Can someone take a look at my Hijack This log?



#1 deirdrebythesea
  • Members
  • 3 posts

Posted 03 September 2016 - 06:02 PM

Hi. I've happily relied on Malwarebytes, Hijack This and Bleeping Computer for years. This time however, it's not enough. Can anyone tell me what is safe to check for "Fix checked" on Hijack This, or give other advice? Googling these Hijack This line items is not bringing up anything on Google, which is such a surprise to me, and I'm stumped because I'm sure something is still not right.

 

It's not a serious problem, but my computer is slower, and unstable for some users more than others. Also Chrome is unstable even after uninstalling/reinstalling, so I'm using Mozilla Firefox.

 

Thank you for looking at this if you do!  Deirdre

 

My HiJackThis log looks like this: I've attached it and also printed it out here.

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 3:10:06 PM, on 9/3/2016
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.18427)

FIREFOX: 34.0.5 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\oases\castellano.exe
C:\Program Files\WinZip\WZUpdateNotifier.exe
C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
C:\Program Files (x86)\OSTotoSoft\DriverTalent\DriverTalent.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Users\Trip\AppData\Local\Temp\{C432CBF6-02C4-41A0-BD75-B8972683ABC9}\{7E48AFD3-F28A-4E54-99A8-9F3A4A27DBC4}\BrLogRx.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Windows\SysWOW64\Rundll32.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Program Files (x86)\Brother\BrUtilities\BrLogRx.exe
C:\Program Files (x86)\Mozilla Firefox\firefox334.exe
C:\Users\Trip\Downloads\HijackThis.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\find.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.myway.com/mapsgalaxy/ttab02/index.html?n=782B18CA&p2=^UX^xdm025^TTAB02^us&ptb=A5CD4896-56AA-4067-A222-5CABDAA0E9D5&si=539528_
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: 162.222.194.13 cocomo.tremorhub.com
O1 - Hosts: 162.222.194.13 www.virustotal.com
O1 - Hosts: 162.222.194.13 virustotal.com
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files (x86)\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [WD Drive Unlocker] C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
O4 - HKLM\..\Run: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
O4 - HKLM\..\Run: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [DriverTalent] "C:\Program Files (x86)\OSTotoSoft\DriverTalent\DriverTalent.exe" /start
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
O4 - HKLM\..\Run: [ic-0.df0a99369a0298.exe -start] C:\Users\Trip\AppData\Local\Temp\20732080\ic-0.df0a99369a0298.exe -start
O4 - HKLM\..\Run: [wharfs] "C:\Program Files (x86)\telekinetic\barbieri.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files (x86)\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [iCloudServices] "C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe"
O4 - HKCU\..\Run: [tangiers] "C:\Program Files (x86)\telekinetic\barbieri.exe"
O4 - HKCU\..\Run: [debility] "C:\Program Files (x86)\telekinetic\barbieri.exe"
O4 - HKCU\..\Run: [castellano] "C:\Program Files (x86)\oases\castellano.exe"
O4 - HKCU\..\Run: [seedbed] "C:\Program Files (x86)\telekinetic\barbieri.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [GarminExpressTrayApp] "C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [GarminExpressTrayApp] "C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe" (User 'Default user')
O4 - Global Startup: FAH.lnk = C:\Program Files\WinZip\FAHConsole.exe
O4 - Global Startup: Update Notifier.lnk = C:\Program Files\WinZip\WZUpdateNotifier.exe
O4 - Global Startup: WinZip Preloader.lnk = C:\Program Files\WinZip\WzPreloader.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call settings - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} (QBMASSyncCom1_2009.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
O16 - DPF: {788539E8-002D-4E59-9089-40B694A99C9A} (QBMASSyncCom2_2008.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96283754-FFC7-4FA8-AF82-D8B9D7A85687}: NameServer = 188.120.239.115,8.8.8.8
O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device Service - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
O23 - Service: Citdhwa - Unknown owner - C:\Users\Trip\AppData\Roaming\AzigcWig\Geeswu.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON V5 Service4(04) (EPSON_EB_RPCV4_04) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE
O23 - Service: EPSON V3 Service4(04) (EPSON_PM_RPCV4_04) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Garmin Core Update Service - Garmin Ltd or its subsidiaries - C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
O23 - Service: NVIDIA GeForce Experience Service (GfExperienceService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NETGEARGenieDaemon - NETGEAR - C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Network Service (NvNetworkService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
O23 - Service: NVIDIA Streamer Service (NvStreamSvc) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QBIDPService (QBVSS) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WD Backup (WDBackup) - Western Digital  - C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
O23 - Service: WD Drive Manager (WDDriveService) - Western Digital - C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
O23 - Service: WD Rules (WDRulesService) - Western Digital  - C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe
O23 - Service: WindowService - Unknown owner - C:\Program Files (x86)\Videodriver\WindowService.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 15804 bytes
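
The triage a responder does by eye on a log like the one above, as an added example that is not part of this thread and not HijackThis code: it parses the O1 hosts, O4 Run, O17 NameServer and O23 service lines and flags the patterns visible in this log (security sites redirected in the hosts file, an unexpected DNS resolver, an autostart from Temp, a service in AppData, one binary registered under several Run names). KNOWN_RESOLVERS and SUSPICIOUS_DIRS are assumed allow/deny lists to adjust per environment; the sample lines are copied from the log posted above.

```python
# Added example (not HijackThis code and not from this thread): per-line and
# cross-line triage heuristics for the O1/O4/O17/O23 sections of a HijackThis log.
import re
from dataclasses import dataclass

# Security vendors whose domains malware redirects in the hosts file to block its own removal.
SECURITY_DOMAINS = ("virustotal.com", "malwarebytes.com", "bleepingcomputer.com")
# Legitimate hosts-file blocklists point names at the local machine, never at a remote IP.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Resolvers the machine's owner expects (assumed allow-list; adjust per environment).
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}
# Autostarts or services launched from user-writable locations deserve a closer look.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
DNS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
RUN_RE = re.compile(r"^O4 - .*?:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the entry was flagged
    line: str     # offending log line ("" for cross-line findings)


def _executable(cmd: str) -> str:
    """Return the lower-cased executable path from a Run value or service path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path; arguments follow the closing quote
        return cmd[1:cmd.find('"', 1)].lower()
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split()[0]).lower()


def triage(log_text: str) -> list[Finding]:
    """Apply the checks to every line of a HijackThis log and return the findings."""
    findings: list[Finding] = []
    run_names: dict[str, set[str]] = {}  # executable -> Run value names that launch it
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
                findings.append(Finding("O1", f"security site {host} redirected to {ip}", line))
            elif ip not in LOCAL_ADDRESSES:
                findings.append(Finding("O1", f"{host} redirected to remote address {ip}", line))
        elif m := DNS_RE.match(line):
            for server in (s.strip() for s in m.group(1).split(",")):
                if server not in KNOWN_RESOLVERS:
                    findings.append(Finding("O17", f"unexpected DNS resolver {server}", line))
        elif m := RUN_RE.match(line):
            exe = _executable(m.group("cmd"))
            run_names.setdefault(exe, set()).add(m.group("name"))
            if any(d in exe for d in SUSPICIOUS_DIRS):
                findings.append(Finding("O4", f"autostart from user-writable path {exe}", line))
        elif m := SVC_RE.match(line):
            path = m.group("path")
            exe = _executable(path.replace("(file missing)", ""))
            # HijackThis is a 32-bit tool; on 64-bit Windows it reports many genuine system
            # services as "(file missing)", so missing files under C:\Windows are not flagged.
            odd_location = any(d in exe for d in SUSPICIOUS_DIRS)
            missing_elsewhere = "(file missing)" in path and not exe.startswith("c:\\windows\\")
            if m.group("owner") == "Unknown owner" and (odd_location or missing_elsewhere):
                findings.append(Finding("O23", f"unknown-owner service {m.group('name')} at {exe}", line))
    # One binary registered under several random Run value names is a persistence
    # pattern (see barbieri.exe in the log above), not something an installer does.
    for exe, names in run_names.items():
        if len(names) > 1:
            findings.append(Finding("O4", f"{exe} registered under {len(names)} Run names {sorted(names)}", ""))
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 162.222.194.13 cocomo.tremorhub.com
O1 - Hosts: 162.222.194.13 www.virustotal.com
O1 - Hosts: 162.222.194.13 virustotal.com
O4 - HKLM\..\Run: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
O4 - HKLM\..\Run: [ic-0.df0a99369a0298.exe -start] C:\Users\Trip\AppData\Local\Temp\20732080\ic-0.df0a99369a0298.exe -start
O4 - HKLM\..\Run: [wharfs] "C:\Program Files (x86)\telekinetic\barbieri.exe"
O4 - HKCU\..\Run: [tangiers] "C:\Program Files (x86)\telekinetic\barbieri.exe"
O4 - HKCU\..\Run: [debility] "C:\Program Files (x86)\telekinetic\barbieri.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{96283754-FFC7-4FA8-AF82-D8B9D7A85687}: NameServer = 188.120.239.115,8.8.8.8
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Citdhwa - Unknown owner - C:\Users\Trip\AppData\Roaming\AzigcWig\Geeswu.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```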

#2 nasdaq
  • Malware Response Team
  • 38,935 posts
  • Location:Montreal, QC. Canada

Posted 04 September 2016 - 09:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs.

Let me know what problems persist.

==

p.s.
HijackThis is no longer supported.
I suggest you remove it via the Control Panel > Programs > Programs and Features applet.
Use the Farbar tool from now on to report problems.
<<<>>>

#3 deirdrebythesea
  • Topic Starter

Posted 04 September 2016 - 12:02 PM

Okay I think everything looks better.

Thank you!

Deirdre :)


#4 nasdaq
  • Malware Response Team

Posted 04 September 2016 - 01:23 PM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Program Files (x86)\oases\castellano.exe
() C:\Program Files (x86)\telekinetic\barbieri.exe
HKLM\...\Run: [fff] => C:\Program Files (x86)\telekinetic\barbieri.exe [194048 2016-08-28] ()
HKLM-x32\...\Run: [wharfs] => C:\Program Files (x86)\telekinetic\barbieri.exe [194048 2016-08-28] ()
HKU\S-1-5-21-296952795-3116253940-3791473323-1004\...\Run: [tangiers] => C:\Program Files (x86)\telekinetic\barbieri.exe [194048 2016-08-28] ()
HKU\S-1-5-21-296952795-3116253940-3791473323-1004\...\Run: [debility] => C:\Program Files (x86)\telekinetic\barbieri.exe [194048 2016-08-28] ()
HKU\S-1-5-21-296952795-3116253940-3791473323-1004\...\Run: [castellano] => C:\Program Files (x86)\oases\castellano.exe [36774 2016-08-28] ()
HKU\S-1-5-21-296952795-3116253940-3791473323-1004\...\Run: [seedbed] => C:\Program Files (x86)\telekinetic\barbieri.exe [194048 2016-08-28] ()
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-296952795-3116253940-3791473323-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-296952795-3116253940-3791473323-1004\Software\Microsoft\Internet Explorer\Main,Start Page =
SearchScopes: HKU\S-1-5-21-296952795-3116253940-3791473323-1004 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-296952795-3116253940-3791473323-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM-x32\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn => not found
S2 Citdhwa; "C:\Users\Trip\AppData\Roaming\AzigcWig\Geeswu.exe" -cms [X]
U3 DifkuCiabf; no ImagePath
Task: {08BB9A4C-DA55-47FF-9428-76B7054DD321} - \{7E05C791-9A09-45EE-80D9-39BD2A1BF5C1} -> No File <==== ATTENTION
Task: {12DF3075-C472-4220-A195-B9B6A30FC9D4} - \FacebookUpdateTaskUserS-1-5-21-296952795-3116253940-3791473323-1001Core -> No File <==== ATTENTION
Task: {18397C65-9CF4-4D48-946E-C54958DB4C7E} - \Amazon Music Helper -> No File <==== ATTENTION
Task: {1A23F044-F00E-4C22-B6A6-243D402CF76A} - System32\Tasks\50973550481d5b1fba2cd28bdffa56cf => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File C:\Windows\50973550481d5b1fba2cd28bdffa56cf.ps1 <==== ATTENTION
Task: {29F13E64-CB38-4C32-AFB4-65966C5FB34D} - System32\Tasks\Da3448123934481239 => C:\Program Files (x86)\telekinetic\barbieri.exe [2016-08-28] ()
Task: {4065AC77-ADD6-4307-A378-92AE8CE6C4FA} - \{5DC1971D-1451-4688-A2E4-55020B934E81} -> No File <==== ATTENTION
Task: {4B569D97-4081-4456-AEEB-BF8FE0BABA87} - \AdobeAAMUpdater-1.0-Deirdre-PC-Deirdre -> No File <==== ATTENTION
Task: {4EFD3650-6966-411C-89AA-609725B98937} - \GoogleUpdateTaskUserS-1-5-21-296952795-3116253940-3791473323-1001Core -> No File <==== ATTENTION
Task: {58F23BC8-2C85-4C13-A43E-C6B620CDB5B1} - \{EADDC295-DC84-496D-9740-250155F6316A} -> No File <==== ATTENTION
Task: {861FF78F-2FF3-43C9-8466-515197D6F9DA} - \FacebookUpdateTaskUserS-1-5-21-296952795-3116253940-3791473323-1001UA -> No File <==== ATTENTION
Task: {93021EF0-EF9F-41CC-996D-91B55FD9C3E6} - \{2023A3F8-CEC7-4BE1-A067-16B924246295} -> No File <==== ATTENTION
Task: {9CF6D254-0AE0-491B-8741-D3F3E772CDC4} - System32\Tasks\34481239 => C:\Program Files (x86)\telekinetic\barbieri.exe [2016-08-28] () <==== ATTENTION
Task: {9E8FE199-8F20-4188-A01E-672A1203ABF9} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {A43DA509-55CF-4227-94DC-0A6A701C724A} - \{50EA2B96-4D20-4864-B09B-055C80C4DA8B} -> No File <==== ATTENTION
Task: {A7DEEED4-B71F-45B8-8569-AB2ACEC8AE76} - \{2BDBF36B-2BEB-464C-8595-3B878340652F} -> No File <==== ATTENTION
Task: {B5E8AE3C-AFD4-4D0D-81C2-1E651498865D} - \GoogleUpdateTaskUserS-1-5-21-296952795-3116253940-3791473323-1001UA1d043543dc11be0 -> No File <==== ATTENTION
Task: {CFE0AB97-B3C0-4CF0-B646-9DD9EA2E8FBE} - \GarminUpdaterTask -> No File <==== ATTENTION
Task: {D8154697-1A62-4034-A99D-BDCE4DEA2D7A} - \{31B91761-2E34-473F-A332-A4EE11E8204A} -> No File <==== ATTENTION
Task: {E021150A-C934-47B6-9955-60A5007A1F6A} - \{D1671C7D-8680-4355-AB6C-CF2ED2BFC81D} -> No File <==== ATTENTION
Task: {E70BD75F-5329-496B-AD91-AF39278A04DC} - \{4C5F3DD1-6F46-47AA-B168-5C12CFEE0F49} -> No File <==== ATTENTION
Task: {E82D551D-2493-4CDC-BDFD-3897DAE41764} - \GoogleUpdateTaskUserS-1-5-21-296952795-3116253940-3791473323-1001UA -> No File <==== ATTENTION
Task: {EE02073E-E111-40FB-AD54-86560D1943AC} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {F89964FF-B99D-4787-BC06-EFE3411986D2} - \{C57EA056-6D9F-4A45-9C8D-88C37460E349} -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Trip\Desktop\Random Assortment of Junk\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe () -> hxxp://www-searching.com/?prd=set_epf&s=g8szftptn095001bu,f9f8aa76-28ea-4bd4-b5aa-474fcd11ccf1,
ShortcutWithArgument: C:\Users\Trip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dsearching.com/?prd=set_epf&s=g8szftptn095001bu,f9f8aa76-28ea-4bd4-b5aa-474fcd11ccf1,
ShortcutWithArgument: C:\Users\Trip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dsearching.com/?prd=set_epf&s=g8szftptn095001bu,f9f8aa76-28ea-4bd4-b5aa-474fcd11ccf1,
ShortcutWithArgument: C:\Users\Trip\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe () -> hxxp://www-searching.com/?prd=set_epf&s=g8szftptn095001bu,f9f8aa76-28ea-4bd4-b5aa-474fcd11ccf1,
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe () -> hxxp://www-searching.com/?prd=set_epf&s=g8szftptn095001bu,f9f8aa76-28ea-4bd4-b5aa-474fcd11ccf1,
2016-08-28 15:51 - 2016-08-28 15:51 - 00036774 _____ () C:\Program Files (x86)\oases\castellano.exe
2016-08-28 15:51 - 2016-08-28 15:51 - 00194048 _____ () C:\Program Files (x86)\telekinetic\barbieri.exe
2016-08-28 15:51 - 2016-08-28 15:51 - 00313856 _____ () C:\Program Files (x86)\telekinetic\settings.dll
2016-09-04 09:21 - 2016-09-04 09:21 - 00004608 _____ () C:\Users\Trip\AppData\Local\Temp\nsqF528.tmp\ExecCmd.dll
FirewallRules: [{6D0AB6D5-63CD-4F00-A91D-36A70D08BBCC}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{B99FC4D7-1258-43A6-A08B-9227B5425C48}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{A010E380-D158-40C2-AD43-3CB8904977D7}] => (Allow) C:\Users\Trip\AppData\Local\ddnowyes.exe
FirewallRules: [{73815D64-D9EC-4F1D-B872-657D942BE453}] => (Allow) C:\Users\Trip\AppData\Local\Temp\installer1.exe
FirewallRules: [{BEC34479-C526-4B33-B8C5-3A4B55746E14}] => (Allow) C:\Users\Trip\AppData\Local\13229014.exe
FirewallRules: [{8C9DC8A5-10C8-4FD5-B812-87CE853F3EF2}] => (Allow) C:\Users\Trip\AppData\Local\tinstall.exe
FirewallRules: [{05977888-7C42-436B-846A-679E99386792}] => (Allow) C:\Program Files (x86)\telekinetic\barbieri.exe
C:\Program Files (x86)\oases
C:\Program Files (x86)\telekinetic
C:\Users\Trip\AppData\Local\Temp\nsqF528.tmp
C:\Users\Trip\AppData\Local\Temp\installer1.exe
C:\Users\Trip\AppData\Local\13229014.exe
C:\Users\Trip\AppData\Local\tinstall.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your Firefox browser was compromised.
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox334.exe

Remove Firefox using the instructions on this page.
https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer

Before proceeding save your Bookmarks.
https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Install the latest version of the application.

You can then import them to the new version of Firefox.

Firefox Password manager -
Remember, delete and change saved passwords in Firefox
https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-passwords
<<<>>>

Please post the Fixlog and let me know what problem persists with this computer.

#5 nasdaq
  • Malware Response Team

Posted 10 September 2016 - 07:51 AM

Are you still with me?

#6 deirdrebythesea
  • Topic Starter

Posted 10 September 2016 - 04:18 PM

Yes, thank you. I was away from my computer for a few days.

I just ran the latest script and uninstalled firefox

 

I have great hopes this is it :)


#7 nasdaq
  • Malware Response Team

Posted 11 September 2016 - 07:28 AM

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#8 nasdaq
  • Malware Response Team

Posted 17 September 2016 - 08:36 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
