
Malwarebytes not Quarantining all detected threats


This topic is locked
20 replies to this topic

#1 azhang

Posted 19 April 2016 - 07:24 PM

Recently, I downloaded an application that, when installed, came with many other attached applications, and from there my computer started acting strange. MBAM keeps on alerting me of threats, including something along the lines of rootkit.kamahuda.PUA or something like that. Can somebody take a look at my FRST logs? Thanks!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:18-04-2016
Ran by andrew (administrator) on ANDREW-PC (19-04-2016 17:42:41)
Running from C:\Users\andrew\Desktop\chemlab
Loaded Profiles: andrew (Available Profiles: andrew)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files\360\Total Security\safemon\QHActiveDefense.exe
(Qihu Software Co. Limited) C:\Program Files\360\Total Security\safemon\QHWatchdog.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Blue Coat Systems, Inc.) C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Windows\System32\PnkBstrA.exe
() C:\Windows\System32\PnkBstrB.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Brother Industries, Ltd.) C:\Program Files\Browny02\Brother\BrStMonW.exe
(Dropbox, Inc.) C:\Program Files\Dropbox\Client\Dropbox.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Flux Software LLC) C:\Users\andrew\AppData\Local\FluxSoftware\Flux\flux.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Brother Industries, Ltd.) C:\Program Files\ControlCenter4\BrCtrlCntr.exe
(Brother Industries, Ltd.) C:\Program Files\Browny02\BrYNSvc.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Brother Industries, Ltd.) C:\Program Files\ControlCenter4\BrCcUxSys.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [ControlCenter4] => C:\Program Files\ControlCenter4\BrCcBoot.exe [143360 2012-09-06] (Brother Industries, Ltd.)
HKLM\...\Run: [BrStsMon00] => C:\Program Files\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-02-13] (Apple Inc.)
HKLM\...\Run: [Dropbox] => C:\Program Files\Dropbox\Client\Dropbox.exe [23248560 2016-04-08] (Dropbox, Inc.)
HKLM\...\Run: [DelaypluginInstall] => C:\ProgramData\iSkysoft\Video Converter Ultimate\DelayPluginI.exe [1960248 2015-09-01] ()
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2015-02-13] (Apple Inc.)
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [Lyrify] => C:\Program Files\Lyrify\lyrify.exe [282624 2014-12-31] (Lyrify)
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [f.lux] => C:\Users\andrew\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [Pritc] => C:\Users\andrew\AppData\Local\Temp\is-RUT8O.tmp\print.exe <===== ATTENTION
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [osmsg] => C:\ProgramData\WindowsMsg\osmsg.exe  /DEFAULT
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [GoogleChromeAutoLaunch_3CBE92DCCA0A34C15444B20BBB1344B9] => C:\Program Files\Google\Chrome\Application\chrome.exe [748872 2016-02-09] (Google Inc.)
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\MountPoints2: {748da827-dc16-11e5-acab-0019b96c0ada} - G:\LaunchU3.exe -a
ShellExecuteHooks:  - {A5BE62CA-DE0F-4764-A0CB-4044816DB174} - C:\Program Files\tuEagles\EagleObj.dll [87416 2015-04-17] ()
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 75.75.76.76
Tcpip\..\Interfaces\{17BD128F-1C5B-44B1-B652-DEAE195C74BF}: [DhcpNameServer] 192.168.1.1 75.75.76.76
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hao.360.cn/?wd_xp1
BHO: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2009-02-06] (Zeon Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_60\bin\ssv.dll [2015-09-28] (Oracle Corporation)
BHO: iSkysoft iMedia Converter Deluxe 5.1.0 -> {AEAF002F-E6D8-4A21-ABD3-2B309B79A6CE} -> C:\ProgramData\iSkysoft\Video Converter Ultimate\WSBrowserAppMgr.dll [2015-09-01] (Wondershare)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-28] (Oracle Corporation)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: WSISVCUchrome - {78A543EB-3A61-4ED3 -  No File
 
FireFox:
========
FF ProfilePath: C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default
FF Homepage: hxxps://www.malwarebytes.org/restorebrowser/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_194.dll [2015-06-27] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1219160.dll [2015-07-22] (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-28] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-28] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-04] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1522084407-2302393789-2833657126-1000: @tools.google.com/Google Update;version=3 -> C:\Users\andrew\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-1522084407-2302393789-2833657126-1000: @tools.google.com/Google Update;version=9 -> C:\Users\andrew\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\searchplugins\blackle.xml [2014-06-02]
FF Extension: Menu Editor - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}.xpi [2014-05-14] [not signed]
FF Extension: HornTracker - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\horntracker@horntracker.com.xpi [2015-06-12]
FF Extension: Flashblock - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2015-06-12]
FF Extension: Pocket - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\isreaditlater@ideashower.com [2015-06-12]
FF Extension: Tab Scope - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\tabscope@xuldev.org.xpi [2015-06-12]
FF Extension: 360 Internet Protection - C:\Program Files\360\Total Security\safemon\webprotection_firefox [2015-09-25] [not signed]
FF Extension: iSkysoft iMedia Converter Deluxe - C:\ProgramData\iSkysoft\Video Converter Ultimate\ISVCU@iSkysoft.com [2015-10-10] [not signed]
FF Extension: Personas Plus - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\personas@christopher.beard.xpi [2015-12-16]
FF Extension: Default Theme Engine - Personas Interactive - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\btpersonas@brandthunder.com [2015-12-16]
FF Extension: Greasemonkey - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2015-12-16]
FF Extension: Dictionnaires français - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Extensions\fr-dicollecte@dictionaries.addons.mozilla.org [2015-12-16]
FF Extension: Cheevos - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Extensions\jid1-bpzDizt9E1R7nw@jetpack.xpi [2015-06-06]
FF Extension: Primary Color 1.0.1 - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Extensions\{827c2c0a-ce2d-4a63-a00a-7fc999bdedca}.xpi [2016-04-17] [not signed]
FF Extension: Adblock Plus - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-12-16]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-02-10] [not signed]
FF HKLM\...\Firefox\Extensions: [WebProtection@360safe.com] - C:\Program Files\360\Total Security\safemon\webprotection_firefox
FF HKLM\...\Firefox\Extensions: [ISVCU@iSkysoft.com] - C:\ProgramData\iSkysoft\Video Converter Ultimate\ISVCU@iSkysoft.com
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-02-09]
 
Chrome: 
=======
CHR HomePage: Profile 1 -> hxxp://www-searching.com/?s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,&prd=smw
CHR DefaultSearchURL: Profile 1 -> hxxp://www-searching.com/search.aspx?s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,&prd=smw&q={searchTerms}
CHR DefaultSearchKeyword: Profile 1 -> www-searching.com
CHR DefaultSuggestURL: Profile 1 -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.824\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\48.0.2564.109\PepperFlash\pepflashplayer.dll ()
CHR Profile: C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (MouseHunt HornTracker for Chrome) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoakbimfnggbhoplpfcpeifgbigmpepl [2015-09-22]
CHR Extension: (Google Drive) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-09-22]
CHR Extension: (YouTube) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-22]
CHR Extension: (Adblock Plus) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-09-22]
CHR Extension: (2048) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\clgddkicplcbgjfobecebadodeggpghp [2014-07-26]
CHR Extension: (Google Search) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-09-22]
CHR Extension: (EditThisCookie) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2014-09-29]
CHR Extension: (Google Docs Offline) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-22]
CHR Extension: (iNetClean porn filter - protect your family) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlegnaceckoffhpniohgnebjpllkhkbh [2015-09-22]
CHR Extension: (Pixlr Editor) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmaknaampgiegkcjlimdiidlhopknpk [2015-09-22]
CHR Extension: (DropMail Beta) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\inhencajoaopgphhgdolhfmdlghjdplp [2014-09-25]
CHR Extension: (Cut the Rope) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfbadlndcminbkfojhlimnkgaackjmdo [2014-04-08]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-09-22]
CHR Extension: (Utility functions for main add-on) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgjbbgpdcecjcfmmlgpjedodehfeepcg [2015-09-22]
CHR Extension: (MouseHunt) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmpneefkmjllddibccefaaiammnnnkeo [2014-04-08]
CHR Extension: (MuteTab) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmkbaaijgpppbokgnhhoakihofedkgcc [2015-09-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-09-22]
CHR Extension: (Flow Colors) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbnmelddedlommnmllmfhoephaidddmk [2014-04-09]
CHR Extension: (Gmail) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-22]
CHR Profile: C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Drive) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (Last Modified) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apehpgkcgpefnlpfindggfdecmgihlaj [2015-05-28]
CHR Extension: (YouTube) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Adblock Plus) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-08]
CHR Extension: (Spotify - Music for every moment) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cnkjkdjlofllcpbemipjbcpfnglbgieh [2015-09-28]
CHR Extension: (Google Search) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (NoFap Panic Button) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dgoanlacpjfionnlbhnecopndppgbkfo [2015-11-18]
CHR Extension: (Block site) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\eiimnmioipafcokbfikbljfdeojpcgbh [2016-01-18]
CHR Extension: (Google Docs Offline) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-14]
CHR Extension: (SwagButton) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm [2016-03-23]
CHR Extension: (Pixlr Editor) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\icmaknaampgiegkcjlimdiidlhopknpk [2015-10-09]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-03-17]
CHR Extension: (Lyrics Here by Rob W) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lifkpflabnobkgbjpcmocmgcajlecbcp [2016-01-02]
CHR Extension: (MouseHunt) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lmpneefkmjllddibccefaaiammnnnkeo [2014-09-29]
CHR Extension: (Lightshot (screenshot tool)) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mbniclmhobmnbdlbpiphghaielnnpgdp [2016-04-01]
CHR Extension: (Capture Webpage Screenshot Entirely. FireShot) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mcbpblocgmgfnpjjppndjkmgjaogfceg [2016-03-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Grooveshark Downloader) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ooblpjoncpjmbncgocjlnannofkjjhnp [2015-04-30] [UpdateUrl: hxxp://groovesharkdownload.net/Download/updates.xml] <==== ATTENTION
CHR Extension: (Gmail) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-30]
CHR Profile: C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2
CHR Extension: (Google Slides) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-13]
CHR Extension: (Google Docs) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-13]
CHR Extension: (Google Drive) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-13]
CHR Extension: (YouTube) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-13]
CHR Extension: (Google Search) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-13]
CHR Extension: (Google Sheets) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-13]
CHR Extension: (Google Wallet) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-13]
CHR Extension: (Gmail) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-13]
CHR Extension: (4Loot) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe [2015-01-14] [UpdateUrl: hxxp://autoupdate.chromewebtb.conduit-services.com/sb/?productId=CT3008547&extensionData=\u003Cextension_data>] <==== ATTENTION
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 bckwfs; C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [1949400 2014-01-24] (Blue Coat Systems, Inc.)
R3 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
S3 dbupdate; C:\Program Files\Dropbox\Update\DropboxUpdate.exe [136048 2015-10-06] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files\Dropbox\Update\DropboxUpdate.exe [136048 2015-10-06] (Dropbox, Inc.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75136 2014-05-30] ()
R2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [189248 2014-05-30] ()
R2 QHActiveDefense; C:\Program Files\360\Total Security\safemon\QHActiveDefense.exe [859768 2015-09-20] (QIHU 360 SOFTWARE CO. LIMITED)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-18] (Microsoft Corporation)
S2 Chlui; "C:\Users\andrew\AppData\Roaming\Tifro\Tifro.exe" -cms [X]
S2 Gipwerbasdyrjob Updater; C:\Program Files\Gipwerbasdyrjob\Suoioy.exe [X]
S2 Luxwefn; "C:\Users\andrew\AppData\Roaming\KhjurgBasla\Kiiif.exe" -cms [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker.sys [121936 2015-08-10] (360.cn)
S3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [66128 2015-09-20] (360.cn)
R1 360Box; C:\Windows\System32\DRIVERS\360Box.sys [203856 2015-09-20] (360.cn)
S3 360Camera; C:\Windows\System32\Drivers\360Camera.sys [34888 2015-04-24] (360.cn)
R1 360SelfProtection; C:\Windows\System32\drivers\360SelfProtection.sys [178384 2015-08-10] (360安全中心)
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV.sys [174672 2015-08-10] (360.cn)
R2 bckd; C:\Windows\System32\drivers\bckd.sys [106712 2014-01-24] (Blue Coat Systems, Inc.)
R0 DsArk; C:\Windows\system32\Drivers\DsArk.sys [109136 2015-09-20] (360.cn)
R1 EfiMon; C:\Windows\System32\Drivers\Efimon.sys [24296 2015-08-10] (360.cn)
R0 HookPort; C:\Windows\System32\Drivers\Hookport.sys [65872 2015-08-10] (360安全中心)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [126336 2016-03-10] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [170200 2016-04-19] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
R3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [9472 2009-07-24] (Primax Ltd)
R0 pwdrvio; C:\Windows\System32\pwdrvio.sys [17160 2015-03-05] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [13064 2015-03-05] ()
R1 qutmdserv; C:\Windows\System32\DRIVERS\qutmdrv.sys [292560 2015-08-10] (360.cn)
R1 qutmipc; C:\Windows\system32\drivers\qutmipc.sys [53960 2015-08-10] (360.cn)
R3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [193696 2014-06-03] (Jungo)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 cpuz134; \??\C:\Users\andrew\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-19 17:47 - 2016-04-19 17:47 - 00052440 _____ (Malwarebytes) C:\Windows\system32\Drivers\xpexvwry.sys
2016-04-19 17:32 - 2016-04-19 17:27 - 01726464 _____ (Farbar) C:\Users\andrew\Desktop\FRST.exe
2016-04-19 17:27 - 2016-04-19 17:42 - 00000000 ____D C:\FRST
2016-04-18 20:35 - 2015-09-20 21:10 - 00109136 _____ (360.cn) C:\Windows\system32\Drivers\DsArk.sys
2016-04-18 18:46 - 2016-04-18 18:46 - 00000000 ___HD C:\ProgramData\jlb
2016-04-18 18:43 - 2016-04-18 18:43 - 00631808 _____ C:\Windows\jlb.dat
2016-04-18 18:36 - 2016-04-18 20:28 - 00000000 ____D C:\Users\andrew\AppData\Local\Setup Wizard
2016-04-18 18:26 - 2016-04-18 18:26 - 00000000 ____D C:\Windows\system32\feeh
2016-04-18 18:24 - 2016-04-18 22:01 - 00000000 ____D C:\Users\andrew\AppData\Roaming\Tifro
2016-04-18 18:24 - 2016-04-18 22:01 - 00000000 ____D C:\Program Files\Common Files\Gravetam
2016-04-18 18:24 - 2016-04-18 18:24 - 06494208 _____ C:\Users\andrew\AppData\Roaming\agent.dat
2016-04-18 18:24 - 2016-04-18 18:24 - 01626777 _____ C:\Users\andrew\AppData\Roaming\Subair.tst
2016-04-18 18:24 - 2016-04-18 18:24 - 00072717 _____ C:\Users\andrew\AppData\Roaming\PlusOzelab.tst
2016-04-18 18:24 - 2016-04-18 18:24 - 00018432 _____ C:\Users\andrew\AppData\Roaming\Main.dat
2016-04-18 18:24 - 2016-04-18 18:24 - 00000000 ____D C:\Users\andrew\AppData\Local\Tempfolder
2016-04-18 18:24 - 2016-04-18 18:17 - 00952832 _____ C:\Users\andrew\AppData\Roaming\Subair.exe
2016-04-18 18:24 - 2016-04-18 18:17 - 00952832 _____ C:\Users\andrew\AppData\Roaming\PlusOzelab.exe
2016-04-18 18:23 - 2016-04-18 20:14 - 00000000 ____D C:\Program Files\Zirw
2016-04-18 18:23 - 2016-04-17 13:54 - 00307243 _____ ( ) C:\Windows\systwin.exe
2016-04-18 18:22 - 2016-04-18 18:22 - 00000000 ____D C:\temp
2016-04-18 18:18 - 2016-04-18 20:35 - 00000000 ____D C:\ProgramData\WindowsMsg
2016-04-18 18:18 - 2016-04-18 20:16 - 00000000 ____D C:\Users\andrew\AppData\LocalLow\Company
2016-04-18 18:18 - 2016-04-18 18:18 - 00000000 ____D C:\uninst
2016-04-18 18:17 - 2016-04-18 22:01 - 00000000 ____D C:\Program Files\Gipwerbasdyrjob
2016-04-18 18:16 - 2016-04-18 22:01 - 00000000 ____D C:\Program Files\comoBoss
2016-04-18 18:16 - 2016-04-18 20:17 - 00000000 ____D C:\Program Files\sunnyday
2016-04-18 18:16 - 2016-04-18 18:16 - 00127488 _____ C:\Users\andrew\AppData\Roaming\Installer.dat
2016-04-18 18:10 - 2016-04-18 18:10 - 00000000 __RSH C:\MSDOS.SYS
2016-04-18 18:10 - 2016-04-18 18:10 - 00000000 __RSH C:\IO.SYS
2016-04-18 17:56 - 2016-04-18 17:56 - 00000000 ____D C:\Users\andrew\AppData\LocalLow\BitTorrent
2016-04-15 17:57 - 2016-04-15 17:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-03-27 19:55 - 2016-04-19 17:37 - 00000000 ____D C:\Users\andrew\Desktop\chemlab
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-19 16:00 - 2015-06-29 13:21 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-19 15:57 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\inf
2016-04-19 15:57 - 2006-11-02 03:33 - 00786434 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-19 15:51 - 2015-10-06 22:34 - 00000000 ___RD C:\Users\andrew\Dropbox
2016-04-19 15:49 - 2006-11-02 06:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-19 15:49 - 2006-11-02 05:47 - 00003664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-19 15:49 - 2006-11-02 05:47 - 00003664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-18 22:58 - 2006-11-02 06:01 - 00032552 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-04-18 22:01 - 2015-10-12 20:57 - 00000000 ____D C:\Users\andrew\AppData\Local\Apps\2.0
2016-04-18 21:58 - 2015-10-10 16:40 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1522084407-2302393789-2833657126-1000UA.job
2016-04-18 21:58 - 2015-10-10 16:40 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1522084407-2302393789-2833657126-1000Core.job
2016-04-18 20:55 - 2006-11-02 03:23 - 00000321 _____ C:\Windows\win.ini
2016-04-18 20:54 - 2015-06-29 13:21 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-04-18 20:53 - 2015-06-29 13:21 - 00000899 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-18 20:53 - 2015-06-29 13:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-18 20:44 - 2015-04-26 15:11 - 00000000 ____D C:\ProgramData\360Quarant
2016-04-18 20:44 - 2014-04-17 11:46 - 00000000 __SHD C:\$360Section
2016-04-18 20:34 - 2015-04-26 15:10 - 00000000 ____D C:\Users\andrew\AppData\LocalLow\360WD
2016-04-18 20:26 - 2014-05-07 21:45 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-04-18 20:18 - 2013-07-29 19:08 - 00621748 _____ C:\Windows\ntbtlog.txt
2016-04-18 20:17 - 2014-05-23 17:47 - 00000000 ____D C:\Program Files\Steam
2016-04-18 18:42 - 2012-08-14 20:25 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-04-18 18:30 - 2014-04-08 17:16 - 00001989 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-18 18:30 - 2014-04-08 17:16 - 00001983 _____ C:\Users\andrew\Desktop\Google Chrome.lnk
2016-04-18 18:30 - 2014-03-26 20:37 - 00000858 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-04-18 18:30 - 2012-08-11 15:55 - 00000864 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-04-18 18:21 - 2015-10-10 16:43 - 00002283 _____ C:\Users\andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome Canary.lnk
2016-04-18 18:21 - 2015-10-10 16:43 - 00002275 _____ C:\Users\andrew\Desktop\Google Chrome Canary.lnk
2016-04-15 17:58 - 2015-10-06 22:28 - 00000000 ____D C:\Program Files\Dropbox
2016-04-15 17:50 - 2015-10-06 22:28 - 00000000 ____D C:\Users\andrew\AppData\Local\Dropbox
2016-04-14 21:53 - 2016-02-09 23:09 - 00000000 ____D C:\Users\andrew\Desktop\English 10 Essays
2016-04-06 10:18 - 2012-08-12 02:38 - 00374944 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2016-04-18 18:24 - 2016-04-18 18:24 - 6494208 _____ () C:\Users\andrew\AppData\Roaming\agent.dat
2016-04-18 18:16 - 2016-04-18 18:16 - 0127488 _____ () C:\Users\andrew\AppData\Roaming\Installer.dat
2015-11-11 16:41 - 2015-11-11 17:18 - 0000115 _____ () C:\Users\andrew\AppData\Roaming\LogFile.txt
2016-04-18 18:24 - 2016-04-18 18:24 - 0018432 _____ () C:\Users\andrew\AppData\Roaming\Main.dat
2016-04-18 18:24 - 2016-04-18 18:17 - 0952832 _____ () C:\Users\andrew\AppData\Roaming\PlusOzelab.exe
2016-04-18 18:24 - 2016-04-18 18:24 - 0072717 _____ () C:\Users\andrew\AppData\Roaming\PlusOzelab.tst
2014-05-30 18:29 - 2014-05-30 18:29 - 0138056 _____ () C:\Users\andrew\AppData\Roaming\PnkBstrK.sys
2016-04-18 18:24 - 2016-04-18 18:17 - 0952832 _____ () C:\Users\andrew\AppData\Roaming\Subair.exe
2016-04-18 18:24 - 2016-04-18 18:24 - 1626777 _____ () C:\Users\andrew\AppData\Roaming\Subair.tst
2014-04-16 19:44 - 2014-11-12 20:59 - 0000680 _____ () C:\Users\andrew\AppData\Local\d3d9caps.dat
2013-03-14 15:03 - 2015-12-16 20:47 - 0006144 _____ () C:\Users\andrew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-07-03 12:32 - 2015-07-03 12:32 - 0001456 _____ () C:\Users\andrew\AppData\Local\recently-used.xbel
2015-10-12 20:12 - 2015-10-12 20:12 - 0000000 _____ () C:\Users\andrew\AppData\Local\{040D0B43-5852-43DD-A69C-62726486FD8B}
2015-10-19 16:00 - 2015-10-19 16:00 - 0000000 _____ () C:\Users\andrew\AppData\Local\{487C405C-4A9B-49CA-84A6-E55F27406BF0}
2015-10-06 20:27 - 2015-10-06 20:27 - 0000000 _____ () C:\Users\andrew\AppData\Local\{F1DDDD1A-4598-475D-8997-9A91DF6FB76B}
 
Some files in TEMP:
====================
C:\Users\andrew\AppData\Local\Temp\9c56f343-c79a-4923-a4e0-f3f271dee84f.dll
C:\Users\andrew\AppData\Local\Temp\GUR8F03.exe
C:\Users\andrew\AppData\Local\Temp\linker.exe
C:\Users\andrew\AppData\Local\Temp\OZNP9OVKUC.exe
C:\Users\andrew\AppData\Local\Temp\YWE8A2Z88R.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll
[2014-06-23 16:03] - [2014-06-23 16:03] - 0168448 ____A (Microsoft Corporation) C83AD1F4B238BD7B1EAB80E0039F8A5E
 
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 

Edited by azhang, 19 April 2016 - 07:49 PM.



#2 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 19 April 2016 - 08:54 PM

Hi azhang :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you stayed with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • Since I'm still a trainee, all my posts have to be reviewed by an instructor prior to being posted to make sure that you receive the best assistance possible. Sorry for the inconvenience. This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Please give me a few hours to review your logs and come up with a reply.

Thank you!

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 azhang (Topic Starter)

Posted 21 April 2016 - 07:09 PM

Hi Yoan, I'd just like to tell you that I'm waiting for you here. :)



#4 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 22 April 2016 - 10:44 AM

Thanks for waiting :)

You said that Malwarebytes detected threats on your system and even warns you about them, right? Is it possible to get the logs so I can take a look at them? Basically, copy/paste all the files in the C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs folder into a new one (on your desktop), then archive (.zip) it and attach it in your next reply.

Going over your logs I noticed that you have Bittorrent and uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent and Bittorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

I also noticed that you might be running a pirated copy of Windows and/or Microsoft Office. BleepingComputer doesn't condone piracy, so I'll ask you to please get rid of any illegal loaders, activators, etc. you are using. If you don't know which one(s) I'm talking about, please let me know and I'll guide you.

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
  • Linksicle
If you have an issue when uninstalling a program, please let me know.

Outdated Programs Warning!

I noticed that you have outdated vulnerable programs installed on your system. I'll ask you to uninstall them since keeping outdated software installed on a system puts it more at risk of being infected. Otherwise, you can update them right now, and make sure that their outdated version is uninstalled after. We will reinstall these programs at the end of the clean-up if you decide to uninstall them now, and need them after.
  • Adobe Flash Player 18 ActiveX
  • Adobe Flash Player 18 NPAPI
  • Adobe Reader X (10.1.14)
If you have an issue when uninstalling a program, please let me know.

We'll start by running a FRST fix to remove the main part of the infection, and then move on with JRT and AdwCleaner. After running the FRST fix, a .zip called Upload.zip will appear on your desktop. Please leave it be until I give you further instructions regarding it.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;


Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Your next reply(ies) should include:
  • Attached .zip file containing the Malwarebytes logs I asked for;
  • Confirmation that you uninstalled the malicious and outdated program(s) listed above (if not, please let me know);
  • Copy/pasted content of the FRST fixlog;
  • Copy/pasted content of the JRT clean log;
  • Copy/pasted content of the AdwCleaner clean log;



#5 azhang (Topic Starter)

Posted 23 April 2016 - 01:25 AM

The 3 Adobe programs have been uninstalled.

For some reason, BitTorrent and uTorrent don't show up in Programs and Features, and when I try to uninstall Linksicle, Windows tells me that:
"An error occurred while trying to uninstall Linksicle. It may have already been removed. Would you like to remove it from the Programs and Features list?"

#6 azhang (Topic Starter)

Posted 23 April 2016 - 01:34 AM

Here are the MBAM, FRST, and JRT logs:

Fix result of Farbar Recovery Scan Tool (x86) Version:18-04-2016
Ran by andrew (2016-04-22 23:09:30) Run:1
Running from C:\Users\andrew\Desktop
Loaded Profiles: andrew (Available Profiles: andrew)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:

HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [Pritc] => C:\Users\andrew\AppData\Local\Temp\is-RUT8O.tmp\print.exe <===== ATTENTION
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [osmsg] => C:\ProgramData\WindowsMsg\osmsg.exe  /DEFAULT

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hao.360.cn/?wd_xp1
Handler: WSISVCUchrome - {78A543EB-3A61-4ED3 -  No File

FF Homepage: hxxps://www.malwarebytes.org/restorebrowser/
FF Extension: Primary Color 1.0.1 - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Extensions\{827c2c0a-ce2d-4a63-a00a-7fc999bdedca}.xpi [2016-04-17] [not signed]

CHR HomePage: Profile 1 -> hxxp://www-searching.com/?s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,&prd=smw
CHR DefaultSearchURL: Profile 1 -> hxxp://www-searching.com/search.aspx?s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,&prd=smw&q={searchTerms}
CHR DefaultSearchKeyword: Profile 1 -> www-searching.com
CHR DefaultSuggestURL: Profile 1 -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
CHR Extension: (SwagButton) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm [2016-03-23]
CHR Extension: (4Loot) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe [2015-01-14] [UpdateUrl: hxxp://autoupdate.chromewebtb.conduit-services.com/sb/?productId=CT3008547&extensionData=\u003Cextension_data>] <==== ATTENTION

S2 Chlui; "C:\Users\andrew\AppData\Roaming\Tifro\Tifro.exe" -cms [X]
S2 Gipwerbasdyrjob Updater; C:\Program Files\Gipwerbasdyrjob\Suoioy.exe [X]
S2 Luxwefn; "C:\Users\andrew\AppData\Roaming\KhjurgBasla\Kiiif.exe" -cms [X]

Task: {3B6295DF-9BCF-48B0-AB8B-795EEC6FDE16} - System32\Tasks\Pritc => C:\Users\andrew\AppData\Local\Temp\is-RUT8O.tmp\print.exe <==== ATTENTION
Task: {9FD137F8-DD79-42B8-A43F-4615B283EDFD} - \Osoiiwp -> No File <==== ATTENTION
Task: {58FC70FD-E4DD-40DB-B2BF-EA6E34369CA8} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-10-10] ()

ShortcutWithArgument: C:\Users\andrew\Desktop\Google Chrome Canary.lnk -> C:\Users\andrew\AppData\Local\Google\Chrome SxS\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,
ShortcutWithArgument: C:\Users\andrew\Desktop\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
ShortcutWithArgument: C:\Users\andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome Canary.lnk -> C:\Users\andrew\AppData\Local\Google\Chrome SxS\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,
ShortcutWithArgument: C:\Users\andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Chrome App Launcher.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,
ShortcutWithArgument: C:\Users\andrew\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome App Launcher.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,
ShortcutWithArgument: C:\Users\andrew\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome Canary.lnk -> C:\Users\andrew\AppData\Local\Google\Chrome SxS\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,
ShortcutWithArgument: C:\Users\andrew\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
ShortcutWithArgument: C:\Users\andrew\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%

C:\temp
C:\uninst
C:\Program Files\Gipwerbasdyrjob
C:\Program Files\comoBoss
C:\Program Files\sunnyday
C:\Program Files\Common Files\Gravetam
C:\ProgramData\jlb
C:\ProgramData\WindowsMsg
C:\Program Files\Zirw
C:\Users\andrew\AppData\Local\{040D0B43-5852-43DD-A69C-62726486FD8B}
C:\Users\andrew\AppData\Local\{487C405C-4A9B-49CA-84A6-E55F27406BF0}
C:\Users\andrew\AppData\Local\{F1DDDD1A-4598-475D-8997-9A91DF6FB76B}
C:\Users\andrew\AppData\Local\Tempfolder
C:\Users\andrew\AppData\LocalLow\Company
C:\Users\andrew\AppData\Roaming\agent.dat
C:\Users\andrew\AppData\Roaming\Subair.tst
C:\Users\andrew\AppData\Roaming\PlusOzelab.tst
C:\Users\andrew\AppData\Roaming\Main.dat
C:\Users\andrew\AppData\Roaming\Tifro
C:\Users\andrew\AppData\Roaming\Subair.exe
C:\Users\andrew\AppData\Roaming\PlusOzelab.exe
C:\Users\andrew\AppData\Roaming\Installer.dat
C:\Users\andrew\AppData\Roaming\KhjurgBasla
C:\Windows\systwin.exe
C:\Windows\jlb.dat
C:\Windows\system32\feeh

Zip: C:\Users\andrew\AppData\Local\Temp\is-RUT8O.tmp\print.exe;C:\ProgramData\WindowsMsg\osmsg.exe;C:\Users\andrew\AppData\Roaming\Tifro\Tifro.exe;C:\Program Files\Gipwerbasdyrjob\Suoioy.exe;C:\Users\andrew\AppData\Roaming\KhjurgBasla\Kiiif.exe;C:\Users\andrew\AppData\Roaming\Subair.exe;C:\Users\andrew\AppData\Roaming\PlusOzelab.exe;C:\Windows\systwin.exe;

Hosts:
EmptyTemp:
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Pritc => value removed successfully.
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\Software\Microsoft\Windows\CurrentVersion\Run\\osmsg => value removed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"HKCR\PROTOCOLS\Handler\WSISVCUchrome" => key removed successfully.
Firefox "homepage" removed successfully.
C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Extensions\{827c2c0a-ce2d-4a63-a00a-7fc999bdedca}.xpi => not found.
Chrome HomePage => removed successfully.
Chrome DefaultSearchURL => removed successfully.
Chrome DefaultSearchKeyword => removed successfully.
Chrome DefaultSuggestURL => removed successfully.
C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm => moved successfully
C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe <==== ATTENTION => not found.
Chlui => service removed successfully.
Gipwerbasdyrjob Updater => service removed successfully.
Luxwefn => service removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3B6295DF-9BCF-48B0-AB8B-795EEC6FDE16}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3B6295DF-9BCF-48B0-AB8B-795EEC6FDE16}" => key removed successfully.
C:\Windows\System32\Tasks\Pritc => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Pritc" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9FD137F8-DD79-42B8-A43F-4615B283EDFD}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9FD137F8-DD79-42B8-A43F-4615B283EDFD}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Osoiiwp" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{58FC70FD-E4DD-40DB-B2BF-EA6E34369CA8}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58FC70FD-E4DD-40DB-B2BF-EA6E34369CA8}" => key removed successfully.
C:\Windows\System32\Tasks\AutoKMS => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully.
C:\Users\andrew\Desktop\Google Chrome Canary.lnk => Shortcut argument removed successfully..
C:\Users\andrew\Desktop\Google Chrome.lnk => Shortcut argument removed successfully..
C:\Users\andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome Canary.lnk => Shortcut argument removed successfully..
C:\Users\andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Chrome App Launcher.lnk => Shortcut argument removed successfully..
C:\Users\andrew\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome App Launcher.lnk => Shortcut argument removed successfully..
C:\Users\andrew\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome Canary.lnk => Shortcut argument removed successfully..
C:\Users\andrew\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully..
C:\Users\andrew\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully..
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\Users\Public\Desktop\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\temp => moved successfully
C:\uninst => moved successfully
C:\Program Files\Gipwerbasdyrjob => moved successfully
C:\Program Files\comoBoss => moved successfully
C:\Program Files\sunnyday => moved successfully
C:\Program Files\Common Files\Gravetam => moved successfully
C:\ProgramData\jlb => moved successfully
C:\ProgramData\WindowsMsg => moved successfully
C:\Program Files\Zirw => moved successfully
C:\Users\andrew\AppData\Local\{040D0B43-5852-43DD-A69C-62726486FD8B} => moved successfully
C:\Users\andrew\AppData\Local\{487C405C-4A9B-49CA-84A6-E55F27406BF0} => moved successfully
C:\Users\andrew\AppData\Local\{F1DDDD1A-4598-475D-8997-9A91DF6FB76B} => moved successfully
C:\Users\andrew\AppData\Local\Tempfolder => moved successfully
C:\Users\andrew\AppData\LocalLow\Company => moved successfully
C:\Users\andrew\AppData\Roaming\agent.dat => moved successfully
C:\Users\andrew\AppData\Roaming\Subair.tst => moved successfully
C:\Users\andrew\AppData\Roaming\PlusOzelab.tst => moved successfully
C:\Users\andrew\AppData\Roaming\Main.dat => moved successfully
C:\Users\andrew\AppData\Roaming\Tifro => moved successfully
C:\Users\andrew\AppData\Roaming\Subair.exe => moved successfully
C:\Users\andrew\AppData\Roaming\PlusOzelab.exe => moved successfully
C:\Users\andrew\AppData\Roaming\Installer.dat => moved successfully
"C:\Users\andrew\AppData\Roaming\KhjurgBasla" => not found.
C:\Windows\systwin.exe => moved successfully
C:\Windows\jlb.dat => moved successfully
C:\Windows\system32\feeh => moved successfully
================== Zip: ===================
"C:\Users\andrew\AppData\Local\Temp\is-RUT8O.tmp\print.exe" -> not found
"C:\ProgramData\WindowsMsg\osmsg.exe" -> not found
"C:\Users\andrew\AppData\Roaming\Tifro\Tifro.exe" -> not found
"C:\Program Files\Gipwerbasdyrjob\Suoioy.exe" -> not found
"C:\Users\andrew\AppData\Roaming\KhjurgBasla\Kiiif.exe" -> not found
"C:\Users\andrew\AppData\Roaming\Subair.exe" -> not found
"C:\Users\andrew\AppData\Roaming\PlusOzelab.exe" -> not found
"C:\Windows\systwin.exe" -> not found
"" -> not found
=========== Zip: End ===========
Hosts restored successfully.
EmptyTemp: => 1.2 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 23:11:58 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.5 (04.20.2016)
Operating System: Windows Vista (TM) Home Premium x86 
Ran by andrew (Administrator) on Fri 04/22/2016 at 23:19:00.05
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 24 

Successfully deleted: C:\Program Files\mozilla firefox\defaults\pref\itms.js (File) 
Successfully deleted: C:\ProgramData\paretologic\regcure pro (Folder) 
Successfully deleted: C:\ProgramData\thunder network (Folder) 
Successfully deleted: C:\Users\andrew\AppData\Local\nativemessaging (Folder) 
Successfully deleted: C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\btpersonas@brandthunder.com\searchplugins\btpisearch.xml (File) 
Successfully deleted: C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\isreaditlater@ideashower.com (Folder) 
Successfully deleted: C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Invalidprefs.js (File) 
Successfully deleted: C:\Users\andrew\AppData\Roaming\paretologic\regcure pro (Folder) 
Successfully deleted: C:\Users\andrew\AppData\Roaming\systweak (Folder) 
Successfully deleted: C:\Users\andrew\Start Menu\Programs\play games online.url (Shortcut) 
Successfully deleted: C:\Users\Public\thunder network (Folder) 
Successfully deleted: C:\Windows\couponprinter.ocx (File) 
Successfully deleted: C:\Windows\reimage.ini (File) 
Successfully deleted: C:\Windows\System32\ai_recyclebin (Folder) 
Successfully deleted: C:\Program Files\002 (Folder) 
Successfully deleted: C:\Program Files\coupons (Folder) 
Successfully deleted: C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ODR6GAM (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CBLR9W1Y (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S082Z040 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH5ZO4OU (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ODR6GAM (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CBLR9W1Y (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S082Z040 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH5ZO4OU (Temporary Internet Files Folder) 



Registry: 2 

Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_3CBE92DCCA0A34C15444B20BBB1344B9 (Registry Value) 
Successfully deleted: HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\jid1-xnaj4kgyf5wyhg@jetpack (Registry Value) 




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 04/22/2016 at 23:27:34.10
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
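The fixlog above mixes several persistence mechanisms: a Run value and a scheduled task pointing at the same print.exe in a Temp folder, S2 services whose binaries are already gone (FRST marks those with [X]), Chrome home page and search settings pointing at www-searching.com, and browser shortcuts whose target is the legitimately signed chrome.exe but whose argument is a URL. The .lnk files, not the browser, are what was tampered with, and the Canary shortcut spells the host as www%2dsearching.com, the percent-encoded form of the hyphen. As an added example that is not part of this thread and not FRST's own code, here is a small Python triage parser for those line shapes: it refangs hxxp, percent-decodes the host so both spellings of the domain group together, and flags FRST's ATTENTION markers plus any shortcut carrying a URL argument. The SAMPLE text is constructed from lines in the shape of the log above, and the regular expressions are my own reading of that format.

```python
"""Triage persistence and browser-hijack entries from FRST log lines.

Added example, not FRST's own code: the regexes are one reading of the line
shapes FRST prints (Run values, services, tasks, ShortcutWithArgument, CHR/FF).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample in the shape of the fixlog above (hxxp is FRST's defanging).
SAMPLE = r"""
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [Pritc] => C:\Users\andrew\AppData\Local\Temp\is-RUT8O.tmp\print.exe <===== ATTENTION
S2 Chlui; "C:\Users\andrew\AppData\Roaming\Tifro\Tifro.exe" -cms [X]
Task: {3B6295DF-9BCF-48B0-AB8B-795EEC6FDE16} - System32\Tasks\Pritc => C:\Users\andrew\AppData\Local\Temp\is-RUT8O.tmp\print.exe <==== ATTENTION
ShortcutWithArgument: C:\Users\andrew\Desktop\Google Chrome Canary.lnk -> C:\Users\andrew\AppData\Local\Google\Chrome SxS\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,
ShortcutWithArgument: C:\Users\andrew\Desktop\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
CHR HomePage: Profile 1 -> hxxp://www-searching.com/?s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,&prd=smw
CHR DefaultSearchURL: Profile 1 -> hxxp://www-searching.com/search.aspx?s=G4Jztutbl11AK,1494aeb1-b6c8-49d9-86d6-85950b4125bf,&prd=smw&q={searchTerms}
"""

ATTN = r"(?P<attn> <=+ ATTENTION)?$"  # FRST's own "look here" marker
RUN_RE = re.compile(r"^HK\w+\\.*\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.*?)" + ATTN)
SVC_RE = re.compile(r"^S\d (?P<name>[^;]+); (?P<target>.*?)(?P<missing> \[X\])?$")
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.*?) (?:=>|->) (?P<target>.*?)" + ATTN)
SC_RE = re.compile(r"^ShortcutWithArgument: (?P<name>.+?\.lnk) -> (?P<target>.+?) -> (?P<arg>.*)$")
BROWSER_RE = re.compile(r"^(?:CHR|FF) (?P<name>\w+): (?P<target>.*)$")
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+", re.I)


@dataclass
class Finding:
    kind: str                       # run | service | task | shortcut | browser
    name: str                       # value name, service name, task path, .lnk, setting
    target: str                     # what it launches / the recorded value
    argument: Optional[str] = None  # shortcut argument, if any
    domain: Optional[str] = None    # normalised host of any URL found
    flagged: bool = False           # FRST ATTENTION, or a shortcut with a URL argument
    missing: bool = False           # FRST [X]: the service binary no longer exists


def hijack_domain(text: str) -> Optional[str]:
    """Host of the first (possibly defanged) URL in text, or None.

    Refangs hxxp -> http and percent-decodes the host, so the shortcut's
    www%2dsearching.com and the search setting's www-searching.com agree.
    """
    m = URL_RE.search(text)
    if not m:
        return None
    url = re.sub(r"^hxxp", "http", m.group(0), flags=re.I)
    host = urlsplit(url).netloc.rsplit("@", 1)[-1].split(":", 1)[0]
    return unquote(host).lower() or None


def parse_line(line: str) -> Optional[Finding]:
    """Classify one FRST line; None for lines this triage does not care about."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return Finding("run", m["name"], m["target"], flagged=bool(m["attn"]))
    m = SVC_RE.match(line)
    if m:
        return Finding("service", m["name"], m["target"], missing=bool(m["missing"]))
    m = TASK_RE.match(line)
    if m:
        return Finding("task", m["name"], m["target"], flagged=bool(m["attn"]))
    m = SC_RE.match(line)
    if m:
        # The target is the real, signed browser; the tampering is the URL the
        # .lnk passes to it, so a URL argument is itself the finding.
        domain = hijack_domain(m["arg"])
        return Finding("shortcut", m["name"], m["target"], m["arg"], domain,
                       flagged=domain is not None)
    m = BROWSER_RE.match(line)
    if m:
        return Finding("browser", m["name"], m["target"], domain=hijack_domain(m["target"]))
    return None


def parse_frst(text: str) -> List[Finding]:
    """Parse a whole FRST log / fixlist, keeping only classified lines."""
    return [f for f in (parse_line(raw) for raw in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count how many findings point at each hijack domain."""
    return dict(Counter(f.domain for f in findings if f.domain))


if __name__ == "__main__":
    found = parse_frst(SAMPLE)
    for f in found:
        mark = "!" if f.flagged else ("x" if f.missing else " ")
        print(f"{mark} {f.kind:<8} {f.name}  ->  {f.domain or f.target}")
    print("hijack domains:", summarize(found))
```

Run it as-is against SAMPLE, or feed it a real FRST.txt or Fixlog.txt via parse_frst(open(path, encoding="utf-8").read()). Anything flagged with "!" is either an FRST ATTENTION entry or a browser shortcut that launches to a URL; the domain tally at the end shows how many separate settings and shortcuts a single hijacker has touched, which is the checklist to re-verify after a clean-up.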


#7 azhang (Topic Starter)

Posted 23 April 2016 - 01:48 AM

AdwCleaner Log:

# AdwCleaner v5.112 - Logfile created 22/04/2016 at 23:42:19
# Updated 17/04/2016 by Xplode
# Database : 2016-04-19.5 [Server]
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (X86)
# Username : andrew - ANDREW-PC
# Running from : C:\Users\andrew\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\ParetoLogic
[#] Folder Deleted : C:\ProgramData\Application Data\ParetoLogic
[-] Folder Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm
[-] Folder Deleted : C:\Users\andrew\AppData\Roaming\Activeris
[-] Folder Deleted : C:\Users\andrew\AppData\Roaming\Gameo
[-] Folder Deleted : C:\Users\andrew\AppData\Roaming\ParetoLogic
[-] Folder Deleted : C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\FCTB

***** [ Files ] *****

[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\chrome-extension_gngocbkfmikdgphklgmmehbjjlfgdemm_0.localstorage
[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\chrome-extension_gngocbkfmikdgphklgmmehbjjlfgdemm_0.localstorage-journal
[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\hxxp_www-searching.com_0.localstorage
[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\hxxp_www-searching.com_0.localstorage-journal
[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage
[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage-journal
[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\hxxp_www.veoh.com_0.localstorage
[-] File Deleted : C:\Users\andrew\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\hxxp_www.veoh.com_0.localstorage-journal

***** [ DLLs ] *****

[-] File Disinfected : C:\Windows\system32\dnsapi.dll

***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\mysearchdial.mysearchdialappCore.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine
[-] Key Deleted : HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4ED063C9-4A0B-4B44-A9DC-23AFF424A0D3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C358B3D0-B911-41E3-A276-E7D43A6BA56D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6EC77D09-02CB-4E1F-E3C4-FB141B2610B3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{79F768ED-0B12-42EF-8257-36751A0ECF3A}]
[-] Key Deleted : HKCU\Software\360Chrome
[-] Key Deleted : HKCU\Software\Appscion
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\Optimizer Pro
[-] Key Deleted : HKCU\Software\ParetoLogic
[-] Key Deleted : HKCU\Software\Reimage
[-] Key Deleted : HKCU\Software\SoftSuma
[-] Key Deleted : HKCU\Software\Store
[-] Key Deleted : HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[-] Key Deleted : HKCU\Software\osTip
[-] Key Deleted : HKCU\Software\MICROSOFT\OTUT
[-] Key Deleted : HKCU\Software\systweak
[-] Key Deleted : HKCU\Software\MICROSOFT\IDSC
[-] Key Deleted : HKCU\Software\AppDataLow\Software\CompeteInc
[-] Key Deleted : HKLM\SOFTWARE\MPC
[-] Key Deleted : HKLM\SOFTWARE\ParetoLogic
[-] Key Deleted : HKLM\SOFTWARE\Reimage
[-] Key Deleted : HKLM\SOFTWARE\SearchModule
[-] Key Deleted : HKLM\SOFTWARE\SecureWebChannel
[-] Key Deleted : HKLM\SOFTWARE\systweak
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Linksicle
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Faster Web
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\mysearchdial
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\News
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\OneSystemCare
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SOUNDPLUS
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{6C982C47-D0BD-4977-93B0-8323ADB34940}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{A4AC3970-2F2D-484A-B996-9399A3851B02}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{3A0649B0-7B2C-464B-8769-E41B921580CF}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{76BEBC84-CF60-4B59-B8F8-D62649DAC43F}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{23BDC5BD-DD4E-46F4-927A-C18D46AB47CE}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{B1ED61AD-6035-4F17-8755-CFB78E8B365A}]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\pastaleads.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www-searching.com

***** [ Web browsers ] *****

[-] [C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\prefs.js] Deleted : user_pref("extensions.brandthunder.websearchplus", false);

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [9109 bytes] - [22/04/2016 23:42:19]
C:\AdwCleaner\AdwCleaner[S1].txt - [353 bytes] - [22/04/2016 23:37:19]
C:\AdwCleaner\AdwCleaner[S2].txt - [11039 bytes] - [22/04/2016 23:38:28]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [9328 bytes] ##########


#8 azhang

azhang
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:21 AM

Posted 23 April 2016 - 01:54 AM

I also noticed that you might be running a pirated copy of Windows and/or Microsoft Office. BleepingComputer doesn't condone piracy, so I'll ask you to please get rid of any illegal loaders, activators, etc. you are using. If you don't know which one(s) I'm talking about, please let me know and I'll guide you.

Please guide me!



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,662 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:21 AM

Posted 23 April 2016 - 11:58 AM

Thank you for the logs :)

For some reason, bittorrent and utorrent don't show up in the programs and features


You most likely never installed them, and just ran their executables, or you uninstalled them in the past.
 

and when I try to uninstall Linksicle, Windows tells me that:
"an error occurred while trying to uninstall Linksicle. It may have already been removed. Would you like to remove it from the programs and features list?"


This means that Linksicle was already uninstalled from your system, so it's good.

Now, let's see if Malwarebytes still has anything to report, and we'll also throw in an Emsisoft Emergency Kit scan. Once done, we'll get a fresh set of FRST logs to see how things look.

Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open and suggest that you run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and agree to let Emsisoft Emergency Kit detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;
Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open;
  • Copy and paste the content of FRST.txt in your next reply, and attach Addition.txt to it;
After running all these scans, how is your computer running now? Is Malwarebytes still reporting threats? Were there any other issues to address?

Your next reply(ies) should include:
  • Copy/pasted content of the Malwarebytes clean log;
  • Copy/pasted content of the Emsisoft Emergency Kit log;
  • Copy/pasted content of the FRST.txt log;
  • Copy/pasted content of the Addition.txt log;
  • Answer to my questions about your computer, Malwarebytes and other issues remaining (if any);

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 azhang

azhang
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:21 AM

Posted 23 April 2016 - 02:23 PM

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/23/2016
Scan Time: 11:57:01 AM
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.04.23.05
Rootkit Database: v2016.04.17.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: andrew
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 313142
Time Elapsed: 27 min, 18 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#11 azhang

azhang
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:21 AM

Posted 23 April 2016 - 02:31 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:18-04-2016
Ran by andrew (administrator) on ANDREW-PC (23-04-2016 12:28:33)
Running from C:\Users\andrew\Desktop
Loaded Profiles: andrew (Available Profiles: andrew)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files\360\Total Security\safemon\QHActiveDefense.exe
(Qihu Software Co. Limited) C:\Program Files\360\Total Security\safemon\QHWatchdog.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Blue Coat Systems, Inc.) C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Windows\System32\PnkBstrA.exe
() C:\Windows\System32\PnkBstrB.exe
(Brother Industries, Ltd.) C:\Program Files\Browny02\Brother\BrStMonW.exe
(Dropbox, Inc.) C:\Program Files\Dropbox\Client\Dropbox.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Flux Software LLC) C:\Users\andrew\AppData\Local\FluxSoftware\Flux\flux.exe
(Brother Industries, Ltd.) C:\Program Files\ControlCenter4\BrCtrlCntr.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Brother Industries, Ltd.) C:\Program Files\Browny02\BrYNSvc.exe
(Brother Industries, Ltd.) C:\Program Files\ControlCenter4\BrCcUxSys.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [ControlCenter4] => C:\Program Files\ControlCenter4\BrCcBoot.exe [143360 2012-09-06] (Brother Industries, Ltd.)
HKLM\...\Run: [BrStsMon00] => C:\Program Files\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-02-13] (Apple Inc.)
HKLM\...\Run: [Dropbox] => C:\Program Files\Dropbox\Client\Dropbox.exe [23248560 2016-04-08] (Dropbox, Inc.)
HKLM\...\Run: [DelaypluginInstall] => C:\ProgramData\iSkysoft\Video Converter Ultimate\DelayPluginI.exe [1960248 2015-09-01] ()
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2015-02-13] (Apple Inc.)
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [Lyrify] => C:\Program Files\Lyrify\lyrify.exe [282624 2014-12-31] (Lyrify)
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [f.lux] => C:\Users\andrew\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Run: [GoogleChromeAutoLaunch_3CBE92DCCA0A34C15444B20BBB1344B9] => C:\Program Files\Google\Chrome\Application\chrome.exe [748872 2016-02-09] (Google Inc.)
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1522084407-2302393789-2833657126-1000\...\MountPoints2: {748da827-dc16-11e5-acab-0019b96c0ada} - G:\LaunchU3.exe -a
ShellExecuteHooks:  - {A5BE62CA-DE0F-4764-A0CB-4044816DB174} - C:\Program Files\tuEagles\EagleObj.dll [87416 2015-04-17] ()
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.30.dll [2016-04-08] (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 75.75.76.76
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{17BD128F-1C5B-44B1-B652-DEAE195C74BF}: [DhcpNameServer] 192.168.1.1 75.75.76.76

Internet Explorer:
==================
BHO: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2009-02-06] (Zeon Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_60\bin\ssv.dll [2015-09-28] (Oracle Corporation)
BHO: iSkysoft iMedia Converter Deluxe 5.1.0 -> {AEAF002F-E6D8-4A21-ABD3-2B309B79A6CE} -> C:\ProgramData\iSkysoft\Video Converter Ultimate\WSBrowserAppMgr.dll [2015-09-01] (Wondershare)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-28] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1219160.dll [2015-07-22] (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-28] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-28] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-04] (Google Inc.)
FF Plugin HKU\S-1-5-21-1522084407-2302393789-2833657126-1000: @tools.google.com/Google Update;version=3 -> C:\Users\andrew\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-1522084407-2302393789-2833657126-1000: @tools.google.com/Google Update;version=9 -> C:\Users\andrew\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF SearchPlugin: C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\searchplugins\blackle.xml [2014-06-02]
FF Extension: Menu Editor - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}.xpi [2014-05-14] [not signed]
FF Extension: HornTracker - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\horntracker@horntracker.com.xpi [2015-06-12]
FF Extension: Flashblock - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2015-06-12]
FF Extension: Tab Scope - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\tabscope@xuldev.org.xpi [2015-06-12]
FF Extension: 360 Internet Protection - C:\Program Files\360\Total Security\safemon\webprotection_firefox [2015-09-25] [not signed]
FF Extension: iSkysoft iMedia Converter Deluxe - C:\ProgramData\iSkysoft\Video Converter Ultimate\ISVCU@iSkysoft.com [2015-10-10] [not signed]
FF Extension: Personas Plus - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\personas@christopher.beard.xpi [2015-12-16]
FF Extension: Greasemonkey - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2015-12-16]
FF Extension: Default Theme Engine - Personas Interactive - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\extensions\btpersonas@brandthunder.com [2015-12-16]
FF Extension: Dictionnaires français - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Extensions\fr-dicollecte@dictionaries.addons.mozilla.org [2015-12-16]
FF Extension: Cheevos - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Extensions\jid1-bpzDizt9E1R7nw@jetpack.xpi [2015-06-06]
FF Extension: Adblock Plus - C:\Users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\eom23nht.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-12-16]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-02-10] [not signed]
FF HKLM\...\Firefox\Extensions: [WebProtection@360safe.com] - C:\Program Files\360\Total Security\safemon\webprotection_firefox
FF HKLM\...\Firefox\Extensions: [ISVCU@iSkysoft.com] - C:\ProgramData\iSkysoft\Video Converter Ultimate\ISVCU@iSkysoft.com

Chrome: 
=======
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.824\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\48.0.2564.109\PepperFlash\pepflashplayer.dll ()
CHR Profile: C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (MouseHunt HornTracker for Chrome) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoakbimfnggbhoplpfcpeifgbigmpepl [2015-09-22]
CHR Extension: (Google Drive) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-09-22]
CHR Extension: (YouTube) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-22]
CHR Extension: (Adblock Plus) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-09-22]
CHR Extension: (2048) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\clgddkicplcbgjfobecebadodeggpghp [2014-07-26]
CHR Extension: (Google Search) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-09-22]
CHR Extension: (EditThisCookie) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2014-09-29]
CHR Extension: (Google Docs Offline) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-22]
CHR Extension: (iNetClean porn filter - protect your family) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlegnaceckoffhpniohgnebjpllkhkbh [2015-09-22]
CHR Extension: (Pixlr Editor) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmaknaampgiegkcjlimdiidlhopknpk [2015-09-22]
CHR Extension: (DropMail Beta) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\inhencajoaopgphhgdolhfmdlghjdplp [2014-09-25]
CHR Extension: (Cut the Rope) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfbadlndcminbkfojhlimnkgaackjmdo [2014-04-08]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-09-22]
CHR Extension: (Utility functions for main add-on) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgjbbgpdcecjcfmmlgpjedodehfeepcg [2015-09-22]
CHR Extension: (MouseHunt) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmpneefkmjllddibccefaaiammnnnkeo [2014-04-08]
CHR Extension: (MuteTab) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmkbaaijgpppbokgnhhoakihofedkgcc [2015-09-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-09-22]
CHR Extension: (Flow Colors) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbnmelddedlommnmllmfhoephaidddmk [2014-04-09]
CHR Extension: (Gmail) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-22]
CHR Profile: C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Drive) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (Last Modified) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apehpgkcgpefnlpfindggfdecmgihlaj [2015-05-28]
CHR Extension: (YouTube) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Adblock Plus) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-08]
CHR Extension: (Spotify - Music for every moment) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cnkjkdjlofllcpbemipjbcpfnglbgieh [2015-09-28]
CHR Extension: (Google Search) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Block site) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\eiimnmioipafcokbfikbljfdeojpcgbh [2016-01-18]
CHR Extension: (Google Docs Offline) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-14]
CHR Extension: (SwagButton) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm [2016-04-22]
CHR Extension: (Pixlr Editor) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\icmaknaampgiegkcjlimdiidlhopknpk [2015-10-09]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-03-17]
CHR Extension: (Lyrics Here by Rob W) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lifkpflabnobkgbjpcmocmgcajlecbcp [2016-01-02]
CHR Extension: (MouseHunt) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lmpneefkmjllddibccefaaiammnnnkeo [2014-09-29]
CHR Extension: (Lightshot (screenshot tool)) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mbniclmhobmnbdlbpiphghaielnnpgdp [2016-04-01]
CHR Extension: (Capture Webpage Screenshot Entirely. FireShot) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mcbpblocgmgfnpjjppndjkmgjaogfceg [2016-03-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Grooveshark Downloader) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ooblpjoncpjmbncgocjlnannofkjjhnp [2015-04-30] [UpdateUrl: hxxp://groovesharkdownload.net/Download/updates.xml] <==== ATTENTION
CHR Extension: (Gmail) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-30]
CHR Profile: C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2
CHR Extension: (Google Slides) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-13]
CHR Extension: (Google Docs) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-13]
CHR Extension: (Google Drive) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-13]
CHR Extension: (YouTube) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-13]
CHR Extension: (Google Search) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-13]
CHR Extension: (Google Sheets) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-13]
CHR Extension: (Google Wallet) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-13]
CHR Extension: (Gmail) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-13]
CHR Extension: (4Loot) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe [2015-01-14] [UpdateUrl: hxxp://autoupdate.chromewebtb.conduit-services.com/sb/?productId=CT3008547&extensionData=\u003Cextension_data>] <==== ATTENTION

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 bckwfs; C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [1949400 2014-01-24] (Blue Coat Systems, Inc.)
R3 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
S3 dbupdate; C:\Program Files\Dropbox\Update\DropboxUpdate.exe [136048 2015-10-06] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files\Dropbox\Update\DropboxUpdate.exe [136048 2015-10-06] (Dropbox, Inc.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75136 2014-05-30] ()
R2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [189248 2014-05-30] ()
R2 QHActiveDefense; C:\Program Files\360\Total Security\safemon\QHActiveDefense.exe [859768 2015-09-20] (QIHU 360 SOFTWARE CO. LIMITED)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-18] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker.sys [121936 2015-08-10] (360.cn)
S3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [66128 2015-09-20] (360.cn)
R1 360Box; C:\Windows\System32\DRIVERS\360Box.sys [203856 2015-09-20] (360.cn)
S3 360Camera; C:\Windows\System32\Drivers\360Camera.sys [34888 2015-04-24] (360.cn)
R1 360SelfProtection; C:\Windows\System32\drivers\360SelfProtection.sys [178384 2015-08-10] (360安全中心)
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV.sys [174672 2015-08-10] (360.cn)
R2 bckd; C:\Windows\System32\drivers\bckd.sys [106712 2014-01-24] (Blue Coat Systems, Inc.)
R0 DsArk; C:\Windows\system32\Drivers\DsArk.sys [109136 2015-09-20] (360.cn)
R1 EfiMon; C:\Windows\System32\Drivers\Efimon.sys [24296 2015-08-10] (360.cn)
R0 HookPort; C:\Windows\System32\Drivers\Hookport.sys [65872 2015-08-10] (360安全中心)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [126336 2016-03-10] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-04-23] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
R3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [9472 2009-07-24] (Primax Ltd)
R0 pwdrvio; C:\Windows\System32\pwdrvio.sys [17160 2015-03-05] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [13064 2015-03-05] ()
R1 qutmdserv; C:\Windows\System32\DRIVERS\qutmdrv.sys [292560 2015-08-10] (360.cn)
R1 qutmipc; C:\Windows\system32\drivers\qutmipc.sys [53960 2015-08-10] (360.cn)
R3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [193696 2014-06-03] (Jungo)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 cpuz134; \??\C:\Users\andrew\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-23 12:25 - 2016-04-23 12:27 - 00000000 ____D C:\EEK
2016-04-23 11:55 - 2016-04-23 11:56 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-23 11:54 - 2016-04-23 11:54 - 00000899 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-23 11:54 - 2016-04-23 11:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-23 11:54 - 2016-04-23 11:54 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-04-23 11:54 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-04-23 11:54 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-23 11:54 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-04-23 11:17 - 2016-04-23 11:19 - 229419792 _____ C:\Users\andrew\Desktop\EmsisoftEmergencyKit.exe
2016-04-22 23:36 - 2016-04-22 23:42 - 00000000 ____D C:\AdwCleaner
2016-04-22 23:36 - 2016-04-22 23:36 - 03683904 _____ C:\Users\andrew\Desktop\AdwCleaner.exe
2016-04-22 23:27 - 2016-04-22 23:27 - 00003517 _____ C:\Users\andrew\Desktop\JRT.txt
2016-04-22 23:17 - 2016-04-22 23:17 - 01610008 _____ (Malwarebytes) C:\Users\andrew\Desktop\JRT.exe
2016-04-22 23:11 - 2016-04-22 23:11 - 00000022 _____ C:\Users\andrew\Desktop\Upload.zip
2016-04-22 23:09 - 2016-04-22 23:11 - 00012780 _____ C:\Users\andrew\Desktop\Fixlog.txt
2016-04-22 23:08 - 2016-04-22 23:08 - 00236759 _____ C:\Users\andrew\Desktop\Malwarebytes Logs.zip
2016-04-19 17:37 - 2016-04-19 17:48 - 00049263 _____ C:\Users\andrew\Desktop\Addition.txt
2016-04-19 17:31 - 2016-04-23 12:29 - 00024656 _____ C:\Users\andrew\Desktop\FRST.txt
2016-04-19 17:27 - 2016-04-23 12:28 - 00000000 ____D C:\FRST
2016-04-19 17:27 - 2016-04-19 17:27 - 01726464 _____ (Farbar) C:\Users\andrew\Desktop\FRST.exe
2016-04-18 20:35 - 2015-09-20 21:10 - 00109136 _____ (360.cn) C:\Windows\system32\Drivers\DsArk.sys
2016-04-18 18:36 - 2016-04-18 20:28 - 00000000 ____D C:\Users\andrew\AppData\Local\Setup Wizard
2016-04-18 18:10 - 2016-04-18 18:10 - 00000000 __RSH C:\MSDOS.SYS
2016-04-18 18:10 - 2016-04-18 18:10 - 00000000 __RSH C:\IO.SYS
2016-04-18 17:56 - 2016-04-18 17:56 - 00000000 ____D C:\Users\andrew\AppData\LocalLow\BitTorrent
2016-04-15 17:57 - 2016-04-15 17:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-03-27 19:55 - 2016-04-20 22:33 - 00000000 ____D C:\Users\andrew\Desktop\chemlab

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-23 11:36 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\inf
2016-04-23 11:36 - 2006-11-02 03:33 - 00786434 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-23 11:33 - 2015-10-06 22:34 - 00000000 ___RD C:\Users\andrew\Dropbox
2016-04-23 11:28 - 2006-11-02 06:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-23 11:28 - 2006-11-02 05:47 - 00003664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-23 11:28 - 2006-11-02 05:47 - 00003664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-23 11:27 - 2006-11-02 06:01 - 00032552 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-04-22 23:10 - 2015-10-10 16:43 - 00002095 _____ C:\Users\andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome Canary.lnk
2016-04-22 23:10 - 2015-10-10 16:43 - 00002087 _____ C:\Users\andrew\Desktop\Google Chrome Canary.lnk
2016-04-22 23:10 - 2014-04-08 17:20 - 00000000 ____D C:\Users\andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2016-04-22 23:10 - 2014-04-08 17:16 - 00001983 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-22 23:10 - 2014-04-08 17:16 - 00001971 _____ C:\Users\andrew\Desktop\Google Chrome.lnk
2016-04-22 23:10 - 2014-03-26 20:37 - 00000846 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-04-22 23:10 - 2012-08-11 15:55 - 00000858 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-04-22 23:04 - 2012-08-14 20:25 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-04-22 23:04 - 2012-08-14 20:19 - 00000000 ____D C:\ProgramData\Adobe
2016-04-20 22:01 - 2016-01-16 13:05 - 00000000 ____D C:\Users\andrew\Desktop\Chemistry semester 1 pptx
2016-04-18 22:01 - 2015-10-12 20:57 - 00000000 ____D C:\Users\andrew\AppData\Local\Apps\2.0
2016-04-18 21:58 - 2015-10-10 16:40 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1522084407-2302393789-2833657126-1000UA.job
2016-04-18 21:58 - 2015-10-10 16:40 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1522084407-2302393789-2833657126-1000Core.job
2016-04-18 20:55 - 2006-11-02 03:23 - 00000321 _____ C:\Windows\win.ini
2016-04-18 20:44 - 2015-04-26 15:11 - 00000000 ____D C:\ProgramData\360Quarant
2016-04-18 20:44 - 2014-04-17 11:46 - 00000000 __SHD C:\$360Section
2016-04-18 20:34 - 2015-04-26 15:10 - 00000000 ____D C:\Users\andrew\AppData\LocalLow\360WD
2016-04-18 20:26 - 2014-05-07 21:45 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-04-18 20:18 - 2013-07-29 19:08 - 00621748 _____ C:\Windows\ntbtlog.txt
2016-04-18 20:17 - 2014-05-23 17:47 - 00000000 ____D C:\Program Files\Steam
2016-04-15 17:58 - 2015-10-06 22:28 - 00000000 ____D C:\Program Files\Dropbox
2016-04-15 17:50 - 2015-10-06 22:28 - 00000000 ____D C:\Users\andrew\AppData\Local\Dropbox
2016-04-14 21:53 - 2016-02-09 23:09 - 00000000 ____D C:\Users\andrew\Desktop\English 10 Essays
2016-04-06 10:18 - 2012-08-12 02:38 - 00374944 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Files in the root of some directories =======

2015-11-11 16:41 - 2015-11-11 17:18 - 0000115 _____ () C:\Users\andrew\AppData\Roaming\LogFile.txt
2014-05-30 18:29 - 2014-05-30 18:29 - 0138056 _____ () C:\Users\andrew\AppData\Roaming\PnkBstrK.sys
2014-04-16 19:44 - 2014-11-12 20:59 - 0000680 _____ () C:\Users\andrew\AppData\Local\d3d9caps.dat
2013-03-14 15:03 - 2015-12-16 20:47 - 0006144 _____ () C:\Users\andrew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-07-03 12:32 - 2015-07-03 12:32 - 0001456 _____ () C:\Users\andrew\AppData\Local\recently-used.xbel

Some files in TEMP:
====================
C:\Users\andrew\AppData\Local\Temp\libeay32.dll
C:\Users\andrew\AppData\Local\Temp\msvcr120.dll
C:\Users\andrew\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-23 11:37

==================== End of FRST.txt ============================

Edited by azhang, 23 April 2016 - 02:37 PM.


#12 azhang (Topic Starter)
  • Members
  • 19 posts
  • Gender:Male
  • Local time:02:21 AM

Posted 23 April 2016 - 02:33 PM

My computer is now running pretty smoothly, and Malwarebytes hasn't detected any threats recently. :)



#13 Aura (Bleepin' Special Ops)
  • Malware Response Team
  • 19,662 posts
  • Gender:Male
  • Local time:05:21 AM

Posted 23 April 2016 - 03:11 PM

Thank you for the logs :)

You might have noticed that EEK wouldn't launch, because you are running Windows Vista. I keep forgetting that Emsisoft dropped support for Windows XP AND Vista in version 11 of their products. My bad.

It looks like the 4Loot extension is still there in Google Chrome, so we'll delete it using FRST, and then run a last scan with ESET Online Scanner to replace EEK. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;


ESET Online Scanner
Note : If you use Internet Explorer to get the ESET Online Scanner, you won't have to download, nor install the tool, as everything will be run in a contextual (pop-up) window of Internet Explorer. However, for every other browser, you will have to download and install ESET Online Scanner. In this set of instructions, I'll use Google Chrome to download it and run it (since a lot of people will do it); however, except for the download and installation procedure, the same instructions apply if you use Internet Explorer. Please note that two or three prompts will appear if you use Internet Explorer asking you to reload the page, authorize the application, execute it, etc. Accept all of them in order to run ESET Online Scanner.
  • Download and execute ESET Online Scanner (on this window, click on ESET Smart Installer to trigger the download). People accessing this URL via Internet Explorer will start the integration process of ESET Online Scanner in their browser;
  • Once the installation is done (it requires Admin Rights), check the following settings (two of them are under Advanced Settings, click on it to display them) :
    • Enable detection of potentially unwanted applications;
    • Scan archives;
    • Scan for potentially unsafe applications;
    • Optional : If you want to scan more drives, click on Change... and select the drives you want to include in the scan;
  • After you're done checking these options, click on "Start" and ESET Online Scanner will download its virus signature database before starting the scan;
  • Once done, the scan will start automatically. Detections will appear at the bottom of the window. ESET Online Scanner can have an extremely long scan time that can last between 2 and 3 hours. So if you start the scan, do not interrupt it, let it complete until the end;
  • After the scan is finished, a summary window will appear to give you the information about the scan. Then you'll have the option to see what threats were found and to manage the threats that were quarantined;
  • Click on List of found threats, it'll display every threat identified during that scan, their type and what action was taken against them. Click on Copy to clipboard to copy these results to your clipboard and post them in your next reply;
  • Once you're done, click on the Back button, then click on the Finish button;
Your next reply(ies) should include:
  • Copy/pasted content of the FRST fixlog;
  • Copy/pasted content of the ESET Online Scanner log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
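The FRST log posted above marks two Chrome extensions with `<==== ATTENTION` because their UpdateUrl points somewhere other than the Chrome Web Store; the 4Loot entry Aura refers to is one of them. The following is an added example, not code from this thread, from FRST or from Malwarebytes: a small Python parser for FRST's `CHR Extension:` lines that reproduces that triage rule so it can be applied to a whole log at once. The three sample lines are copied from the posted log; the Web Store host name (`clients2.google.com`, Chrome's default update endpoint) and the decision to treat any other update host as worth a look are this example's own assumptions.

```python
"""Triage FRST "CHR Extension" lines by their update URL.

Added example (not part of the BleepingComputer thread, of FRST or of
Malwarebytes). FRST prints a "[UpdateUrl: ...] <==== ATTENTION" suffix on
extensions that update from outside the Chrome Web Store; this script makes
that rule explicit and checks its own verdict against FRST's flag.
"""
import re
from urllib.parse import urlparse

# Host of Chrome's default (Web Store) update endpoint. Assumption of this example.
WEBSTORE_HOSTS = {"clients2.google.com"}

CHR_LINE = re.compile(
    r"^CHR Extension: \((?P<name>.*)\) - "            # display name (may itself contain parentheses)
    r"(?P<path>.*?\\Extensions\\(?P<id>[a-p]{32}))"   # install path ending in the 32-char extension id
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2})\])?"          # install/update date
    r"(?: \[UpdateUrl: (?P<url>[^\]]+)\])?"           # only present when FRST prints one
)

# Constructed sample: three lines copied from the FRST log posted in this thread.
# "hxxp://" is FRST's defanging of "http://".
SAMPLE_LOG = r"""
CHR Extension: (Gmail) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-22]
CHR Extension: (Grooveshark Downloader) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ooblpjoncpjmbncgocjlnannofkjjhnp [2015-04-30] [UpdateUrl: hxxp://groovesharkdownload.net/Download/updates.xml] <==== ATTENTION
CHR Extension: (4Loot) - C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe [2015-01-14] [UpdateUrl: hxxp://autoupdate.chromewebtb.conduit-services.com/sb/?productId=CT3008547&extensionData=\u003Cextension_data>] <==== ATTENTION
"""


def refang(url: str) -> str:
    """Undo FRST's hxxp:// defanging so urlparse sees a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_chr_extension(line: str):
    """Parse one CHR Extension line; return None for any other kind of line."""
    m = CHR_LINE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    host = urlparse(refang(url)).hostname if url else None
    return {
        "name": m.group("name"),
        "id": m.group("id"),
        "path": m.group("path"),
        "date": m.group("date"),
        "update_url": url,
        "update_host": host,
        # Our verdict: an update host outside the Web Store deserves a look.
        "suspicious": host is not None and host not in WEBSTORE_HOSTS,
        # FRST's own verdict, kept so the two can be compared.
        "frst_flag": "<==== ATTENTION" in line,
    }


def triage(log_text: str) -> list:
    """Parse every CHR Extension line in an FRST log, skipping everything else."""
    rows = []
    for line in log_text.splitlines():
        row = parse_chr_extension(line)
        if row:
            rows.append(row)
    return rows


def suspicious_extensions(log_text: str) -> list:
    """Names of the extensions whose update host is not the Web Store."""
    return [r["name"] for r in triage(log_text) if r["suspicious"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        verdict = "ATTENTION" if r["suspicious"] else "ok"
        print(f"{verdict:9} {r['id']} {r['name']!r} update_host={r['update_host']}")
```

Run it against a saved FRST.txt by reading the file into `triage()`; lines that are not `CHR Extension:` entries are ignored, so the whole log can be fed in unfiltered. Extensions with no UpdateUrl printed are left alone, since FRST only shows that field when it has something to say about it.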


#14 azhang (Topic Starter)
  • Members
  • 19 posts
  • Gender:Male
  • Local time:02:21 AM

Posted 24 April 2016 - 06:10 PM

Fix result of Farbar Recovery Scan Tool (x86) Version:18-04-2016
Ran by andrew (2016-04-23 20:27:05) Run:2
Running from C:\Users\andrew\Desktop
Loaded Profiles: andrew (Available Profiles: andrew)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CloseProcesses:

C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe
*****************

Processes closed successfully.
C:\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe => moved successfully


The system needed a reboot.

==== End of Fixlog 20:27:15 ====
 
 
ESET Online Scanner Log:
 
C:\FRST\Quarantine\C\Program Files\Gipwerbasdyrjob\Hafcycwy.dll a variant of Win32/Toolbar.Perion.AC potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Program Files\Gipwerbasdyrjob\Jhmilq64.dll a variant of Win64/Toolbar.Perion.H potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Program Files\Gipwerbasdyrjob\prc.exe a variant of Win32/Toolbar.Perion.AB potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Program Files\Gipwerbasdyrjob\Tirta.dll a variant of Win32/Toolbar.Perion.AC potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Program Files\Gipwerbasdyrjob\Vinzum.dll a variant of Win32/Toolbar.Perion.AC potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Program Files\sunnyday\uninstaller.exe a variant of MSIL/Kryptik.FTS trojan cleaned by deleting
C:\FRST\Quarantine\C\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe\10.29.0.20_0\APISupport\APISupport.dll a variant of Win32/Conduit.SearchProtect.N potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe\10.29.0.20_0\nativeMessaging\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe\10.29.0.20_0\plugins\ChromeApiPlugin.dll a variant of Win32/Conduit.SearchProtect.N potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe\10.31.4.510_0\APISupport\APISupport.dll a variant of Win32/Conduit.SearchProtect.P potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe\10.31.4.510_0\nativeMessaging\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Users\andrew\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkpcdceijednnilobgleblmagjchmofe\10.31.4.510_0\plugins\ChromeApiPlugin.dll a variant of Win32/Conduit.SearchProtect.N potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Users\andrew\AppData\Roaming\PlusOzelab.exe.xBAD a variant of Win32/Kryptik.EUNU trojan cleaned by deleting
C:\FRST\Quarantine\C\Users\andrew\AppData\Roaming\Subair.exe.xBAD a variant of Win32/Kryptik.EUNU trojan cleaned by deleting
C:\Windows\AutoKMS\AutoKMS.exe MSIL/HackKMS.A potentially unsafe application cleaned by deleting
 


#15 Aura (Bleepin' Special Ops)
  • Malware Response Team
  • 19,662 posts
  • Gender:Male
  • Local time:05:21 AM

Posted 25 April 2016 - 05:19 AM

Thank you for the logs :) The last malicious remnant on your system was successfully moved by FRST, and ESET Online Scanner only detected files previously quarantined by it, so there's nothing left to look for. I declare your system clean :) We'll get rid of the tools I made you download and the logs they produced now.

DelFix
Follow the instructions below to download and execute DelFix.
  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options :
    • Activate UAC;
    • Remove disinfection tools;
    • Create registry backup;
    • Purge system restore;
    • Reset system settings;
  • Once all the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply;

Tips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it that make it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits, which are one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like Secunia PSI and Heimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Antivirus, Antimalware, Firewall and Anti-Exploit/Ransomware

Having a decent security setup (led by an Antivirus) is the most crucial step to protect a system. These programs are a layer of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Ideally, you should have on your system one Antivirus (never more than one installed at a time), one Antimalware (you can install multiple of these, assuming they do not conflict with each other and the other security programs installed), one Firewall and if you wish, one Anti-Exploit and/or Anti-Ransomware (since ransomware is currently the most dangerous threat around and it can hit anywhere). Here are a few programs worth checking out if you don't have one yet.

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

Antivirus

Antimalware

Firewall

Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.
  • GlassWire - Has both a free and paid version (with different packages);
  • Windows Firewall Control - Gives you more control over your Windows Firewall;
  • TinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it;

Anti-Exploit/Anti-Ransomware

Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits.

Hardening your web browser means to install extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc. but also you at the same time. Here are a few extensions that I recommend you to install.
  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome and Mozilla Firefox, called uBlock on Opera);
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera);
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browser);
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers);
  • uMatrix: For advanced users, a point and click matrix-like extension that allows you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera);
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser);
As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:

As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far less chances to get infected by a malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you to avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices :

The End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on BleepingComputer and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you won't!), you can always come back in this section to get another checkup with one of our trained malware removal members.

Do you have any questions before I close this thread? :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
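Aura's closing triage in the reply above rests on reading the paths in the ESET Online Scanner output: anything under `C:\FRST\Quarantine` was already moved there by FRST and is only a remnant. The following is an added example, not code from this thread, from FRST or from ESET: a Python script that splits ESET's one-line-per-detection output into quarantined remnants (recovering the location each file was moved from, following the `C:\FRST\Quarantine\<drive letter>\<original path>` layout that the posted Fixlog and ESET log show) and detections at live paths, which for the posted log is the single `C:\Windows\AutoKMS\AutoKMS.exe` entry. The regular expression for ESET's line format is inferred from the lines in this thread and is an assumption; the four sample lines are copied from the posted log.

```python
r"""Triage ESET Online Scanner results against the FRST quarantine folder.

Added example (not part of the BleepingComputer thread, of FRST or of ESET).
FRST moves the files it removes to C:\FRST\Quarantine\<drive>\<original path>,
as the posted Fixlog and ESET log show, so an ESET hit under that folder is a
remnant that is already out of play, while a hit anywhere else is live.
"""
import re
from pathlib import PureWindowsPath

QUARANTINE_ROOT = PureWindowsPath(r"C:\FRST\Quarantine")

# One ESET line: "<path> <detection> <category> <action>". The path may contain
# spaces, so it is matched lazily and the detection name is anchored on the
# "Family/Name" slash that ESET detection names carry. Format inferred from the
# posted log; an assumption of this example.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<category>potentially unwanted application|potentially unsafe application|\w+)\s+"
    r"(?P<action>.+?)\s*$"
)

# Constructed sample: four lines copied from the ESET log posted in this thread.
SAMPLE_ESET_LOG = r"""
C:\FRST\Quarantine\C\Program Files\Gipwerbasdyrjob\Hafcycwy.dll a variant of Win32/Toolbar.Perion.AC potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Program Files\sunnyday\uninstaller.exe a variant of MSIL/Kryptik.FTS trojan cleaned by deleting
C:\FRST\Quarantine\C\Users\andrew\AppData\Roaming\PlusOzelab.exe.xBAD a variant of Win32/Kryptik.EUNU trojan cleaned by deleting
C:\Windows\AutoKMS\AutoKMS.exe MSIL/HackKMS.A potentially unsafe application cleaned by deleting
"""


def parse_eset_line(line: str):
    """Return the fields of one detection line, or None for blank/other lines."""
    m = ESET_LINE.match(line.strip())
    return m.groupdict() if m else None


def quarantined_from(path: str):
    """If path lies inside the FRST quarantine, return the location it was moved from."""
    parts = PureWindowsPath(path).parts
    root = QUARANTINE_ROOT.parts
    if [p.lower() for p in parts[:len(root)]] != [p.lower() for p in root]:
        return None
    rest = parts[len(root):]            # ('C', 'Program Files', ...): drive letter, then original path
    if len(rest) < 2 or len(rest[0]) != 1:
        return None
    return str(PureWindowsPath(rest[0] + ":\\", *rest[1:]))


def triage_eset(log_text: str) -> dict:
    """Split detections into already-quarantined remnants and live findings."""
    result = {"quarantined": [], "live": []}
    for line in log_text.splitlines():
        hit = parse_eset_line(line)
        if not hit:
            continue
        origin = quarantined_from(hit["path"])
        if origin:
            hit["original_path"] = origin
            result["quarantined"].append(hit)
        else:
            result["live"].append(hit)
    return result


if __name__ == "__main__":
    report = triage_eset(SAMPLE_ESET_LOG)
    for hit in report["quarantined"]:
        print(f"remnant  {hit['original_path']}  ({hit['detection']})")
    for hit in report["live"]:
        print(f"LIVE     {hit['path']}  ({hit['detection']}, {hit['category']})")
```

The `live` list is the part worth a second look after a cleanup: a scanner hitting a file that is still at its original location means something was not covered by the earlier fix, whereas hits inside the quarantine folder only confirm what FRST already moved.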




