[S2].txt - [881 bytes] ##########
 
 
 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 10 Pro x64 
Ran by dilaaaaaaa (Administrator) on 13/03/2016 at 15.43.27,90
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 9 
 
Successfully deleted: C:\Program Files (x86)\MiniLyrics (Folder)
Successfully deleted: C:\ProgramData\thunder network (Folder) 
Successfully deleted: C:\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\user.js (File) 
Successfully deleted: C:\Users\Public\thunder network (Folder) 
Successfully deleted: C:\WINDOWS\prefetch\DRIVERAGENT-SETUP.TMP-E664F7B4.pf (File) 
Successfully deleted: C:\WINDOWS\prefetch\DRIVERAGENT-SETUP.TMP-E823A833.pf (File) 
Successfully deleted: C:\WINDOWS\prefetch\DRIVERAGENT.EXE-11A76ADB.pf (File) 
Successfully deleted: C:\WINDOWS\prefetch\MINILYRICS.EXE-2D6AE254.pf (File) 
Successfully deleted: C:\WINDOWS\system32\Drivers\{a5f532f8-3151-480d-b78a-7f5f31792e46}Gw64.sys (File) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 13/03/2016 at 15.46.32,36
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
 

~ ZHPCleaner v2016.3.10.39 by Nicolas Coolman (2016/03/08)
~ Run by dilaaaaaaa (Administrator)  (13/03/2016 16:03:49)
~ State version : 
~ Type : Repair
~ Report : C:\Users\dilaaaaaaa\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\dilaaaaaaa\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 10 Pro, 64-bit  (Build 10586)
 
 
---\\  Services (0)
~ No malicious or unnecessary items found.
 
 
---\\  Browser internet (0)
 
 
---\\  Hosts file (1)
~ The hosts file is legitimate (1)
 
 
---\\  Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.
 
 
---\\  Explorer ( File, Folder) (4)
MOVED file: C:\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\searchplugins\yahoo.xml    =>PUP.Optional.BDYahoo
MOVED file: C:\Windows\KMS-R@1n.exe    =>HackTool.WinActivator
MOVED file: C:\Windows\SECOH-QAD.exe    =>HackTool.KMSpico
MOVED folder: C:\Program Files\KMSpico  =>HackTool.KMSpico
 
 
---\\  Registry ( Key, Value, Data) (8)
DELETED key*: HKEY_USERS\S-1-5-21-4256373668-756927198-2690470952-1001\SOFTWARE\SpringFiles []  =>.Superfluous.SpringFiles
DELETED key: HKCU\Software\SpringFiles []  =>.Superfluous.SpringFiles
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Prod.cap []  =>PUP.Optional.ClaroSearch
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\SpringFiles []  =>.Superfluous.SpringFiles
DELETED value: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\firewallRules\\{A328CFCC-D19A-461E-AB99-FFC156B62123} [C:\Program Files (x86)\SpringFiles\downloader.exe]  =>.Superfluous.SpringFiles
DELETED value: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\firewallRules\\{F7B13B47-A175-4F51-815A-43655704E8F4} [C:\Program Files (x86)\SpringFiles\downloader.exe]  =>.Superfluous.SpringFiles
DELETED value: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\firewallRules\\{9BC6534E-91BA-4137-8DC0-3DAC9696F639} [C:\Program Files (x86)\SpringFiles\SpringFiles.exe]  =>.Superfluous.SpringFiles
DELETED value: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\firewallRules\\{EBC3364E-97E9-4E99-8047-C6DFFF7555D6} [C:\Program Files (x86)\SpringFiles\SpringFiles.exe]  =>.Superfluous.SpringFiles
 
 
---\\  Summary of the elements found (5)
http://www.nicolascoolman.fr/?p=4664  =>PUP.Optional.BDYahoo
http://www.nicolascoolman.fr/?p=1053  =>HackTool.WinActivator
http://www.nicolascoolman.fr/?p=5145  =>.Superfluous.SpringFiles
http://www.nicolascoolman.fr/?p=356  =>PUP.Optional.ClaroSearch
 
 
---\\  Other deletions. (9)
~ Registry Keys Tracing deleted (9)
~ Remove the old reports ZHPCleaner. (0)
 
 
---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Opera Software)
 
 
---\\ Statistics
~ Items scanned : 690
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 12
 
 
~ End of clean in 00h00mn17s
===================
ZHPCleaner-[R]-13032016-16_04_06.txt
ZHPCleaner-[S]-13032016-16_02_37.txt
 
 
 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
 
 
And this is the result from the 5th step:
Attached file: zoek-results.log (7.7 KB)
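The Fixlog in this post shows where the redirect actually lived: a per-user proxy AutoConfigURL pointing at an attacker-controlled wpad.dat (which affects every browser on the machine, which is why AdBlock could not help), an Image File Execution Options "Debugger" hijack on OSppSvc.exe, a Chrome restriction policy plus an HKLM external-extension entry, an unsigned service in C:\Windows, a GUID-named driver and two KMS scheduled tasks. The script below is an added example, not part of the thread and not FRST, AdwCleaner or any other tool's code: it re-reads those same persistence points so the fix can be confirmed after the reboot. Function names and the output layout are the editor's own (assumptions); the registry and file paths are the standard Windows locations. Run it from an elevated PowerShell prompt on Windows 10.

```powershell
# Added example (not from the thread, not FRST output): re-check the persistence points
# the Fixlist above targeted. Run elevated. Function names are the editor's own.

function Get-UserProxyConfig {
    # Source of the FRST "AutoConfigURL" / "ManualProxies" lines. A PAC file fetched from
    # an unknown host decides which proxy every browser request uses, in all browsers.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoConfigURL = $p.AutoConfigURL
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
    }
}

function Get-IfeoDebuggers {
    # Source of the FRST "IFEO\OSppSvc.exe: [Debugger] ..." line. A Debugger value makes
    # Windows start that program instead of the named image: a launch hijack.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

function Get-ChromePolicyState {
    # Source of "GroupPolicy: Restriction - Chrome" and "CHR HKLM\SOFTWARE\Policies\Google":
    # local policy that adware uses to pin the homepage/search engine or force extensions.
    $result = @()
    $pol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'
    $result += [pscustomobject]@{ Check = 'Machine Registry.pol present'; Value = (Test-Path $pol) }
    foreach ($k in 'HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google') {
        $result += [pscustomobject]@{ Check = "$k present"; Value = (Test-Path $k) }
    }
    # External-extension entries: the mechanism behind the eahebami... key FRST removed.
    foreach ($k in 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                   'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
        Get-ChildItem -Path $k -ErrorAction SilentlyContinue | ForEach-Object {
            $u = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).update_url
            $result += [pscustomobject]@{ Check = "External extension $($_.PSChildName)"; Value = $u }
        }
    }
    $result
}

function Get-ActiveHostsEntries {
    # FRST restored the hosts file; anything that is not a comment deserves a look.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_.Trim() -ne '' -and -not $_.Trim().StartsWith('#') }
}

function Get-UnsignedServiceBinaries {
    # FRST listed an unsigned service (KMS-R@1n in C:\Windows) and a GUID-named driver.
    # Report every service or driver whose binary lacks a valid Authenticode signature.
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        Get-CimInstance -ClassName $class | ForEach-Object {
            if ($_.PathName -match '^"?(.+?\.(?:exe|sys))(?:"|\s|$)') {
                # Normalise the kernel-style paths drivers use before touching the file.
                $bin = $Matches[1] -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot `
                                   -replace '^(?i)system32\\', "$env:SystemRoot\System32\"
                if (Test-Path -LiteralPath $bin) {
                    $sig = Get-AuthenticodeSignature -FilePath $bin
                    if ($sig.Status -ne 'Valid') {
                        [pscustomobject]@{ Kind = $class; Name = $_.Name; Path = $bin; Signature = $sig.Status }
                    }
                }
            }
        }
    }
}

function Get-TasksOutsideSystemDirs {
    # The two KMS tasks FRST removed launched binaries outside the Windows directories.
    # Report scheduled tasks whose executable is not under Windows or Program Files.
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
            $exe = [Environment]::ExpandEnvironmentVariables($_.Execute.Trim('"'))
            $inside = $roots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inside) {
                [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Execute = $exe; Arguments = $_.Arguments }
            }
        }
    }
}

# Usage: run every check; each should come back empty or with entries you recognise.
Get-UserProxyConfig
Get-IfeoDebuggers
Get-ChromePolicyState | Format-Table -AutoSize
Get-ActiveHostsEntries
Get-UnsignedServiceBinaries | Format-Table -AutoSize
Get-TasksOutsideSystemDirs | Format-Table -AutoSize
```

The script only reads; it removes nothing, so it is safe to run between the helper's steps. A bare command such as `wmic` in the task report (the R@1n-KMS task above used exactly that) is flagged because it has no path, which is the point: a task that launches a LOLBin with arguments is worth reading, not dismissing. The proxy check is per-user, so run it in the account that sees the redirects.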


#5 olgun52 (Malware Response Team, 3,784 posts)

Posted 13 March 2016 - 01:13 PM

Thanks for the Logs.

 

Please download MiniToolBox and save it to your Desktop.

  • Right click MiniToolBox and select "Run as administrator" to run it (if running Windows XP, just double click it to run it).
  • Checkmark the following boxes:
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • Flush DNS
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Devices (Do NOT change any settings here)
    • List Users, Partitions and Memory size
    • List Restore Points
  • Now click Go.
  • A file named Result.txt will be created in the same location where you downloaded MiniToolBox.exe.
  • Please attach the Result.txt log to your next reply.

=======================================================================

Scan with Zemana AntiMalware Free:

  • Turn off the real time scanner of any existing antivirus and firewall programs while performing the scan.
  • Please download and install Zemana AntiMalware Free.
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway''.
  • Auto Launch > Untick the box next to it.
  • Scan type > Smart scan (Default).
  • Close all open files, folders and browsers.
  • Click Scan now (''Run as Administrator'') and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.


#6 dilaaaa (Topic Starter, Members, 8 posts)

Posted 13 March 2016 - 07:00 PM

Thanks for your guidance

 

This is the result from MiniToolBox:

Attached file: MTB.txt (31.1 KB)

 

 

==========================================================================================

This is the report from Zemana. 

 

Zemana AntiMalware 2.20.2.8 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/3/14
Operating System       : Windows 10 64-bit
Processor              : 4X Intel® Core™ i5-3317U CPU @ 1.70GHz
BIOS Mode              : Legacy
CUID                   : 008F28DADEBA0D43BB4D7A
Scan Type              : Smart Scan
Duration               : 1m 36s
Scanned Objects        : 9392
Detected Objects       : 0
Excluded Objects       : 0
Read Level             : Normal
Auto Upload            : ON
Detect All Extensions  : OFF
Scan Documents         : OFF
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
There are no detected objects
=================================================================================


#7 olgun52 (Malware Response Team, 3,784 posts)

Posted 15 March 2016 - 11:39 AM

Hi again,

 

Step 1:
 Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 2:

MalwareBytes Anti-Rootkit scan:

  • Close all the running processes
  • Be sure to temporarily disable all antivirus/anti-spyware softwares
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.

:step1: Download MalwareBytes Anti-Rootkit software from here to your desktop.

  • Right-click on Mbar 1.09.1.1004.exe and select Run As Administrator  to launch the application.

:step2: Open a folder with MBAR name on desktop.
:step3: The MBAR folder in the list you find.
:step4: Click once. :step5:  Now click the OK button. :step6: Click the OK button again.

Ashampoo_Snap_2015.05.21_21h16m53s_002__
 
:step7: Then Next and click on the Uptade button
:step8: Now click on the scan button

  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two messages boxes:
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please attach the two log files created by the tool within the folder from which it was run.
  • The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

Step 3:

RogueKiller scan:

  • Please download and run RogueKiller 32/64 bit to your desktop
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
  • Click Scan to scan the system.
  • When the scan completes > Close out the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!
  • Post back the report which should be located on your desktop.

 


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#8 dilaaaa

dilaaaa
  • Topic Starter

  • Members
  • 8 posts
  • Local time:04:39 AM

Posted 16 March 2016 - 12:37 AM

=====================================================================================================

This is the result from MalwareBytes :

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 16/03/2016
Scan Time: 05.24
Logfile: MalwareBytes.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.03.15.07
Rootkit Database: v2016.03.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: dilaaaaaaa
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 490884
Time Elapsed: 18 min, 15 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 9
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\APPID\{8a4a8b42-a270-4ad4-95c3-815ded6433fc}, Quarantined, [ab682d5b7128de5867bdf9ccf80a9769], 
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{8A4A8B42-A270-4AD4-95C3-815DED6433FC}, Quarantined, [ab682d5b7128de5867bdf9ccf80a9769], 
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{8A4A8B42-A270-4AD4-95C3-815DED6433FC}, Quarantined, [ab682d5b7128de5867bdf9ccf80a9769], 
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\APPID\{906d7e81-6355-4069-b02d-bcfdfe2885e7}, Quarantined, [6fa413754356ff3775b0497ca55d3cc4], 
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{906D7E81-6355-4069-B02D-BCFDFE2885E7}, Quarantined, [6fa413754356ff3775b0497ca55d3cc4], 
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{906D7E81-6355-4069-B02D-BCFDFE2885E7}, Quarantined, [6fa413754356ff3775b0497ca55d3cc4], 
PUP.Optional.TweakBit, HKLM\SOFTWARE\WOW6432NODE\TWEAKBIT\ATPopups, Quarantined, [1bf87315fd9cfa3c99825dd4c1438d73], 
PUP.Optional.TweakBit, HKLM\SOFTWARE\WOW6432NODE\TWEAKBIT\ATUpdaters, Quarantined, [cb48d7b14e4bac8a17043df4f70d11ef], 
PUP.Optional.TweakBit, HKLM\SOFTWARE\WOW6432NODE\TWEAKBIT\Google Analytics Package, Quarantined, [b3603c4c5b3ebf77839a3001ca3ae719], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 2
PUP.Optional.CharmSavings, C:\Users\dilaaaaaaa\AppData\Local\Google\Chrome\User Data\Default\databases\http_charmsavings.com_0, Quarantined, [779c02869504b6808e84b85657ac3cc4], 
PUP.Optional.CharmSavings, C:\Users\dilaaaaaaa\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\http_charmsavings.com_0.indexeddb.leveldb, Quarantined, [19fa72160198e551100362ac1ae960a0], 
 
Files: 9
CrackTool.Agent, C:\Program Files\WinRAR\Keygen.exe, Quarantined, [e92a8305badf043215129acf1ae8ce32], 
HackTool.Agent.KMS, C:\Windows\KMS-QADhook.dll, Quarantined, [9b789ceccccd063077705c2c1ce6f907], 
PUP.Optional.CharmSavings, C:\Users\dilaaaaaaa\AppData\Local\Google\Chrome\User Data\Default\databases\http_charmsavings.com_0\2, Quarantined, [779c02869504b6808e84b85657ac3cc4], 
PUP.Optional.CharmSavings, C:\Users\dilaaaaaaa\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\http_charmsavings.com_0.indexeddb.leveldb\000003.log, Quarantined, [19fa72160198e551100362ac1ae960a0], 
PUP.Optional.CharmSavings, C:\Users\dilaaaaaaa\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\http_charmsavings.com_0.indexeddb.leveldb\CURRENT, Quarantined, [19fa72160198e551100362ac1ae960a0], 
PUP.Optional.CharmSavings, C:\Users\dilaaaaaaa\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\http_charmsavings.com_0.indexeddb.leveldb\LOCK, Quarantined, [19fa72160198e551100362ac1ae960a0], 
PUP.Optional.CharmSavings, C:\Users\dilaaaaaaa\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\http_charmsavings.com_0.indexeddb.leveldb\LOG, Quarantined, [19fa72160198e551100362ac1ae960a0], 
PUP.Optional.CharmSavings, C:\Users\dilaaaaaaa\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\http_charmsavings.com_0.indexeddb.leveldb\LOG.old, Quarantined, [19fa72160198e551100362ac1ae960a0], 
PUP.Optional.CharmSavings, C:\Users\dilaaaaaaa\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\http_charmsavings.com_0.indexeddb.leveldb\MANIFEST-000001, Quarantined, [19fa72160198e551100362ac1ae960a0], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
=================================================================================================
 
 
This is the result from Rogue Killer Scan
 
 
 
RogueKiller V12.0.2.0 [Mar 14 2016] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : dilaaaaaaa [Administrator]
Started from : C:\Users\dilaaaaaaa\Desktop\RogueKiller.exe
Mode : Scan -- Date : 03/16/2016 11:40:42
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 12 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{107d4ce3-88ae-4de8-ae74-8c5509329494} | NameServer : 192.168.4.28 0.0.0.0 ([-][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98f238a2-cc85-4b97-b2e4-1f059a0c50af} | DhcpNameServer : 192.168.12.1 202.152.50.103 202.152.50.99 8.8.8.8 107.170.254.221 ([-][X][X][-][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9415bd1-0b35-4c94-8b30-111ceab15881} | NameServer : 112.215.71.242 112.215.71.243 ([X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc6d7bc1-7299-4891-966c-919927430f43} | DhcpNameServer : 172.16.12.33 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ecfa23e8-fdaa-422f-8f84-0a1f22d4e395} | NameServer : 112.215.71.242 112.215.71.243 ([X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f8190542-74ef-4065-a015-03addfa72b8d} | NameServer : 112.215.71.242 112.215.71.243 ([X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{107d4ce3-88ae-4de8-ae74-8c5509329494} | NameServer : 192.168.4.28 0.0.0.0 ([-][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{98f238a2-cc85-4b97-b2e4-1f059a0c50af} | DhcpNameServer : 192.168.12.1 202.152.50.103 202.152.50.99 8.8.8.8 107.170.254.221 ([-][X][X][-][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a9415bd1-0b35-4c94-8b30-111ceab15881} | NameServer : 112.215.71.242 112.215.71.243 ([X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bc6d7bc1-7299-4891-966c-919927430f43} | DhcpNameServer : 172.16.12.33 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ecfa23e8-fdaa-422f-8f84-0a1f22d4e395} | NameServer : 112.215.71.242 112.215.71.243 ([X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f8190542-74ef-4065-a015-03addfa72b8d} | NameServer : 112.215.71.242 112.215.71.243 ([X][X])  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi Hitachi +++++
--- User ---
[MBR] 2cb3fa6d24b28595c38465731b51fbb2
[BSP] 8bb2589e3c797a30b3ca4dd11b773497 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13683 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 28024832 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 28741632 | Size: 150902 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 337788928 | Size: 312000 MB
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!
 
+++++ PhysicalDrive1: SAMSUNG SAMSUNG +++++
--- User ---
[MBR] d1dc4c1423a9fa345ee549a1ebed6d8f
[BSP] e42a334ec857216cc59e4cd84a7e0d70 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] OS/2-HIBER (0x84) [HIDDEN!] Offset (sectors): 2048 | Size: 11483 MB
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!
 
 
================================================================================================
 
 
And this is the attachment from the MBAR result:
Attached File  mbar-log-2016-03-16 (10-55-24).txt   2.06KB   2 downloads

Attached File  system-log.txt   113.65KB   1 downloads
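One way to triage the [PUM.Dns] lines in a RogueKiller report like the one above, as an added example that is not part of this thread and not RogueKiller's own code: it parses the findings, merges the CurrentControlSet/ControlSet001 duplicates, and labels each resolver address against an analyst-supplied allowlist (the allowlist and the wording of the labels are assumptions; the sample lines are constructed from the values in the report).

```python
import ipaddress
import re
from dataclasses import dataclass

# Shape of one RogueKiller DNS finding, as printed in the report above:
# [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\...\Interfaces\{guid} | NameServer : 1.2.3.4 ([X])  -> Found
PUM_DNS_RE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>\S+)\s*\|\s*"
    r"(?P<value>NameServer|DhcpNameServer)\s*:\s*(?P<servers>[^(]+?)\s*"
    r"\((?P<marks>(?:\[[-X]\])+)\)\s*->\s*Found\s*$"
)
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
CONTROL_SET_RE = re.compile(r"\\System\\(CurrentControlSet|ControlSet\d+)\\", re.I)


@dataclass(frozen=True)
class DnsFinding:
    interface: str        # adapter GUID taken from the registry key
    value: str            # NameServer (static override) or DhcpNameServer (DHCP-assigned)
    servers: tuple        # resolver addresses in registry order
    marks: tuple          # RogueKiller's per-server mark ([X] or [-]), kept verbatim
    control_sets: tuple   # control sets the identical setting was reported under


def parse_pum_dns(lines):
    """Parse [PUM.Dns] lines and merge duplicates reported under several control sets."""
    merged = {}
    for line in lines:
        m = PUM_DNS_RE.match(line.strip())
        if not m:
            continue  # not a DNS finding (section headers, other detections, blanks)
        guid = GUID_RE.search(m.group("key"))
        cset = CONTROL_SET_RE.search(m.group("key"))
        key = (guid.group(1).lower() if guid else m.group("key"),
               m.group("value"), tuple(m.group("servers").split()))
        marks = tuple(re.findall(r"\[([-X])\]", m.group("marks")))
        entry = merged.setdefault(key, {"marks": marks, "csets": []})
        entry["csets"].append(cset.group(1) if cset else "?")
    return [DnsFinding(k[0], k[1], k[2], v["marks"], tuple(v["csets"]))
            for k, v in merged.items()]


def classify_server(addr, allowlist):
    """Label one resolver address so the analyst can decide what needs attention."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.is_unspecified:
        return "unspecified (0.0.0.0 placeholder)"
    if addr in allowlist:
        return "allowed"
    if ip.is_private:
        return "private (LAN gateway or internal resolver)"
    return "public resolver not in allowlist: verify who operates it"


def triage(lines, allowlist=frozenset()):
    """(finding, {server: label}) pairs; static NameServer overrides are listed first."""
    findings = parse_pum_dns(lines)
    findings.sort(key=lambda f: (f.value != "NameServer", f.interface))
    return [(f, {s: classify_server(s, allowlist) for s in f.servers}) for f in findings]


def servers_to_review(lines, allowlist=frozenset()):
    """Public resolver addresses that are not allowlisted, sorted for reporting."""
    out = set()
    for _, labels in triage(lines, allowlist):
        out.update(s for s, label in labels.items() if label.startswith("public"))
    return sorted(out)


# Constructed sample in the format RogueKiller used in the thread (values from that report).
SAMPLE_REPORT = [
    "Registry : 4",
    r"[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{107d4ce3-88ae-4de8-ae74-8c5509329494} | NameServer : 192.168.4.28 0.0.0.0 ([-][X])  -> Found",
    r"[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9415bd1-0b35-4c94-8b30-111ceab15881} | NameServer : 112.215.71.242 112.215.71.243 ([X][X])  -> Found",
    r"[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98f238a2-cc85-4b97-b2e4-1f059a0c50af} | DhcpNameServer : 192.168.12.1 202.152.50.103 202.152.50.99 8.8.8.8 107.170.254.221 ([-][X][X][-][X])  -> Found",
    r"[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a9415bd1-0b35-4c94-8b30-111ceab15881} | NameServer : 112.215.71.242 112.215.71.243 ([X][X])  -> Found",
]

if __name__ == "__main__":
    for finding, labels in triage(SAMPLE_REPORT, allowlist={"8.8.8.8"}):
        print(finding.value, finding.interface, ", ".join(finding.control_sets), labels)
    print("review:", servers_to_review(SAMPLE_REPORT, allowlist={"8.8.8.8"}))
```

Static NameServer entries on an adapter deserve the closest look, since the DHCP-assigned list is refreshed from the router while a static override survives a lease renewal.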



#9 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male
  • Local time:12:39 AM

Posted 16 March 2016 - 05:16 PM

Reset TCP/IP using NetShell utility

You can reset Internet Protocol to its default state using the NetShell or netsh utility.

To do so, open command prompt, type the following and hit Enter:

    netsh int ip reset resettcpip.txt

=============================

You can take the easy way out. Use this Microsoft Fix It 50199 to easily and automatically reset Internet Protocol.

Do note that the Fix It works on Windows 7 and Windows Vista

====================================================================================

 

Internet Explorer 9, 10 and 11 (Win) - Clearing Cache and Cookies
https://kb.wisc.edu/page.php?id=15141
Next >>
How to reset Internet Explorer settings
https://support.microsoft.com/en-us/kb/923737

 

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141

 

For Chrome:
Delete your cache, history, and other browser data
https://support.google.com/chrome/answer/95582?hl=en
Next >>
Reset Chrome browser settings

https://support.google.com/chrome/answer/3296214?hl=en

 

=======================================================================================

 Java update:
Updating Java and Clearing Cache:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to update.

  • Download the latest version of Java Runtime Environment (JRE) 8
  • Recommended Version is 8 Update 73
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows Offline (64-bit)  and save the file.
  • Close any programs you may have running - especially your web browser.
  • Please uninstall the older version in the process.

See this page for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Installed Applications and Applets
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

 


Best regards
 

 


 


#10 dilaaaa

dilaaaa
  • Topic Starter

  • Members
  • 8 posts
  • Local time:04:39 AM

Posted 17 March 2016 - 05:51 PM

Is the process already done? Because it looks like the popup doesn't show up anymore   :)



#11 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male
  • Local time:12:39 AM

Posted 17 March 2016 - 06:25 PM

You must do all, please.


Best regards
 

 


 


#12 dilaaaa

dilaaaa
  • Topic Starter

  • Members
  • 8 posts
  • Local time:04:39 AM

Posted 18 March 2016 - 05:43 PM

Yes, I did it all as you told me to do 



#13 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male
  • Local time:12:39 AM

Posted 19 March 2016 - 12:22 PM

Thank you.

Please do the following.

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

===================================================

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

=========================================================================

How is the machine running now? Any issues? Please let me know.

----------------------------------------------------------------
Things I would like to see in your next reply. :thumbup2:

  • Eset report
  • Emsisoft report

Best regards
 

 


 


#14 dilaaaa

dilaaaa
  • Topic Starter

  • Members
  • 8 posts
  • Local time:04:39 AM

Posted 20 March 2016 - 07:47 AM

So far, the pop up doesn't show up anymore and it hasn't redirected me to another page either  :thumbup2:

 

 

 

--------------------------------------------------------------------------------------------------------------------------------------------

The result of Emsisoft

 

Emsisoft Emergency Kit - Version 11.0
Last update: 20/03/2016 06.25.32
User account: ANG\dilaaaaaaa
 
Scan settings:
 
Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\, D:\, E:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 20/03/2016 06.30.08
C:\FRST\Quarantine\C\Users\dilaaaaaaa\AppData\Local\Temp\hib1DF1.exe.xBAD detected: Gen:Variant.Adware.Razy.7762 ( B )
C:\FRST\Quarantine\C\Users\dilaaaaaaa\AppData\Local\Temp\hib79E0.exe.xBAD detected: Gen:Variant.Adware.Razy.7762 ( B )
C:\FRST\Quarantine\C\Users\dilaaaaaaa\AppData\Local\Temp\hibCA4B.exe.xBAD detected: Gen:Variant.Adware.Razy.7762 ( B )
C:\ProgramData\Kaspersky Lab\AVP16.0.0\QB\13d76ce9fa581a76.klq -> (Quarantine-6) detected: Trojan.GenericKD.3066104 ( B )
C:\ProgramData\Kaspersky Lab\AVP16.0.0\QB\1b855d3af9dd933c.klq -> (Quarantine-6) detected: Trojan.GenericKD.3066104 ( B )
C:\ProgramData\Kaspersky Lab\AVP16.0.0\QB\6c947d76181b0546.klq -> (Quarantine-6) detected: Gen:Variant.Zusy.117642 ( B )
C:\ProgramData\Kaspersky Lab\AVP16.0.0\QB\79dc2181a2035b19.klq -> (Quarantine-6) detected: Trojan.GenericKD.3066104 ( B )
C:\ProgramData\Kaspersky Lab\AVP16.0.0\QB\9f69a38b3c4aeec6.klq -> (Quarantine-6) detected: Gen:Variant.Zusy.117642 ( B )
C:\ProgramData\Kaspersky Lab\AVP16.0.0\QB\88bc1bb52be428b0.klq -> (Quarantine-6) detected: Gen:Variant.Symmi.59843 ( B )
C:\Windows.old\Users\dilaaaaaaa\AppData\Local\Temp\9a4e6Osgq1.tmp detected: Gen:Variant.Application.Bundler.ExpressDownloader.3 ( B )
C:\Windows.old\Users\dilaaaaaaa\AppData\Local\Temp\KMP_4.0.1.5.exe detected: Gen:Variant.Application.Bundler.DownloadAdmin.4 ( B )
C:\Windows\KMS-R@1nhook.exe detected: Application.Patcher.T ( B )
C:\Windows\SECOH-QAD.dll detected: Riskware.NetTool (A)
D:\data dila\ALL ABOUT KULIAH\semester I\APK\ProActive.Belajar.Excel_By.Antin0da\Antin0da.exe detected: Gen:Trojan.Heur.VP.gmKfaSGGOXei ( B )
D:\master\CamStudio_Setup_v2.7.2_r326_(build_19Oct2013).exe detected: Application.Win32.InstallFree (A)
D:\master\Unlocker1.9.2.exe detected: Application.Win32.InstallTool (A)
 
Scanned 657959
Found 16
 
Scan end: 20/03/2016 09.09.10
Scan time: 2:39:02
 
D:\master\Unlocker1.9.2.exe Application.Win32.InstallTool (A)
D:\master\CamStudio_Setup_v2.7.2_r326_(build_19Oct2013).exe Application.Win32.InstallFree (A)
D:\data dila\ALL ABOUT KULIAH\semester I\APK\ProActive.Belajar.Excel_By.Antin0da\Antin0da.exe Gen:Trojan.Heur.VP.gmKfaSGGOXei ( B )
C:\Windows\SECOH-QAD.dll Riskware.NetTool (A)
C:\Windows\KMS-R@1nhook.exe Application.Patcher.T ( B )
C:\Windows.old\Users\dilaaaaaaa\AppData\Local\Temp\KMP_4.0.1.5.exe Gen:Variant.Application.Bundler.DownloadAdmin.4 ( B )
C:\Windows.old\Users\dilaaaaaaa\AppData\Local\Temp\9a4e6Osgq1.tmp Gen:Variant.Application.Bundler.ExpressDownloader.3 ( B )
C:\FRST\Quarantine\C\Users\dilaaaaaaa\AppData\Local\Temp\hibCA4B.exe.xBAD Gen:Variant.Adware.Razy.7762 ( B )
C:\FRST\Quarantine\C\Users\dilaaaaaaa\AppData\Local\Temp\hib79E0.exe.xBAD Gen:Variant.Adware.Razy.7762 ( B )
C:\FRST\Quarantine\C\Users\dilaaaaaaa\AppData\Local\Temp\hib1DF1.exe.xBAD Gen:Variant.Adware.Razy.7762 ( B )
 
Quarantined 10
 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
 
 
C:\FRST\Quarantine\C\Users\dilaaaaaaa\AppData\Local\Temp\9ae6-bd3d-d34f-db40.exe.xBAD a variant of Win32/ELEX.FK potentially unwanted application
C:\FRST\Quarantine\C\Users\dilaaaaaaa\AppData\Local\Temp\{AC6BDF1F-2093-4D46-B4DF-3D72950F2149}.dll.xBAD a variant of Win32/BrowseFox.CN potentially unwanted application
C:\FRST\Quarantine\C\Users\dilaaaaaaa\AppData\Local\Temp\{BDE73365-FDFE-45A0-B46A-0848135E7792}.dll.xBAD a variant of Win32/BrowseFox.CN potentially unwanted application
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\Program Files (x86)\RayDld\ihpmServer.exe.vir a variant of Win32/ELEX.FZ potentially unwanted application
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\Program Files (x86)\RayDld\Raydld.exe.vir a variant of Win32/ELEX.GJ potentially unwanted application
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\extensions\deskCutv2@gmail.com\chrome\content\index.html.vir JS/Lightning.A potentially unwanted application
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\extensions\deskCutv2@gmail.com\chrome\content\js\lib\jquery-2.1.0.min.js.vir JS/Lightning.A potentially unwanted application
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\extensions\deskCutv2@gmail.com\chrome\content\js\module\mostgrid.js.vir JS/Lightning.A potentially unwanted application
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\extensions\deskCutv2@gmail.com\chrome\content\js\pack\common.js.vir JS/Lightning.A potentially unwanted application
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\Users\dilaaaaaaa\AppData\Roaming\Mozilla\Firefox\Profiles\3r93j3hg.default\extensions\deskCutv2@gmail.com\chrome\content\js\pack\xagainit.js.vir JS/Lightning.A potentially unwanted application
C:\Users\dilaaaaaaa\AppData\Roaming\ZHP\Quarantine\SECOH-QAD.exe Win64/HackKMS.C potentially unsafe application
C:\Windows.old\Users\dilaaaaaaa\AppData\Local\Temp\DeltaTB.exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application
C:\Windows.old\Users\dilaaaaaaa\AppData\Local\Temp\Rjzs0cunPX.exe Win32/BrowseFox.CC potentially unwanted application
C:\Windows.old\Users\dilaaaaaaa\AppData\Local\Temp\0FF79EE5-BAB0-7891-BB42-059432E63A58\Latest\BExternal.dll a variant of Win32/Toolbar.Babylon.C potentially unwanted application
C:\Windows.old\Users\dilaaaaaaa\AppData\Local\Temp\0FF79EE5-BAB0-7891-BB42-059432E63A58\Latest\IEHelper.dll Win32/Toolbar.Babylon.E potentially unwanted application
C:\Windows.old\Users\dilaaaaaaa\AppData\Local\Temp\klmbBef24xQog52cegS\299\setup.exe a variant of Win32/BrowseFox.CS potentially unwanted application
D:\back up data C\Programs\rcsetup152.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
 

 



#15 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male
  • Local time:12:39 AM

Posted 20 March 2016 - 08:57 AM

Any issues now?


Best regards
 

 


 




