
Snap.do, airtostrong, xifs, hijacked browsers


20 replies to this topic

#1 alien12


Posted 01 May 2016 - 05:31 PM

Hi to everyone who is willing to help.

 

I have the following problem; I downloaded a file obviously containing a virus and when I opened it, my computer got infected with several browser hijackers and other adware and malware. The ones I could identify were snap.do, airtostrong, xifs, bittorrent.

I cleaned my computer manually (I ran several cleaning programs: Spybot, Adaware, Real security, Spyhunter, Sophos virus removal, JRT) file by file and it took me two days to make my way through all the hidden files and registry. Now I need someone to check the FRST logs to see if I missed something and tell me what to do next.

Thanks for your help!

 

Attached Files




#2 satchfan

Malware Response Team

Posted 01 May 2016 - 05:41 PM

Hello alien12 and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please run FRST again and post the new log.

Logs to include with next post:

AdwCleaner log
JRT.txt
Frst.txt


Thanks

Satchfan

 

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 alien12


Posted 01 May 2016 - 06:41 PM

Thanks for your help! I really appreciate it.

 

Here you go ...

Attached Files



#4 satchfan


Posted 01 May 2016 - 07:07 PM

I’m looking at your logs but whilst I check them I’d like you to run a couple more scans.

  • Please download MGADiag by clicking here and save it to your desktop
  • double click the MGADiag icon on your desktop
  • push Continue
  • push Copy
  • go to Start -> Run and type in "Notepad"
  • go to Edit -> Paste in notepad
  • Copy and paste that log here.

===================================================

Run CKScanner

Download CKScanner by askey127 from here & save it to your Desktop.

  • double-click CKScanner.exe then click Search For Files
  • when the cursor hourglass disappears, click Save List To File
  • a message box will verify the file saved
  • double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

Please also include the MGADiag log.

I won’t reply tonight as it’s one in the morning here but I’ll be in touch as soon as I can.

Satchfan

 




#5 alien12


Posted 02 May 2016 - 03:58 AM

Thanks for your quick help.

 

Here are the logs you requested ...

 

-----------

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\acrylic wi-fi home\libs\tarlogic.apkeygen.dll
c:\program files\asp32\keygen.exe
scanner sequence 3.LB.11.UJNARZ
 ----- EOF -----
 

 

Attached Files



#6 satchfan


Posted 02 May 2016 - 07:33 AM

You have illegal software on your computer and it would appear that your version of Windows is also not genuine. Are you aware of that?




#7 alien12


Posted 02 May 2016 - 09:01 AM

I bought my laptop used and it came with a preinstalled copy of Windows. As everything worked fine I left it as it was. I am aware of some illegal software, but that is not the culprit. As I said before, I deleted everything suspicious, now I ask for help with looking for possible hijacker/adware remnants.



#8 satchfan


Posted 02 May 2016 - 09:25 AM

"I am aware of some illegal software, but that is not the culprit."

 

And how would you know that?

 

Besides being illegal, cracks/keygens are the most certain means of infecting your system, as ALL illegal software contains some form of malicious code.

This forum, as well as all the other well-respected malware removal forums, does not condone the use of illegal software. If you disregard this warning and become re-infected, we may not assist you the next time.

Please uninstall all the illegal software that you have downloaded and installed. When you have done this, run CKScanner again and post a new log.

Thanks

Satchfan




#9 alien12


Posted 02 May 2016 - 10:22 AM

OK, I respected your warning and did as you told me, but the acrylic is still reappearing in the log and I know that it is legit, because it's free.

 

-----------------------

 

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\acrylic wi-fi home\libs\tarlogic.apkeygen.dll
scanner sequence 3.NA.11.GXLBF0
 ----- EOF -----
 


Edited by alien12, 02 May 2016 - 10:24 AM.


#10 satchfan


Posted 02 May 2016 - 10:44 AM

Yes, I know that one is legitimate.

Run Farbar Recovery Scan Tool

Open Notepad (Start > All Programs > Accessories > Notepad). Please copy the entire contents of the code box below and paste it into Notepad.

GroupPolicyUsers\S-1-5-21-4085096826-446561640-3722783149-1009\User: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-4085096826-446561640-3722783149-1001\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: HKLM -> Default = {FE69C007-C452-4d3e-86D2-1730DF8BC871}
SearchScopes: HKLM -> DefaultScope value is missing
CHR Extension: (New Tab Page by Speed Dial Team) - C:\Users\ACER\AppData\Local\Google\Chrome\User Data\Default\Extensions\idgeoanibcknhniccgaoaiolihidecjn [2016-02-05]
CHR HKLM\...\Chrome\Extension: [poebmmdfibcjaegpfefgnigcagnpmcgj] - C:\Program Files\OApps\chrome-sl.crx <not found>
S3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [408280 2015-12-09] (BitDefender S.R.L.)
S3 CV2K1; system32\DRIVERS\cv2k1.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad32v.sys [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfd.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2016-04-29 20:58 - 2016-04-29 20:59 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\ACER\Desktop\SpyHunter-Installer.exe
2016-04-30 00:55 - 2016-04-30 00:55 - 00001080 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spy Protector.lnk
C:\Users\ACER\setup_COMSHOPfoto.exe
C:\Users\ACER\AppData\Local\Temp\libeay32.dll
C:\Users\ACER\AppData\Local\Temp\msvcr120.dll
C:\Users\ACER\AppData\Local\Temp\sqlite3.dll
C:\Windows\System32\NTIBUN5.dll
AntimalwareEngine (Version: 3.0.99.0 - Lavasoft) Hidden
Task: {05D7DDB7-6657-441C-9101-4113D196AAAD} - System32\Tasks\{0E5EC379-92E3-4964-ACBF-EAD1A92FE7DC} => C:\Users\ACER\AppData\Local\Temp\$\setup.exe <==== ATTENTION
Task: {43E4D829-95B1-49E9-8EB9-8103F3D28E8F} - System32\Tasks\{CB2F7CBA-B5BD-43E6-A2F6-F08C186F0B09} => C:\Users\ACER\AppData\Local\Temp\$\setup.exe <==== ATTENTION
Task: {C0FF591A-8879-429F-A587-4E8191CCB13D} - System32\Tasks\{9ADCF3C1-5A26-49CD-ABB7-BCE142FC57C6} => pcalua.exe -a "C:\Program Files\Avira\AntiVir Desktop\setup.exe" -c /REMOVE
EmptyTemp:

NOTE: this script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: it's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Multiple antiviruses

You have Ad-Aware and Microsoft Security Essentials, (MSE) antivirus programs installed.

You cannot run two real-time antiviruses at the same time. Although many have different methods of searching for and recognising threats, they will all be 'fighting' in memory to kick each other out, rendering them all ineffective.

I would suggest you uninstall Ad-Aware but it is your choice.

  • click Start, Control Panel, Programs and Features
  • scroll down the list, click on either Ad-Aware (all entries) or Microsoft Security Client, and then on Remove.

===================================================

Run Security Check

Download Security Check by screen317 from here.

  • save it to your Desktop.
  • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • a Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED!, try rebooting the system and then run SecurityCheck again.

================================================

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

Fixlog.txt
Checkup.txt
New Frst.txt
New Addition.txt


Thanks

Satchfan

 




#11 alien12


Posted 02 May 2016 - 01:08 PM

OK, I did the following:

 

- ran FRST, clicked fix and rebooted

- uninstalled Adaware, rebooted

- ran Security Check (downloaded it elsewhere, because your link says "account suspended")

- checked Java version (Verify Java version tells me I have an up-to-date version)

- ran FRST again

 

 

 

Attached Files



#12 satchfan


Posted 03 May 2016 - 03:06 AM

Sorry for the delay but I seem to have missed your reply.

 

That’s looking a lot better but strangely, a proxy server has suddenly appeared. Let’s tidy that up and have a further look.

Run Farbar Recovery Scan Tool

Open Notepad (Start > All Programs > Accessories > Notepad). Please copy the entire contents of the code box below and paste it into Notepad.

ProxyServer: [S-1-5-21-4085096826-446561640-3722783149-1001] => localhost:8080
AutoConfigURL: [S-1-5-21-4085096826-446561640-3722783149-1001] => localhost:8080
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4085096826-446561640-3722783149-1001 -> {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = hxxp://www.google.si
EmptyTemp:

NOTE: this script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: it's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions on how to disable your security applications here.

  • on Windows Vista, 7/8, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    createsrpoint;
    autoclean;
    emptyalltemp;
    ipconfig /flushdns;b
    
  • close any open programs
  • click the Run script button, and wait. It takes a few minutes to run
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Logs to include with next post:

Fixlog.txt
Zoek results log

 

Can you tell me how things are now and what problems remain.

 

Thanks

Satchfan


Edited by satchfan, 03 May 2016 - 03:10 AM.

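A small triage helper for FRST report lines like the ones in the fixlists of post #10 and post #12 (added example, not part of the thread and not FRST's own code; the rule names are my own labels, and the sample lines are copied from those two fixlists):

```python
import re
from typing import Dict, List

# Sample input, copied from the two FRST fixlists posted in this thread
# (raw string, so the Windows backslashes stay literal).
SAMPLE_LOG = r"""
GroupPolicyScripts: Restriction <======= ATTENTION
URLSearchHook: HKLM -> Default = {FE69C007-C452-4d3e-86D2-1730DF8BC871}
CHR HKLM\...\Chrome\Extension: [poebmmdfibcjaegpfefgnigcagnpmcgj] - C:\Program Files\OApps\chrome-sl.crx <not found>
S3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [408280 2015-12-09] (BitDefender S.R.L.)
S3 CV2K1; system32\DRIVERS\cv2k1.sys [X]
Task: {05D7DDB7-6657-441C-9101-4113D196AAAD} - System32\Tasks\{0E5EC379-92E3-4964-ACBF-EAD1A92FE7DC} => C:\Users\ACER\AppData\Local\Temp\$\setup.exe <==== ATTENTION
ProxyServer: [S-1-5-21-4085096826-446561640-3722783149-1001] => localhost:8080
AutoConfigURL: [S-1-5-21-4085096826-446561640-3722783149-1001] => localhost:8080
"""

# Heuristics named after what the line pattern means in an FRST report.
# The rule names are this example's own labels, not FRST terminology.
RULES = [
    # FRST's own marker for policy restrictions and suspicious tasks
    ("attention", re.compile(r"<=+ ATTENTION$")),
    # service/driver still registered but its binary is gone ('[X]')
    ("missing-service-binary", re.compile(r"^S\d .*\[X\]$")),
    # Chrome extension registered in HKLM whose .crx no longer exists
    ("extension-not-found", re.compile(r"^CHR .*<not found>$")),
    # scheduled task that launches something out of a Temp folder
    ("task-from-temp", re.compile(r"^Task: .*\\Temp\\", re.IGNORECASE)),
    # browser proxy / PAC URL pointed at the local machine (see post #12)
    ("localhost-proxy", re.compile(r"^(ProxyServer|AutoConfigURL): .*=> localhost:\d+$")),
]


def triage(report: str) -> Dict[str, List[str]]:
    """Map each rule name to the report lines it matches.

    A line may land in more than one bucket: the Temp-launched task above
    is both 'task-from-temp' and carries FRST's ATTENTION marker.
    """
    hits: Dict[str, List[str]] = {name: [] for name, _ in RULES}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits[name].append(line)
    return hits


def count_flagged(report: str) -> int:
    """Number of distinct lines caught by at least one rule."""
    return len({line for lines in triage(report).values() for line in lines})


if __name__ == "__main__":
    for name, lines in triage(SAMPLE_LOG).items():
        print(f"{name}: {len(lines)}")
    print("flagged lines:", count_flagged(SAMPLE_LOG))  # 6 of the 8 sample lines
```

The URLSearchHook and Trufos lines are deliberately left unflagged: the helper only catches the patterns FRST itself marks or that are structurally broken, so a helper like this narrows a log for review but does not replace reading it.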


#13 alien12


Posted 03 May 2016 - 09:37 AM

What can I say ... for now, things are looking good. There seem to be no delays or redirections to other sites.

 

Some files were deleted (like Bonjour, Foto Hofer) but they did no harm to the computer and were safe.

 

But I found a suspicious entry in the Zoek.log:

 

user_pref("browser.startup.homepage", "C:\ProgramData\xifss\ff.HP")

 

Am I right or not?

 

 

Attached Files



#14 satchfan


Posted 03 May 2016 - 12:01 PM

I found a suspicious entry in the Zoek.log:

user_pref("browser.startup.homepage", "C:\ProgramData\xifss\ff.HP")

It appears to be an HP-supported, customer release version of HP Firefox Web Browser but we'll set them back to default settings if this is nothing that you set.

Run Zoek

  • run Zoek again by right-clicking Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    createsrpoint;
    autoclean;
    emptyclsid;
    emptyffcache;
    FFdefaults;
    emptyiecache;
    iedefaults;
    emptychrcache;
    CHRdefaults;
    emptyalltemp;
    emptyfolderscheck;delete
    ipconfig /flushdns;b
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

===================================================

Download Malwarebytes-Anti-Malware

Click here.

  • double-click mbam-setup.exe and follow the prompts to install the program – (Note: Vista & Windows 7, 8, 10 users, please right-click and select “Run as Administrator”)
  • select the “Scan” tab at the top
  • there are three scan types; choose Threat Scan, then click on Scan
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Logs to include with the next post:

Zoek log
Mbam.txt


Satchfan


 




#15 alien12


Posted 03 May 2016 - 03:43 PM

I did as you told me. What is strange is that Malwarebytes found 8 registry keys/values (conduit ...) and removed them, but in the log it says it found nothing ....

Attached Files


Edited by alien12, 03 May 2016 - 03:47 PM.




