
Chrome opens and redirects upon booting and about every 10 minutes.


  • This topic is locked
34 replies to this topic

#1 dacheezta

  • Members
  • 24 posts

Posted 09 May 2016 - 02:49 AM

Hi all,

I recently got some nasty malware on my computer. It started out downloading about 15 unwanted programs to my computer and changing my browsers' default settings (search engine, home page, etc.). I have run a variety of anti-malware scans and fixes and I have resolved 90% of the problem, but one thing keeps recurring. Whenever I restart my computer, Chrome opens up immediately and sends me to "https://ads01-atmgroup.rhcloud.com/ads.php", which then redirects to a website called "go.padsdel.com". I've done some research and I haven't really found anyone with the same problem as me, so I'm coming here.

Programs I've used to look for this malware include:

1. Malwarebytes Anti-Malware
2. RKill
3. ADWCleaner
4. JRT
5. RootKit Removal tool

I've also uninstalled Chrome twice and reset it, so the problem seems to be deep somewhere where no program can find it.

Any help is appreciated. Below are my FRST files.

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-05-2016
Ran by Cameron (administrator) on 420MLGXXX (09-05-2016 03:32:20)
Running from C:\Users\Cameron\Downloads
Loaded Profiles: Cameron (Available Profiles: Cameron)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe
() C:\Riot Games\LolScreenSaver\service\service.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Plays.tv, LLC) C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
() C:\Windows\SysWOW64\PnkBstrB.exe
(Razer Inc) C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\timeout.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Spotify Ltd) C:\Users\Cameron\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(RemoteMouse.net) C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Razer Game Booster\RzKLService.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Plays.tv, LLC) C:\Program Files (x86)\Raptr Inc\PlaysTV\playstv.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Raptr Inc.) C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_ep64.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2771576 2015-12-16] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [15033976 2015-11-20] (Logitech Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13317960 2016-04-27] (Zemana Ltd.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PlaysTV] => C:\Program Files (x86)\Raptr Inc\PlaysTV\playstv_launcher.exe [71440 2016-04-27] (Plays.tv, LLC)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKLM-x32\...\RunOnce: [Gobarurele] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Cameron\AppData\Local\5AC973~1\Dele.dat"
HKLM-x32\...\RunOnce: [AdBlock] => "AdBlock.exe"
HKU\S-1-5-21-644968830-336766481-3016761123-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3077712 2016-04-29] (Valve Corporation)
HKU\S-1-5-21-644968830-336766481-3016761123-1000\...\Run: [Spotify Web Helper] => C:\Users\Cameron\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1525360 2016-04-27] (Spotify Ltd)
HKU\S-1-5-21-644968830-336766481-3016761123-1000\...\Run: [Remote Mouse] => C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe [871936 2016-03-28] (RemoteMouse.net)
HKU\S-1-5-21-644968830-336766481-3016761123-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\es.scr [4136960 2011-12-13] ()
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-19] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-19] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-19] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{149AF8E0-7F5B-45DB-BD04-23265EE71686}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{64310D1B-0B04-4440-824A-663F455073BF}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-644968830-336766481-3016761123-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-644968830-336766481-3016761123-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-03-16] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_91\bin\ssv.dll [2016-05-05] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2016-03-16] (Microsoft Corporation)
BHO: Efamnedwoko -> {C351CECA-6289-4B45-8491-02DE054C361C} -> C:\Program Files\Efamnedwoko\Mobmioo64.dll => No File
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-04-19] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-05] (Oracle Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2016-03-16] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-05-08] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2016-03-16] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-08] (Oracle Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-08-24] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-07] ()
FF Plugin: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-05] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-05] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-07] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-08] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-08] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-08] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-11-03] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll [2013-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-08-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-12-16] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-12-16] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-644968830-336766481-3016761123-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Cameron\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-03-10] (Unity Technologies ApS)
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-05-08]
CHR Extension: (BetterTTV) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2016-05-08]
CHR Extension: (Google Docs) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-05-08]
CHR Extension: (Google Drive) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-05-08]
CHR Extension: (YouTube) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-05-08]
CHR Extension: (Honey) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2016-05-09]
CHR Extension: (Adblock Plus) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-05-08]
CHR Extension: (uBlock Origin) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2016-05-08]
CHR Extension: (Google Sheets) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-05-08]
CHR Extension: (Google Docs Offline) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-08]
CHR Extension: (tab.pics) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcaanmfcilckhmibiacbenapbdjgcnfa [2016-05-08]
CHR Extension: (The Weather Channel for Chrome) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\iflpcokdamgefbghpdipcibmhlkdopop [2016-05-08]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-05-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-08]
CHR Extension: (Oddshot) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnoeeagkgpkplnhmnnlgodjnjgckhja [2016-05-08]
CHR Extension: (AlienTube for YouTube™) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\opgodjgjgojjkhlmmhdlojfehcemknnp [2016-05-08]
CHR Extension: (Hover Zoom+) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\pccckmaobkjjboncdfnnofkonhgpceea [2016-05-08]
CHR Extension: (Psykopaint) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgjchkcfmigkkhedgjedmffdepgmpfil [2016-05-08]
CHR Extension: (Gmail) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-05-08]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1225216 2015-09-23] ()
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2829552 2016-03-08] (Microsoft Corporation)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1156216 2015-12-16] (NVIDIA Corporation)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135496 2016-05-08] (SurfRight B.V.)
R2 LogiRegistryService; C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe [193144 2015-11-20] (Logitech Inc.)
R2 LolScreenSaverService; C:\Riot Games\LolScreenSaver\service\service.exe [707072 2016-03-30] () [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1872504 2015-12-16] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [8185464 2015-12-16] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [6477432 2015-12-16] (NVIDIA Corporation)
S3 OverwolfUpdater; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [1286896 2016-04-24] (Overwolf LTD)
R2 PlaysService; C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe [32528 2016-04-27] (Plays.tv, LLC)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [75064 2015-08-27] ()
R2 PnkBstrB; C:\Windows\SysWOW64\PnkBstrB.exe [215128 2015-08-27] ()
R2 Razer Chroma SDK Service; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe [49152 2015-07-29] (Razer Inc) [File not signed]
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [187072 2015-02-04] ()
R2 RzKLService; C:\Program Files (x86)\Razer\Razer Game Booster\RzKLService.exe [105448 2014-02-25] (Razer Inc.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 VSStandardCollectorService140; C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\StandardCollector.Service.exe [56552 2016-03-22] (Microsoft Corporation)
S3 wampmysqld64; C:\wamp64\bin\mysql\mysql5.7.9\bin\mysqld.exe [38587904 2015-10-12] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13317960 2016-04-27] (Zemana Ltd.)
S2 Efamnedwoko Updater; C:\Program Files\Efamnedwoko\Agasbuo.exe [X]
S2 Lamzap; C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a
S2 RetxiEesyu; "C:\Program Files\Efamnedwoko\RetxiEesyu.exe" [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R2 LGCoreTemp; C:\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\lgcoretemp.sys [14184 2015-06-21] (Logitech)
R3 LGJoyXlCore; C:\Windows\System32\drivers\LGJoyXlCore.sys [68384 2015-06-10] (Logitech Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-05-09] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
S3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [121416 2012-05-12] (MotioninJoy) [File not signed]
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19576 2015-12-16] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [50472 2015-12-16] (NVIDIA Corporation)
R3 rzendpt; C:\Windows\System32\DRIVERS\rzendpt.sys [39592 2014-12-30] (Razer Inc)
R2 rzpmgrk; C:\Windows\system32\drivers\rzpmgrk.sys [37184 2015-02-04] (Razer, Inc.)
R2 rzpnk; C:\Windows\system32\drivers\rzpnk.sys [129600 2015-03-03] (Razer, Inc.)
R3 ScpVBus; C:\Windows\System32\DRIVERS\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [202656 2016-05-09] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [202656 2016-05-09] (Zemana Ltd.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-05-09 03:32 - 2016-05-09 03:32 - 00022804 _____ C:\Users\Cameron\Downloads\FRST.txt
2016-05-09 03:31 - 2016-05-09 03:32 - 00000000 ____D C:\FRST
2016-05-09 03:31 - 2016-05-09 03:31 - 02379264 _____ (Farbar) C:\Users\Cameron\Downloads\FRST64.exe
2016-05-09 03:22 - 2016-05-09 03:22 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-05-09 02:19 - 2016-05-09 03:32 - 00033408 _____ C:\Windows\ZAM.krnl.trace
2016-05-09 02:19 - 2016-05-09 03:23 - 00000119 _____ C:\Windows\ZAM_Guard.krnl.trace
2016-05-09 02:18 - 2016-05-09 02:19 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-05-09 02:18 - 2016-05-09 02:18 - 05479312 _____ ( ) C:\Users\Cameron\Downloads\Zemana.AntiMalware.Setup.exe
2016-05-09 02:18 - 2016-05-09 02:18 - 00202656 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2016-05-09 02:18 - 2016-05-09 02:18 - 00202656 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2016-05-09 02:18 - 2016-05-09 02:18 - 00001148 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2016-05-09 02:18 - 2016-05-09 02:18 - 00000000 ____D C:\Users\Cameron\AppData\Local\Zemana
2016-05-09 02:18 - 2016-05-09 02:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2016-05-09 02:10 - 2016-05-09 02:10 - 00033451 _____ C:\ComboFix.txt
2016-05-09 01:58 - 2016-05-09 02:10 - 00000000 ____D C:\ComboFix
2016-05-09 01:58 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
2016-05-09 01:58 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
2016-05-09 01:58 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-05-09 01:58 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-05-09 01:58 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-05-09 01:58 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
2016-05-09 01:58 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
2016-05-09 01:58 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
2016-05-09 01:57 - 2016-05-09 01:57 - 05658358 ____R (Swearware) C:\Users\Cameron\Downloads\ComboFix.exe
2016-05-09 00:03 - 2016-05-09 00:03 - 00000222 _____ C:\Users\Cameron\Desktop\The Talos Principle.url
2016-05-08 22:25 - 2016-05-08 22:25 - 00010028 _____ C:\Windows\system32\.crusader
2016-05-08 21:54 - 2016-05-08 22:27 - 00000000 ____D C:\ProgramData\HitmanPro
2016-05-08 21:54 - 2016-05-08 22:25 - 00212690 _____ C:\TDSSKiller.3.1.0.9_08.05.2016_21.54.34_log.txt
2016-05-08 21:54 - 2016-05-08 21:54 - 00001893 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2016-05-08 21:54 - 2016-05-08 21:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2016-05-08 21:54 - 2016-05-08 21:54 - 00000000 ____D C:\Program Files\HitmanPro
2016-05-08 21:49 - 2016-05-08 21:50 - 11441168 _____ (SurfRight B.V.) C:\Users\Cameron\Downloads\HitmanPro_x64.exe
2016-05-08 20:01 - 2016-05-08 20:01 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Cameron\Downloads\tdsskiller.exe
2016-05-08 20:00 - 2016-05-08 20:00 - 01610816 _____ (Malwarebytes) C:\Users\Cameron\Downloads\JRT.exe
2016-05-08 19:52 - 2016-05-08 19:52 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Cameron\Downloads\rkill.com
2016-05-08 19:51 - 2016-05-08 19:51 - 03615296 _____ C:\Users\Cameron\Downloads\adwcleaner_5.115.exe
2016-05-08 19:31 - 2016-05-08 19:31 - 00002267 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-05-08 19:31 - 2016-05-08 19:31 - 00002255 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-05-08 15:51 - 2016-05-08 15:51 - 00987728 _____ (Google Inc.) C:\Users\Cameron\Downloads\ChromeSetup.exe
2016-05-08 15:00 - 2016-05-08 15:25 - 00234932 _____ C:\Windows\ntbtlog.txt
2016-05-08 14:53 - 2016-05-08 14:53 - 00000000 ____D C:\Windows\system32\odi
2016-05-08 14:46 - 2016-05-08 14:46 - 00003108 _____ C:\Windows\System32\Tasks\{E8A7716C-D1FF-4F53-AA6C-B5302B7FC2EE}
2016-05-08 14:28 - 2016-05-08 14:52 - 00001096 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-05-08 14:14 - 2016-05-08 14:14 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Mozilla
2016-05-08 14:12 - 2016-05-08 22:25 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Gaeqokapfa
2016-05-08 14:12 - 2016-05-08 22:25 - 00000000 ____D C:\ProgramData\Lamzap
2016-05-08 14:12 - 2016-05-08 14:57 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\EoqoFaci
2016-05-08 14:12 - 2016-05-08 14:39 - 00000000 ____D C:\Program Files\EfamnedwokoUn
2016-05-08 14:12 - 2016-05-08 14:12 - 06494208 _____ C:\Users\Cameron\AppData\Roaming\agent.dat
2016-05-08 14:12 - 2016-05-08 14:12 - 01626777 _____ C:\Users\Cameron\AppData\Roaming\Duoflex.tst
2016-05-08 14:12 - 2016-05-08 14:12 - 00072717 _____ C:\Users\Cameron\AppData\Roaming\Inchdax.tst
2016-05-08 14:12 - 2016-05-08 14:12 - 00018432 _____ C:\Users\Cameron\AppData\Roaming\Main.dat
2016-05-08 14:11 - 2016-05-08 14:11 - 00000000 _____ C:\Windows\SysWOW64\Number of results
2016-05-08 13:52 - 2016-05-07 00:14 - 00303226 _____ ( ) C:\Windows\AdBlock.exe
2016-05-08 13:44 - 2016-05-09 03:22 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\efo
2016-05-08 13:42 - 2016-05-08 14:49 - 00000000 ____D C:\Program Files\Caster
2016-05-08 13:41 - 2016-05-09 03:22 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Ebijvib
2016-05-08 13:41 - 2016-05-08 14:25 - 00000000 ____D C:\Program Files\KolfekdolUn
2016-05-08 13:41 - 2016-05-08 14:12 - 00000000 ____D C:\Users\Cameron\AppData\Local\Tempfolder
2016-05-08 13:41 - 2016-05-08 14:11 - 00127488 _____ C:\Users\Cameron\AppData\Roaming\Installer.dat
2016-05-08 13:41 - 2016-05-08 13:41 - 00000000 ____D C:\uninst
2016-05-08 13:41 - 2016-05-08 13:39 - 00000217 _____ C:\Windows\system32\Drivers\etc\hp.bak
2016-05-05 19:59 - 2016-05-05 19:59 - 00000000 ____D C:\Users\Cameron\.jmc
2016-05-05 18:48 - 2016-05-08 14:37 - 00000000 ____D C:\Users\Cameron\AppData\Local\Eclipse
2016-05-05 18:47 - 2016-05-08 14:51 - 00000833 _____ C:\Users\Cameron\Desktop\Eclipse.lnk
2016-05-05 18:46 - 2016-05-05 19:59 - 00000000 ____D C:\Users\Cameron\.oracle_jre_usage
2016-05-05 18:46 - 2016-05-05 18:46 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Sun
2016-05-05 18:44 - 2016-05-05 18:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit
2016-05-05 18:42 - 2016-05-05 18:43 - 196518456 _____ (Oracle Corporation) C:\Users\Cameron\Downloads\jdk-8u91-windows-x64.exe
2016-05-05 18:29 - 2016-05-05 18:35 - 158826718 _____ C:\Users\Cameron\Downloads\eclipse-java-kepler-SR1-win32-x86_64.zip
2016-05-05 18:24 - 2016-05-05 22:34 - 00000000 ____D C:\Users\Cameron\Desktop\Coding
2016-05-05 18:16 - 2016-05-05 18:16 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Sublime Text 3
2016-05-05 18:16 - 2016-05-05 18:16 - 00000000 ____D C:\Users\Cameron\AppData\Local\Sublime Text 3
2016-05-04 20:10 - 2016-05-04 20:10 - 03384760 _____ C:\Users\Cameron\Downloads\ParkRecTampa.pdf
2016-05-04 20:10 - 2016-05-04 20:10 - 03384760 _____ C:\Users\Cameron\Downloads\ParkRecTampa (1).pdf
2016-05-02 02:27 - 2016-05-02 02:27 - 00000000 ____D C:\Users\Cameron\Documents\Rockstar Games
2016-05-02 02:27 - 2016-05-02 02:27 - 00000000 ____D C:\Users\Cameron\AppData\Local\Rockstar Gamest
2016-05-01 11:49 - 2016-05-01 11:49 - 00000000 ____D C:\ProgramData\Age of Empires 3
2016-05-01 11:38 - 2016-05-01 11:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Age of Empires III - Complete Collection
2016-05-01 11:28 - 2016-05-01 11:38 - 00000000 ____D C:\Program Files (x86)\Age of Empires III - Complete Collection
2016-04-27 05:24 - 2016-04-27 05:24 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\LolScreenSaver
2016-04-27 05:20 - 2016-04-27 05:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Electric Sheep
2016-04-27 05:19 - 2016-04-27 05:20 - 00000000 ____D C:\ProgramData\ElectricSheep
2016-04-27 05:19 - 2016-04-27 05:20 - 00000000 ____D C:\Program Files (x86)\Electric Sheep
2016-04-27 05:19 - 2016-04-27 05:19 - 19832128 _____ C:\Users\Cameron\Downloads\electricsheep-2.7b34.exe
2016-04-19 02:41 - 2016-04-19 02:41 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Tera_Awesomium
2016-04-15 22:37 - 2016-04-15 22:37 - 00067963 _____ C:\Users\Cameron\Downloads\The Mars Volta - Tetragrammaton (Pro).gp5
2016-04-15 12:24 - 2016-04-15 12:24 - 17383431 _____ C:\Users\Cameron\Downloads\CAMERON.pdf
2016-04-15 06:35 - 2016-04-15 06:35 - 00122734 _____ C:\Users\Cameron\Downloads\Test 3 Review Quiz s16 (1).pdf
2016-04-14 17:45 - 2016-04-14 17:45 - 00122734 _____ C:\Users\Cameron\Downloads\Test 3 Review Quiz s16.pdf
2016-04-13 18:29 - 2016-04-13 18:30 - 08207433 _____ C:\Users\Cameron\Downloads\Diana Hacker, Nancy Sommers, Jane Rosenzweig-The Bedford Handbook with 2009 MLA and 2010 APA Updates, 8th Edition-Bedford_St. Martin's (2009).pdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-05-09 03:32 - 2015-07-14 17:52 - 00000000 ____D C:\Users\Cameron\Desktop\Random bleep
2016-05-09 03:32 - 2015-05-13 17:09 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-05-09 03:24 - 2015-06-29 21:17 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\PlaysTV
2016-05-09 03:24 - 2015-02-21 00:29 - 00000000 ____D C:\Program Files (x86)\Steam
2016-05-09 03:24 - 2015-02-21 00:21 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-09 03:23 - 2015-02-21 00:00 - 00000000 ____D C:\ProgramData\NVIDIA
2016-05-09 03:23 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-09 03:08 - 2015-02-21 00:21 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-09 03:04 - 2015-02-28 00:17 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-05-09 02:24 - 2009-07-14 00:45 - 00017360 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-09 02:24 - 2009-07-14 00:45 - 00017360 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-09 02:19 - 2015-02-20 23:33 - 00000000 ____D C:\Users\Cameron
2016-05-09 02:10 - 2015-05-13 19:17 - 00000000 ____D C:\Qoobox
2016-05-09 02:08 - 2009-07-13 22:34 - 00000215 _____ C:\Windows\system.ini
2016-05-09 02:01 - 2015-02-28 00:17 - 00000000 ____D C:\Users\Cameron\AppData\Local\Adobe
2016-05-09 00:03 - 2015-02-20 23:36 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2016-05-08 23:50 - 2015-03-08 18:26 - 00000000 ____D C:\Users\Cameron\AppData\Local\ElevatedDiagnostics
2016-05-08 23:50 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2016-05-08 22:25 - 2015-02-25 15:31 - 00000000 ____D C:\Users\Cameron\Documents\Journal
2016-05-08 21:45 - 2015-02-21 00:40 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Spotify
2016-05-08 20:39 - 2015-02-21 00:21 - 00000000 ____D C:\Users\Cameron\AppData\Local\Google
2016-05-08 20:25 - 2015-02-21 00:40 - 00000000 ____D C:\Users\Cameron\AppData\Local\Spotify
2016-05-08 20:02 - 2015-02-21 01:13 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Skype
2016-05-08 20:00 - 2015-12-04 17:39 - 00000000 ____D C:\Users\Cameron\AppData\Local\Overwolf
2016-05-08 19:53 - 2015-05-13 18:58 - 00000000 ____D C:\AdwCleaner
2016-05-08 19:53 - 2015-03-06 03:47 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\vlc
2016-05-08 19:31 - 2015-02-21 00:21 - 00000000 ____D C:\Program Files (x86)\Google
2016-05-08 19:12 - 2015-02-21 00:21 - 00000000 ____D C:\Users\Cameron\AppData\Local\Deployment
2016-05-08 16:51 - 2015-02-21 02:09 - 00000000 ____D C:\Program Files (x86)\LOOT
2016-05-08 15:56 - 2015-06-17 21:37 - 00000000 ____D C:\Users\Cameron\Documents\My Games
2016-05-08 15:43 - 2016-04-07 16:56 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\GameVox
2016-05-08 15:39 - 2015-09-28 22:53 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Curse Client
2016-05-08 15:33 - 2009-07-14 01:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-08 15:33 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-05-08 15:31 - 2016-01-25 23:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Remote Mouse
2016-05-08 15:31 - 2016-01-25 23:32 - 00000000 ____D C:\Program Files (x86)\Remote Mouse
2016-05-08 15:26 - 2009-07-14 03:46 - 00000000 ____D C:\Windows\RemotePackages
2016-05-08 14:55 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Cursors
2016-05-08 14:52 - 2016-04-04 22:32 - 00001534 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Blend for Visual Studio 2015.lnk
2016-05-08 14:52 - 2016-04-04 22:26 - 00001535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Visual Studio 2015.lnk
2016-05-08 14:52 - 2016-04-04 19:13 - 00001039 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sublime Text 3.lnk
2016-05-08 14:52 - 2015-12-28 18:22 - 00001207 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS6.lnk
2016-05-08 14:52 - 2015-12-28 18:22 - 00001119 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS6 (64 Bit).lnk
2016-05-08 14:52 - 2015-12-28 18:21 - 00001519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS6.lnk
2016-05-08 14:52 - 2015-12-28 18:21 - 00001353 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Extension Manager CS6.lnk
2016-05-08 14:52 - 2015-12-28 18:21 - 00001169 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS6.lnk
2016-05-08 14:52 - 2015-12-28 18:21 - 00001081 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS6 (64bit).lnk
2016-05-08 14:52 - 2015-08-10 07:17 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-05-08 14:52 - 2015-06-03 13:34 - 00002156 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth.lnk
2016-05-08 14:52 - 2015-06-03 00:15 - 00001019 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2016-05-08 14:52 - 2015-04-06 11:47 - 00002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-05-08 14:52 - 2015-02-21 20:30 - 00000852 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dying Light.lnk
2016-05-08 14:52 - 2015-02-20 14:28 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-05-08 14:52 - 2015-02-20 14:27 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2016-05-08 14:52 - 2009-07-14 00:57 - 00001523 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-05-08 14:52 - 2009-07-14 00:57 - 00001304 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
2016-05-08 14:52 - 2009-07-14 00:57 - 00001246 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
2016-05-08 14:52 - 2009-07-14 00:54 - 00001210 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
2016-05-08 14:51 - 2015-12-27 18:42 - 00000949 _____ C:\Users\Cameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\osu!.lnk
2016-05-08 14:51 - 2015-09-28 22:53 - 00001025 _____ C:\Users\Cameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Curse.lnk
2016-05-08 14:51 - 2015-05-20 20:25 - 00000836 _____ C:\Users\Cameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk
2016-05-08 14:51 - 2015-02-21 00:40 - 00001802 _____ C:\Users\Cameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2016-05-08 14:51 - 2015-02-20 23:34 - 00001413 _____ C:\Users\Cameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-05-08 14:51 - 2009-07-14 01:01 - 00001218 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
2016-05-08 14:51 - 2009-07-14 00:49 - 00001246 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
2016-05-08 14:41 - 2015-12-24 00:46 - 00000000 ____D C:\Users\Cameron\AppData\Local\CrashDumps
2016-05-08 14:28 - 2015-05-13 17:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-05-08 14:28 - 2015-05-13 17:08 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-05-08 14:26 - 2016-04-01 18:05 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2016-05-08 03:36 - 2015-08-24 13:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2016-05-08 03:36 - 2009-07-13 23:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2016-05-08 01:59 - 2015-02-21 22:03 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\OBS
2016-05-06 18:19 - 2016-02-07 19:24 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Hammer & Chisel, Inc
2016-05-06 18:19 - 2016-02-07 19:24 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\discord
2016-05-06 18:19 - 2016-02-07 19:23 - 00000000 ____D C:\Users\Cameron\AppData\Local\Discord
2016-05-06 18:18 - 2016-02-07 19:23 - 00000000 ____D C:\Users\Cameron\AppData\Local\SquirrelTemp
2016-05-06 04:57 - 2015-08-24 13:56 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-05-06 04:55 - 2015-08-24 13:53 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-05-05 18:45 - 2015-05-08 15:56 - 00110144 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2016-05-05 18:45 - 2015-05-08 15:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-05-05 18:45 - 2015-05-08 15:56 - 00000000 ____D C:\Program Files\Java
2016-05-03 11:40 - 2015-12-04 17:40 - 00000000 ____D C:\Program Files (x86)\Overwolf
2016-05-01 22:57 - 2015-02-21 19:08 - 00000000 ____D C:\ProgramData\Package Cache
2016-05-01 15:07 - 2015-04-27 10:04 - 00000000 ____D C:\Program Files (x86)\R.G. Mechanics
2016-04-25 23:56 - 2016-01-01 19:40 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-04-25 23:56 - 2015-02-21 01:13 - 00000000 ____D C:\ProgramData\Skype
2016-04-24 17:58 - 2015-12-27 18:42 - 00000000 ____D C:\Users\Cameron\AppData\Local\osu!
2016-04-19 02:39 - 2016-04-01 18:43 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-04-15 04:18 - 2015-02-21 00:41 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Adobe
 
==================== Files in the root of some directories =======
 
2016-05-08 14:12 - 2016-05-08 14:12 - 6494208 _____ () C:\Users\Cameron\AppData\Roaming\agent.dat
2016-05-08 14:12 - 2016-05-08 14:12 - 1626777 _____ () C:\Users\Cameron\AppData\Roaming\Duoflex.tst
2016-05-08 14:12 - 2016-05-08 14:12 - 0072717 _____ () C:\Users\Cameron\AppData\Roaming\Inchdax.tst
2016-05-08 13:41 - 2016-05-08 14:11 - 0127488 _____ () C:\Users\Cameron\AppData\Roaming\Installer.dat
2016-05-08 14:12 - 2016-05-08 14:12 - 0018432 _____ () C:\Users\Cameron\AppData\Roaming\Main.dat
2015-03-06 18:18 - 2015-05-13 16:53 - 0000134 _____ () C:\Users\Cameron\AppData\Roaming\WB.CFG
2015-03-08 08:18 - 2015-03-08 08:18 - 0000010 _____ () C:\Users\Cameron\AppData\Local\DSI.DAT
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
nointegritychecks: ==> "IntegrityChecks" is disabled. <===== ATTENTION
 
 
LastRegBack: 2016-05-08 10:15
 
==================== End of FRST.txt ============================

Addition.txt is attached below.

Any and all help is greatly appreciated. It's quite a nuisance. 


Edited by dacheezta, 09 May 2016 - 03:12 AM.



 


#2 dacheezta
  • Topic Starter

Posted 09 May 2016 - 03:02 AM

Apologies for the repeated posts. It didn't look like it was going through. This is the original.

Edited by Platypus, 09 May 2016 - 03:41 AM.
Duplicates deleted


#3 dacheezta
  • Topic Starter

Posted 09 May 2016 - 03:04 AM

Here is the addition.txt

Attached Files



#4 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 May 2016 - 08:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please update Windows Defender.
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


Windows Firewall is disabled.
Turn your Firewall ON.
http://windows.microsoft.com/en-ca/windows/turn-windows-firewall-on-off#turn-windows-firewall-on-off=windows-7
===

Remove these old versions of Java via the Control Panel > Programs > Programs and Features applet.

Java 7 Update 80 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417080FF}) (Version: 7.0.800 - Oracle)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-644968830-336766481-3016761123-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: Efamnedwoko -> {C351CECA-6289-4B45-8491-02DE054C361C} -> C:\Program Files\Efamnedwoko\Mobmioo64.dll => No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Honey) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2016-05-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-08]
S2 Efamnedwoko Updater; C:\Program Files\Efamnedwoko\Agasbuo.exe [X]
S2 Lamzap; C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a
S2 RetxiEesyu; "C:\Program Files\Efamnedwoko\RetxiEesyu.exe" [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj
C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Task: {243B965F-836D-4F2B-A865-A8119A9548BF} - \{0D0E0A47-0B0C-0C08-0A11-7F0F0A7D110F} -> No File <==== ATTENTION
Task: {570D4969-0600-445F-88AB-624EB9C9272F} - System32\Tasks\{E8A7716C-D1FF-4F53-AA6C-B5302B7FC2EE} => pcalua.exe -a C:\PROGRA~2\SearchProtect\Main\bin\uninstall.exe -c /S <==== ATTENTION
C:\PROGRA~2\SearchProtect\
C:\ProgramData\\Lamzap
End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
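A post-fix check for the persistence points named in the fixlist above, as an added example that is not nasdaq's instructions and not FRST output. It assumes PowerShell 3.0 or later run elevated on the affected machine and an English-locale schtasks.exe; indicator values are copied from the fixlist and scan in this thread, and the three generic sweeps at the end go slightly beyond the fixlist by looking for the same patterns under any name.

```powershell
# Added example (not nasdaq's fixlist and not FRST output): re-check every
# persistence point the fixlist targeted, then sweep for the same patterns
# generically. Indicator values are copied from the thread; run elevated.

# Services the fixlist removed (S2 = auto-start; [X] = binary missing on disk).
$serviceNames = @('Efamnedwoko Updater', 'Lamzap', 'RetxiEesyu')

# Registry keys the fixlist targeted: the BHO registration, its CLSID, and the
# TaskCache entries for the two scheduled tasks.
$registryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C351CECA-6289-4B45-8491-02DE054C361C}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{C351CECA-6289-4B45-8491-02DE054C361C}',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{243B965F-836D-4F2B-A865-A8119A9548BF}',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{570D4969-0600-445F-88AB-624EB9C9272F}'
)

# Directories the fixlist moved, plus the loose files FRST listed under
# "Files in the root of some directories" (all dated 2016-05-08 in the scan).
# Presence alone proves nothing; it is reported so a persisting symptom can be
# tied to something the fix did not reach.
$filePaths = @(
    'C:\ProgramData\Lamzap',
    'C:\Program Files\Efamnedwoko',
    "${env:ProgramFiles(x86)}\SearchProtect",
    "$env:APPDATA\agent.dat",
    "$env:APPDATA\Installer.dat",
    "$env:APPDATA\Main.dat",
    "$env:APPDATA\Duoflex.tst",
    "$env:APPDATA\Inchdax.tst"
)

function Test-Indicator {
    param([string]$Kind, [string]$Value)
    $present = if ($Kind -eq 'Service') {
        [bool](Get-Service -Name $Value -ErrorAction SilentlyContinue)
    } else {
        Test-Path -LiteralPath $Value
    }
    [pscustomobject]@{ Kind = $Kind; Indicator = $Value; StillPresent = $present }
}

$results  = @()
$results += $serviceNames | ForEach-Object { Test-Indicator 'Service'  $_ }
$results += $registryKeys | ForEach-Object { Test-Indicator 'Registry' $_ }
$results += $filePaths    | ForEach-Object { Test-Indicator 'File'     $_ }

Write-Host '== Fixlist targets still present =='
$results | Where-Object { $_.StillPresent } | Format-Table -AutoSize

# Sweep 1: auto-start services whose executable is gone (what FRST marks [X]).
Write-Host '== Auto-start services with a missing binary =='
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $raw = [Environment]::ExpandEnvironmentVariables($_.PathName)
    # Keep the executable portion; anything after it is arguments.
    $exe = if ($raw -match '^"?(.+?\.exe)') { $matches[1] } else { $raw }
    if (-not (Test-Path -LiteralPath $exe)) {
        [pscustomobject]@{ Service = $_.Name; ImagePath = $raw }
    }
} | Format-Table -AutoSize

# Sweep 2: scheduled tasks that run through pcalua.exe, the compatibility
# assistant the fixlist's task used to launch the SearchProtect uninstaller.
Write-Host '== Scheduled tasks invoking pcalua.exe =='
schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'pcalua\.exe' } |
    Select-Object TaskName, 'Task To Run' | Format-Table -AutoSize

# Sweep 3: Run keys carrying an empty value name (the fixlist's "[] => [X]").
Write-Host '== Run keys with an empty value name =='
foreach ($runKey in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                      'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
    $key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains '')) {
        [pscustomobject]@{ Key = $runKey; Value = $key.GetValue('') }
    }
}
```

Anything reported under the first heading survived the fix and belongs in the next fixlist; the three sweeps catch the same mechanisms re-created under a new name.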

#5 dacheezta
  • Topic Starter

Posted 09 May 2016 - 12:37 PM

Hi nasdaq, thank you for the help.

 

Unfortunately my computer is still exhibiting the same symptoms. The same redirect page opened up immediately upon startup.

Here is the Fixlog.txt:

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:07-05-2016

Ran by Cameron (2016-05-09 13:28:38) Run:1
Running from C:\Users\Cameron\Downloads
Loaded Profiles: Cameron (Available Profiles: Cameron)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-644968830-336766481-3016761123-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: Efamnedwoko -> {C351CECA-6289-4B45-8491-02DE054C361C} -> C:\Program Files\Efamnedwoko\Mobmioo64.dll => No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Honey) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2016-05-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-08]
S2 Efamnedwoko Updater; C:\Program Files\Efamnedwoko\Agasbuo.exe [X]
S2 Lamzap; C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a
S2 RetxiEesyu; "C:\Program Files\Efamnedwoko\RetxiEesyu.exe" [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj
C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Task: {243B965F-836D-4F2B-A865-A8119A9548BF} - \{0D0E0A47-0B0C-0C08-0A11-7F0F0A7D110F} -> No File <==== ATTENTION
Task: {570D4969-0600-445F-88AB-624EB9C9272F} - System32\Tasks\{E8A7716C-D1FF-4F53-AA6C-B5302B7FC2EE} => pcalua.exe -a C:\PROGRA~2\SearchProtect\Main\bin\uninstall.exe -c /S <==== ATTENTION
C:\PROGRA~2\SearchProtect\
C:\ProgramData\\Lamzap
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found. 
HKU\S-1-5-21-644968830-336766481-3016761123-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C351CECA-6289-4B45-8491-02DE054C361C}" => key removed successfully
"HKCR\CLSID\{C351CECA-6289-4B45-8491-02DE054C361C}" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj => moved successfully
C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
Efamnedwoko Updater => service removed successfully
Lamzap => service removed successfully
RetxiEesyu => service removed successfully
catchme => service removed successfully
Synth3dVsc => service removed successfully
tsusbhub => service removed successfully
VGPU => service removed successfully
"C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj" => not found.
"C:\Users\Cameron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{243B965F-836D-4F2B-A865-A8119A9548BF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{243B965F-836D-4F2B-A865-A8119A9548BF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0D0E0A47-0B0C-0C08-0A11-7F0F0A7D110F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{570D4969-0600-445F-88AB-624EB9C9272F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{570D4969-0600-445F-88AB-624EB9C9272F}" => key removed successfully
C:\Windows\System32\Tasks\{E8A7716C-D1FF-4F53-AA6C-B5302B7FC2EE} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{E8A7716C-D1FF-4F53-AA6C-B5302B7FC2EE}" => key removed successfully
"C:\PROGRA~2\SearchProtect" => not found.
C:\ProgramData\\Lamzap => moved successfully
EmptyTemp: => 1011.6 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 13:29:09 ====

 

I followed all other instructions listed.



#6 nasdaq

  • Malware Response Team

Posted 09 May 2016 - 01:23 PM

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.

===

If the problem persists execute this.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

If the problem persists in other browsers let me know.

#7 dacheezta
  • Topic Starter

Posted 09 May 2016 - 07:35 PM

Nasdaq,

 

The nature of the problem has changed a bit. I get redirected to a different site now. It is called "igcognito chrome" or something, and it asks me to install an "extension". I of course have not clicked on the links it has sent me, but malwarebytes no longer is able to block the website. This started BEFORE I followed your instructions above.

Resetting chrome, and clearing the browser cache and cookies did not work. The problem still persists. The redirect address is the same but it now sends me to "https://www.searchincognito.com/landing/prp?implementation_id=prp1-dp-alone&ce_cid=174841725521". 

I uninstalled chrome and then waited with Internet Explorer, and the problem occurred there too.


 



#8 nasdaq

  • Malware Response Team

Posted 10 May 2016 - 07:01 AM

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below are lists of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

#9 dacheezta
  • Topic Starter

Posted 10 May 2016 - 03:42 PM

Did everything, problem still occurring.

If it means anything, the last time I ran MalwareBytes it said it couldn't start the rootkit scanning tool, and that it might be because of a rootkit.

I really have no idea what's going on.



#10 dacheezta
  • Topic Starter

Posted 10 May 2016 - 04:41 PM

Also, now the redirect sends me to a website that locks me out of my browser completely.



#11 nasdaq

  • Malware Response Team

Posted 16 May 2016 - 07:47 AM

Sorry I missed your replies.

Are you still with me?

#12 dacheezta
  • Topic Starter

Posted 16 May 2016 - 12:56 PM

Yes, I'm still here and the problem is still occurring. Still having Chrome open up right upon reboot and about every 25 minutes, trying to redirect me to a malware page. I installed an extension that blocks the redirect address and sends me straight to Google instead, but I want this thing completely off my computer.

I got SpyHunter 4 and have been running scans, and there are 2 things which it just can't seem to remove. All of the "threats" are in the registry, and when I go to try to manually delete them, it just says that a registry error occurred. I believe that this might be the problem. There are 2 PUPs, One System Care and Shopper Pro. I can provide a screenshot of the scan if you would like.



#13 dacheezta
  • Topic Starter

Posted 16 May 2016 - 01:12 PM

I'll go ahead and include the SpyHunter screenshot just in case it helps.

[SpyHunter screenshot attached]



#14 dacheezta
  • Topic Starter

Posted 16 May 2016 - 06:00 PM

Just for the sake of keeping you updated, I managed to remove all of the registry entries manually. SpyHunter now detects no threats, but the malware is still there.



#15 nasdaq

  • Malware Response Team

Posted 17 May 2016 - 07:24 AM

There are 2 PUP's, One System Care and Shopper Pro
Neither of these PUPs was seen in your logs.
Possibly the programs were removed and some registry items were not removed.

Thank you for the information.
It may help others in the future.



