
Hijacked Browsers (Firefox, Explorer)


14 replies to this topic

#1 AMS_70

Posted 19 October 2016 - 11:11 PM

Hello, facing a hijacked browsers infection here:

 

Firefox and Explorer are launched, or new windows pop up with links to various sites, such as videostalking.com, miss18live, etc.

 

Problem started when spouse sheepishly downloaded some "free" course preparation software. Failed to resolve with various anti-virus scans: Malwarebytes, Hitman, JRT, TDSS, etc.

 

Thank you for any help.

 

FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-10-2016
Ran by ANTON (administrator) on ACER (19-10-2016 23:42:28)
Running from C:\Users\ANTON\Desktop\Downloads
Loaded Profiles: ANTON (Available Profiles: ANTON)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Samsung) C:\Program Files\Samsung\AllShare Framework DMS\1.3.23\AllShareFrameworkManagerDMS.exe
(Samsung) C:\Program Files\Samsung\AllShare Framework DMS\1.3.23\AllShareFrameworkDMS.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
(Copyright 2013 SAMSUNG) C:\Program Files\Samsung\Samsung Link\Samsung Link.exe
(Copyright 2013 SAMSUNG) C:\Program Files\Samsung\Samsung Link\Samsung Link.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Windows\PLFSetI.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
(Copyright 2013 SAMSUNG) C:\Program Files\Samsung\Samsung Link\Samsung Link Tray Agent.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Safer Networking Limited) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Hidfind.exe
(Google Inc.) C:\Users\ANTON\AppData\Local\Google\Update\GoogleUpdate.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApntEx.exe
(Dropbox, Inc.) C:\Users\ANTON\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
(pepsmich) C:\Users\Default\AppData\Roaming\Microsoft\Windows\Curl\curl.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [mwlDaemon] => C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-02-01] (Egis Technology Inc.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060832 2010-02-08] (Realtek Semiconductor)
HKLM\...\Run: [PLFSetI] => C:\Windows\PLFSetI.exe [206208 2010-01-13] ()
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [344872 2010-03-09] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [860704 2010-03-17] (Acer Incorporated)
HKLM\...\Run: [Samsung Link] => C:\Program Files\Samsung\Samsung Link\Samsung Link Tray Agent.exe [600928 2014-03-13] (Copyright 2013 SAMSUNG)
HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-08] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [SuiteTray] => C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-02-01] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1300560 2010-03-04] (Dritek System Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395616 2014-09-03] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153952 2014-09-03] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [curl] => C:\Users\Default\AppData\Roaming\Microsoft\Windows\Curl\curl.exe [10240 2016-08-20] (pepsmich)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2631120 2016-07-28] (Malwarebytes Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\igfxcui: 
HKLM\...\Policies\Explorer: [UseDefaultTile] 0
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-04-15] (Google Inc.)
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23375200 2016-07-29] (Google)
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Run: [Google Update] => C:\Users\ANTON\AppData\Local\Google\Update\GoogleUpdate.exe [107848 2015-04-11] (Google Inc.)
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Run: [Dropbox Update] => C:\Users\ANTON\AppData\Local\Dropbox\Update\DropboxUpdate.exe [134512 2015-06-23] (Dropbox, Inc.)
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Run: [001d46a7] => C:\Users\ANTON\AppData\Local\Temp\world-super-ext.exe <===== ATTENTION
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4272840 2014-03-31] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-03-26] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll [2010-02-01] (Egis Technology Inc.)
ShellIconOverlayIdentifiers-x32: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\EgisTec MyWinLocker\x86\psdprotect.dll [2010-02-01] (Egis Technology Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2014-11-27]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2016-10-14]
ShortcutTarget: Dropbox.lnk -> C:\Users\ANTON\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424 2013-09-07] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{081085BF-8D4B-4805-8376-4A5FD41A483E}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{69549B1B-992A-4D88-8732-EA9C378F0FFC}: [DhcpNameServer] 75.75.75.75 75.75.76.76
ManualProxies: 
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://remote.jfkhealth.org/+CSCOE+/logon.html
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_enUS419US419
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-27] (Google Inc.)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll [2014-04-09] (McAfee, Inc.)
BHO-x32: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll [2009-01-26] (Safer Networking Limited)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-10-17] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-27] (Google Inc.)
BHO-x32: Skype Plug-In -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-02-11] (Skype Technologies S.A.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-10-17] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-27] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-27] (Google Inc.)
Toolbar: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-27] (Google Inc.)
DPF: HKLM {AA570693-00E2-4907-B6F1-60A1199B030C} hxxps://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
DPF: HKLM-x32 {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} hxxps://remote.jfkhealth.org/+CSCOL+/relayp.cab
DPF: HKLM-x32 {C345E174-3E87-4F41-A01C-B066A90A49B4} hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://vpn.numc.edu/dana-cached/sc/JuniperSetupClient.cab
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-02-11] (Skype Technologies S.A.)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)
 
FireFox:
========
FF ProfilePath: C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930 [2016-10-19]
FF Extension: (NoScript) - C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-10-18]
FF ProfilePath: C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default [2014-05-22]
FF Extension: (Skype extension) - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} [2016-09-21] [not signed]
FF HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: (McAfee Security Scan Plus) - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_185.dll [2016-10-11] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_185.dll [2016-10-11] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-02-20] ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2014-09-03] (Citrix Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-10-17] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-10-17] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-01-20] (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2012-10-12] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF Plugin-x32: samsung.com/SamsungLinkPCPlugin -> C:\Program Files\Samsung\Samsung Link\utils\npSamsungLinkPCPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-1970154587-1612378100-1195232074-1001: @ringcentral.com/RingCentralMeetingsPlugin -> C:\Users\ANTON\AppData\Roaming\RingCentralMeetings\bin\nprcmsplugin.dll [2016-02-19] (Zoom Video Communications, Inc. and RingCentral Inc.)
FF Plugin HKU\S-1-5-21-1970154587-1612378100-1195232074-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\ANTON\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-1970154587-1612378100-1195232074-1001: @talk.google.com/O1DPlugin -> C:\Users\ANTON\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-1970154587-1612378100-1195232074-1001: @tools.google.com/Google Update;version=3 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-1970154587-1612378100-1195232074-1001: @tools.google.com/Google Update;version=9 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-1970154587-1612378100-1195232074-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\ANTON\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2012-12-07] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-1970154587-1612378100-1195232074-1001: SkypePlugin -> C:\Users\ANTON\AppData\Local\SkypePlugin\7.25.0.32\npGatewayNpapi.dll [2016-09-01] (Skype Technologies S.A.)
FF Plugin HKU\S-1-5-21-1970154587-1612378100-1195232074-1001: SkypePlugin64 -> C:\Users\ANTON\AppData\Local\SkypePlugin\7.25.0.32\npGatewayNpapi-x64.dll [2016-09-01] (Skype Technologies S.A.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\ANTON\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\ANTON\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://start.msn.iplay.com/?o=shp
CHR StartupUrls: Default -> "hxxp://start.mysearchdial.com/?f=1&a=dsites_14_13_ff&cd=2XzuyEtN2Y1L1QzuyDyEtDyE0AyC0EtAyBtC0AtC0Ezy0AyCtN0D0Tzu0SzztCyDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyC0CtCzz0B0B0EtGtByBzy0CtGzytBtAyCtGtCtAyD0CtGyCtA0B0Ezzzyzy0C0C0DtB0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDyCtCtCtA0AyDyBtGyEyCyDyCtGtDtAtCtCtGtDtAyEyCtGtBtA0B0DtC0DtByDzy0D0DtC2Q&cr=167113048&ir=","hxxp://www.google.com/"
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll => No File
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Microsoft® Windows Media Player Firefox Plugin) - C:\Program Files (x86)\Mozilla Firefox\plugins\np-mswmp.dll (Microsoft Corporation)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Picasa) - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll => No File
CHR Profile: C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default [2016-10-19]
CHR Extension: (Google Drive) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-06]
CHR Extension: (Google Docs Offline) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-25]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2016-05-25]
CHR Extension: (Poppit!) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-11-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-06]
CHR Extension: (Fast search) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbdpajcdgknpendpmecafmopknefafha [2016-09-27]
CHR Extension: (Chrome Media Router) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-19]
CHR Extension: (Default Extension) - C:\Users\ANTON\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fahfcddejagamippohogfbojgekjebgk [2016-03-16]
CHR HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\ANTON\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2014-03-23]
CHR HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AllShare Framework DMS; C:\Program Files\Samsung\AllShare Framework DMS\1.3.23\AllShareFrameworkManagerDMS.exe [404360 2013-12-21] (Samsung) [File not signed]
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135496 2016-10-01] (SurfRight B.V.)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [750032 2016-07-28] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)
R2 NTI IScheduleSvc; C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [250368 2010-03-08] (NewTech Infosystems, Inc.) [File not signed]
R2 Samsung Link Service; C:\Program Files\Samsung\Samsung Link\Samsung Link.exe [609632 2014-03-13] (Copyright 2013 SAMSUNG)
S2 SoftShieldService; C:\Program Files (x86)\ExamSoft\SofTest 11.0\Examsoft.ShieldRunner.exe [33152 2012-06-20] (Hewlett-Packard)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [75360 2016-08-04] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-10-19] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
S3 sscdserd; C:\Windows\System32\DRIVERS\sscdserd.sys [141384 2010-11-11] (MCCI Corporation)
S3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [16896 2007-07-23] (LG Electronics Inc.)
S3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [27136 2007-07-23] (LG Electronics Inc.)
S3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [29696 2007-07-23] (LG Electronics Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-10-19 23:41 - 2016-10-19 23:42 - 00000000 ____D C:\FRST
2016-10-19 23:18 - 2016-10-19 23:24 - 00967518 _____ C:\TDSSKiller.3.1.0.11_19.10.2016_23.18.00_log.txt
2016-10-19 23:12 - 2016-10-19 23:14 - 00215898 _____ C:\TDSSKiller.3.1.0.11_19.10.2016_23.12.32_log.txt
2016-10-19 23:12 - 2016-10-19 23:12 - 00001888 _____ C:\TDSSKiller.2.6.25.0_19.10.2016_23.12.05_log.txt
2016-10-19 23:01 - 2016-10-19 23:01 - 00089030 _____ C:\Users\ANTON\Desktop\bookmarks.html
2016-10-18 21:08 - 2016-10-18 21:08 - 00000000 ____D C:\Windows\System32\Tasks\Apple
2016-10-18 21:08 - 2016-10-18 21:08 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2016-10-18 20:58 - 2016-10-18 20:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2016-10-18 20:57 - 2016-10-18 20:58 - 00000000 ____D C:\Program Files (x86)\QuickTime
2016-10-18 19:19 - 2016-10-18 19:19 - 00001329 _____ C:\Users\ANTON\Desktop\notepad.lnk
2016-10-18 19:01 - 2016-10-18 19:01 - 00003187 _____ C:\Users\ANTON\Desktop\JRT.txt
2016-10-18 00:51 - 2016-10-18 19:22 - 00002642 _____ C:\Users\ANTON\Desktop\Rkill.txt
2016-10-18 00:14 - 2016-10-18 00:35 - 00000000 ____D C:\EEK
2016-10-17 23:19 - 2016-10-17 23:19 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2016-10-17 21:13 - 2016-10-17 21:18 - 00216158 _____ C:\TDSSKiller.3.1.0.11_17.10.2016_21.13.43_log.txt
2016-10-17 21:13 - 2016-10-17 21:13 - 00000348 _____ C:\TDSSKiller.2.6.25.0_17.10.2016_21.13.17_log.txt
2016-10-14 22:24 - 2016-10-14 22:26 - 00008314 _____ C:\Users\ANTON\Desktop\Certificate NIHSS.htm
2016-10-14 22:24 - 2016-10-14 22:24 - 00000000 ____D C:\Users\ANTON\Desktop\Certificate NIHSS_files
2016-10-14 20:50 - 2016-10-14 20:50 - 00000000 ____D C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-10-13 23:31 - 2016-10-13 23:41 - 00197462 _____ C:\Users\ANTON\Desktop\oct-november-dec call schedule 10-7-2016.pdf
2016-10-13 23:29 - 2016-10-13 23:28 - 00204763 _____ C:\Users\ANTON\Desktop\year schedule updated 10-12-16.pdf
2016-10-13 23:00 - 2016-10-13 23:03 - 00216580 _____ C:\TDSSKiller.3.1.0.11_13.10.2016_23.00.04_log.txt
2016-10-13 22:59 - 2016-10-13 22:59 - 00000348 _____ C:\TDSSKiller.2.6.25.0_13.10.2016_22.59.23_log.txt
2016-10-12 20:05 - 2016-10-12 20:05 - 00000000 _____ C:\TOSTACK
2016-10-12 20:01 - 2016-10-13 01:39 - 00000000 ____D C:\Users\ANTON\AppData\Local\GeoLocator
2016-10-02 10:39 - 2016-10-02 10:39 - 00105743 _____ C:\Users\ANTON\Desktop\SCHEDULE 2016-2017.xlsx
2016-10-02 09:41 - 2016-10-02 09:42 - 00215772 _____ C:\TDSSKiller.3.1.0.11_02.10.2016_09.41.12_log.txt
2016-10-02 09:40 - 2016-10-02 09:40 - 00000348 _____ C:\TDSSKiller.2.6.25.0_02.10.2016_09.40.28_log.txt
2016-10-02 01:07 - 2016-10-17 21:33 - 00000000 ____D C:\Users\ANTON\Desktop\Old Firefox Data
2016-10-02 01:00 - 2016-10-17 23:03 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-10-02 00:20 - 2016-10-02 00:58 - 00001038 _____ C:\Windows\system32\.crusader
2016-10-01 23:40 - 2016-10-13 01:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2016-10-01 23:40 - 2016-10-13 01:21 - 00000000 ____D C:\Program Files\HitmanPro
2016-10-01 23:40 - 2016-10-01 23:40 - 00001901 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2016-10-01 23:34 - 2016-10-17 22:59 - 00000000 ____D C:\AdwCleaner
2016-10-01 22:31 - 2016-10-14 20:45 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2016-10-01 22:31 - 2016-10-01 22:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2016-10-01 22:30 - 2016-10-01 22:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Exploit
2016-09-28 21:47 - 2016-09-28 21:47 - 00896496 _____ C:\Windows\Minidump\092816-23150-01.dmp
2016-09-27 22:12 - 2016-09-27 22:12 - 00000000 ____D C:\Users\ANTON\Desktop\Passp Foto
2016-09-27 19:30 - 2016-09-27 19:30 - 00000000 ____D C:\Users\ANTON\AppData\Local\UCBrowser
2016-09-27 19:17 - 2016-09-27 19:17 - 00000000 ____D C:\Users\ANTON\AppData\Local\Tempfolder
2016-09-27 19:10 - 2016-09-27 19:10 - 00000000 ____D C:\Windows\Azart
2016-09-27 11:18 - 2016-10-18 00:35 - 00000000 ____D C:\Users\Default\Act
2016-09-27 11:18 - 2016-09-27 11:18 - 00001437 ___RS C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхplоrer.lnk
2016-09-27 11:18 - 2016-09-27 11:18 - 00001169 ___RS C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gоoglе Chrоme.lnk
2016-09-27 11:18 - 2016-09-27 11:18 - 00000000 ____D C:\Users\Default\Documents\SmartScreen
2016-09-27 11:18 - 2016-09-27 11:18 - 00000000 ____D C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol
2016-09-27 11:18 - 2016-09-27 11:18 - 00000000 ____D C:\Users\Default\AppData\Local\AutoUpdate
2016-09-27 11:18 - 2016-09-27 11:18 - 00000000 ____D C:\Users\Default User\Documents\SmartScreen
2016-09-27 11:18 - 2016-09-27 11:18 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClientProtocol
2016-09-27 11:18 - 2016-09-27 11:18 - 00000000 ____D C:\Users\Default User\AppData\Local\AutoUpdate
2016-09-25 12:14 - 2016-09-25 12:14 - 00278096 _____ C:\Windows\Minidump\092516-31465-01.dmp
2016-09-21 00:10 - 2016-10-19 23:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-09-20 06:44 - 2016-09-20 06:44 - 00278096 _____ C:\Windows\Minidump\092016-105207-01.dmp
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-10-19 23:34 - 2015-06-23 22:23 - 00000918 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1970154587-1612378100-1195232074-1001UA.job
2016-10-19 23:28 - 2009-07-14 00:45 - 00017600 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-10-19 23:28 - 2009-07-14 00:45 - 00017600 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-10-19 23:26 - 2011-02-14 20:22 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-10-19 23:22 - 2013-04-11 19:58 - 00000000 ___RD C:\Users\ANTON\Dropbox
2016-10-19 23:21 - 2014-07-05 09:17 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-10-19 23:20 - 2014-03-23 15:06 - 00000000 ___RD C:\Users\ANTON\Google Drive
2016-10-19 23:16 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-10-19 23:15 - 2015-04-11 11:35 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1970154587-1612378100-1195232074-1001UA.job
2016-10-19 23:15 - 2015-04-11 11:35 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1970154587-1612378100-1195232074-1001Core.job
2016-10-19 23:11 - 2013-01-12 18:56 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-10-19 20:03 - 2015-06-23 22:22 - 00000866 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1970154587-1612378100-1195232074-1001Core.job
2016-10-18 21:08 - 2011-04-09 15:04 - 00002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-10-17 22:59 - 2011-02-14 19:44 - 00000000 ____D C:\Users\ANTON
2016-10-17 21:29 - 2014-07-01 06:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-10-17 21:29 - 2012-10-04 20:57 - 00000000 ____D C:\Program Files (x86)\Java
2016-10-17 21:27 - 2015-11-22 11:04 - 00000000 ____D C:\Users\ANTON\.oracle_jre_usage
2016-10-17 21:26 - 2014-08-23 10:44 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-10-17 20:33 - 2011-03-12 23:33 - 00000000 ____D C:\Users\ANTON\AppData\Roaming\Skype
2016-10-14 20:58 - 2011-03-12 23:34 - 00002189 ____H C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-10-14 20:50 - 2013-04-11 19:54 - 00000000 ____D C:\Users\ANTON\AppData\Roaming\Dropbox
2016-10-13 22:45 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PLA
2016-10-13 02:19 - 2012-01-04 18:42 - 00000000 ____D C:\Windows\ERDNT
2016-10-13 01:21 - 2014-11-17 17:04 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2016-10-13 01:21 - 2012-01-04 14:27 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-10-13 01:21 - 2011-05-11 00:47 - 00000000 ____D C:\Users\ANTON\AppData\Roaming\SoftGrid Client
2016-10-13 01:21 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2016-10-13 01:21 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
2016-10-11 20:11 - 2013-01-12 18:56 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-10-11 20:11 - 2012-12-13 00:26 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-10-11 20:11 - 2012-12-13 00:26 - 00000000 ____D C:\Windows\system32\Macromed
2016-10-11 20:11 - 2011-12-14 23:05 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-10-11 20:11 - 2010-04-15 02:09 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-10-02 00:52 - 2011-11-15 17:13 - 00616578 _____ C:\Windows\ntbtlog.txt
2016-10-01 18:44 - 2010-07-29 18:25 - 00000000 ____D C:\BOOK
2016-10-01 15:17 - 2011-03-12 23:33 - 00000000 ____D C:\ProgramData\Skype
2016-10-01 09:46 - 2012-12-30 13:03 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2016-10-01 09:45 - 2015-07-28 20:33 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-10-01 09:38 - 2015-06-23 22:22 - 00000000 ____D C:\Users\ANTON\AppData\Local\Dropbox
2016-09-28 22:03 - 2012-01-04 15:38 - 00000000 ____D C:\ProgramData\HitmanPro
2016-09-28 21:47 - 2016-01-16 11:09 - 343211809 _____ C:\Windows\MEMORY.DMP
2016-09-28 21:47 - 2016-01-16 11:09 - 00000000 ____D C:\Windows\Minidump
2016-09-27 22:14 - 2013-11-14 09:40 - 00000000 ____D C:\Users\ANTON\Desktop\Broken flash copy
2016-09-27 22:12 - 2015-11-15 19:28 - 00000000 ____D C:\Users\ANTON\Desktop\Case Reports
2016-09-27 21:56 - 2009-03-12 05:30 - 00000000 ____D C:\Windows\LP
2016-09-27 20:22 - 2012-01-04 18:41 - 00000000 ____D C:\Qoobox
2016-09-25 12:20 - 2011-03-12 23:33 - 00000000 ___RD C:\Program Files (x86)\Skype
 
==================== Files in the root of some directories =======
 
2011-05-12 12:26 - 2011-05-12 12:26 - 0000000 _____ () C:\Users\ANTON\AppData\Roaming\wklnhst.dat
2012-07-15 00:25 - 2012-07-15 00:25 - 0004608 _____ () C:\Users\ANTON\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-12-07 18:17 - 2011-12-07 19:39 - 0011562 ___SH () C:\Users\ANTON\AppData\Local\f7n6beithc3553o8ae7ie4l1neo
2011-08-12 12:13 - 2012-07-20 14:03 - 0000018 _____ () C:\Users\ANTON\AppData\Local\msesbucf.txt
2011-03-12 23:43 - 2011-03-12 23:43 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2011-12-07 18:17 - 2011-12-07 19:39 - 0011562 ___SH () C:\ProgramData\f7n6beithc3553o8ae7ie4l1neo
2012-07-20 13:56 - 2012-07-20 14:03 - 0000034 _____ () C:\ProgramData\msrecovery.cfc
 
Some files in TEMP:
====================
C:\Users\ANTON\AppData\Local\Temp\d8e70d3e-6077-464a-b1b0-e4bf1da120e9.exe
C:\Users\ANTON\AppData\Local\Temp\f46edfeb-241c-473d-b1c2-f10ace77264c.exe
C:\Users\ANTON\AppData\Local\Temp\libeay32.dll
C:\Users\ANTON\AppData\Local\Temp\msvcr120.dll
C:\Users\ANTON\AppData\Local\Temp\Relay.dll
C:\Users\ANTON\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-08-11 14:39
 
==================== End of FRST.txt ============================

#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 October 2016 - 01:38 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: netsh winsock reset catalog

HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Run: [001d46a7] => C:\Users\ANTON\AppData\Local\Temp\world-super-ext.exe <===== ATTENTION
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424 2013-09-07] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: samsung.com/SamsungLinkPCPlugin -> C:\Program Files\Samsung\Samsung Link\utils\npSamsungLinkPCPlugin.dll [No File]
CHR HomePage: Default -> hxxp://start.msn.iplay.com/?o=shp
CHR StartupUrls: Default -> "hxxp://start.mysearchdial.com/?f=1&a=dsites_14_13_ff&cd=2XzuyEtN2Y1L1QzuyDyEtDyE0AyC0EtAyBtC0AtC0Ezy0AyCtN0D0Tzu0SzztCyDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyC0CtCzz0B0B0EtGtByBzy0CtGzytBtAyCtGtCtAyD0CtGyCtA0B0Ezzzyzy0C0C0DtB0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDyCtCtCtA0AyDyBtGyEyCyDyCtGtDtAtCtCtGtDtAyEyCtGtBtA0B0DtC0DtByDzy0D0DtC2Q&cr=167113048&ir=","hxxp://www.google.com/"
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll => No File
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll => No File
CHR Extension: (Poppit!) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-11-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-06]
CHR Extension: (Chrome Media Router) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-19]
CHR Extension: (Default Extension) - C:\Users\ANTON\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fahfcddejagamippohogfbojgekjebgk [2016-03-16]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Shortcut: C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t E?pl?rer.lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rn?t ??pl?rer (No Add-?ns).lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\ANTON\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G?ogl? Chrom?.lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\ANTON\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Internet E?pl?r?r ?r?ws?r.lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G?ogl? Chr?me.lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --disable-quic
AlternateDataStreams: C:\Users\ANTON\Desktop\Anton-passport zayavlenie.jpg:3or4kl4x13tuuug3Byamue2s4b [83]
AlternateDataStreams: C:\Users\ANTON\Desktop\Anton-passport zayavlenie.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
C:\Users\ANTON\AppData\Local\Temp\world-super-ext.exe
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
C:\Users\ANTON\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fahfcddejagamippohogfbojgekjebgk

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Adobe AIR is out-of-date and vulnerable.

https://get.adobe.com/air/

Go to Start > Control Panel > Programs and Features and uninstall the old version(s) if present.
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
===

Your version(s) of Adobe Flash are out-of-date and vulnerable.
Go to Start > Control Panel > Programs and Features and uninstall the following programs:
Adobe Flash Player 10 ActiveX

Go to this page with Firefox to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
----

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
===

This program is no longer supported. Remove it via the Control panel as well.
HiJackThis (HKLM-x32\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)

===

Please post the Fixlog.txt and let me know what problem persists.
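
A small triage helper for the kind of entries nasdaq's fixlist targets, as an added example that is not part of this thread and not code from the FRST tool: it reads FRST-style log lines and flags Run values launching an executable from %TEMP%, shortcut display names that mix Latin and Cyrillic letters (the "Cyrillic" shortcuts above), shortcuts whose target is a .bat under the user profile, and browser start pages or search scopes on hosts outside a trusted list. The sample lines are constructed after the thread's log format, and the trusted-host list is an assumption of this example, not something FRST defines.

```python
"""FRST log triage helper (added example, not FRST's own code).

Flags the indicator classes the fixlist above targets:
  * Run values that launch an executable from %TEMP%
  * shortcut names that mix Latin and Cyrillic letters (homoglyph .lnk)
  * shortcuts whose target is a .bat under the user profile
  * browser start pages / search scopes pointing at non-trusted hosts
The sample lines are constructed after the thread's log format; the
trusted-host list is an assumption, not something FRST defines.
"""
import re
import unicodedata

# Constructed sample, modelled on the entries marked ATTENTION / Cyrillic above.
SAMPLE_LOG = (
    r"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Run: [001d46a7] => "
    r"C:\Users\ANTON\AppData\Local\Temp\world-super-ext.exe <===== ATTENTION" "\n"
    r"HKLM\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" "\n"
    # "Google Chrome" below is spelled with Cyrillic o/e, as in the FRST log's Start Menu entry
    "Shortcut: C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\G\u043eogl\u0435 Chr\u043eme.lnk -> "
    r"C:\Users\ANTON\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic" "\n"
    r"ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> "
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --disable-quic" "\n"
    r"CHR HomePage: Default -> hxxp://start.msn.iplay.com/?o=shp" "\n"
    'CHR StartupUrls: Default -> "hxxp://start.mysearchdial.com/?f=1","hxxp://www.google.com/"' "\n"
)

RUN_RE = re.compile(r"^HK\S+?\\Run: \[(?P<name>[^\]]*)\] => (?P<path>.+?)(?: <=+ ATTENTION)?$")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
URL_RE = re.compile(r"h(?:xx|tt)ps?://([^/\s\"]+)", re.IGNORECASE)
ANNOTATION_RE = re.compile(r"\s*<=+ \w+$")        # FRST's "<===== Cyrillic" marker
TRAILING_NOTE_RE = re.compile(r"\s*\([^()]*\)$")  # "(No File)" / "(Google Inc.)"
BROWSER_PREFIXES = ("CHR HomePage:", "CHR StartupUrls:", "FF Homepage:", "SearchScopes:")
TRUSTED_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com"}  # assumption


def script_families(text):
    """Unicode script families ('LATIN', 'CYRILLIC', ...) of the letters in text."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in text if ch.isalpha()}


def is_mixed_script(name):
    """True when a display name draws its letters from more than one script."""
    return len(script_families(name)) > 1


def parse_shortcut(line):
    """Split an FRST 'Shortcut:' / 'ShortcutWithArgument:' line into (lnk, target)."""
    head, _, rest = line.partition(" -> ")
    lnk = head.split(": ", 1)[1]
    target = rest.split(" -> ")[0]             # drop the argument part, if any
    target = ANNOTATION_RE.sub("", target)     # drop "<===== Cyrillic"
    target = TRAILING_NOTE_RE.sub("", target)  # drop "(No File)" / "(Google Inc.)"
    return lnk, target


def triage(log_text):
    """Return (kind, subject, detail) findings for suspicious lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            if TEMP_RE.search(m.group("path")):
                findings.append(("run-from-temp", m.group("name"), m.group("path")))
            continue
        if line.startswith(("Shortcut:", "ShortcutWithArgument:")):
            lnk, target = parse_shortcut(line)
            base = lnk.rsplit("\\", 1)[-1]
            if is_mixed_script(base):
                findings.append(("homoglyph-shortcut", base, target))
            if target.lower().endswith(".bat") and "\\appdata\\" in target.lower():
                findings.append(("shortcut-to-profile-bat", base, target))
            continue
        if line.startswith(BROWSER_PREFIXES):
            for host in URL_RE.findall(line):
                if host.lower() not in TRUSTED_SEARCH_HOSTS:
                    findings.append(("browser-start-page", host, line.split(":", 1)[0]))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {subject} -> {detail}")
```

The mixed-script check is the useful part: the Start Menu entry reads "Google Chrome" to the user, but two of its letters are Cyrillic, and the .lnk launches a batch file in AppData\Roaming\Browsers rather than chrome.exe. The genuine "Google Chrome.lnk" on the same sample passes both the script check and the target check, so the helper separates the planted shortcut from the real one on name and target alone.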

#3 AMS_70

AMS_70
  • Topic Starter

  • Members
  • 9 posts

Posted 21 October 2016 - 09:50 PM

Here it is:
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 17-10-2016
Ran by ANTON (21-10-2016 22:26:40) Run:1
Running from C:\Users\ANTON\Desktop\Downloads
Loaded Profiles: ANTON (Available Profiles: ANTON)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: netsh winsock reset catalog
 
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\...\Run: [001d46a7] => C:\Users\ANTON\AppData\Local\Temp\world-super-ext.exe <===== ATTENTION
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424 2013-09-07] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: samsung.com/SamsungLinkPCPlugin -> C:\Program Files\Samsung\Samsung Link\utils\npSamsungLinkPCPlugin.dll [No File]
CHR HomePage: Default -> hxxp://start.msn.iplay.com/?o=shp
CHR StartupUrls: Default -> "hxxp://start.mysearchdial.com/?f=1&a=dsites_14_13_ff&cd=2XzuyEtN2Y1L1QzuyDyEtDyE0AyC0EtAyBtC0AtC0Ezy0AyCtN0D0Tzu0SzztCyDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyC0CtCzz0B0B0EtGtByBzy0CtGzytBtAyCtGtCtAyD0CtGyCtA0B0Ezzzyzy0C0C0DtB0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDyCtCtCtA0AyDyBtGyEyCyDyCtGtDtAtCtCtGtDtAyEyCtGtBtA0B0DtC0DtByDzy0D0DtC2Q&cr=167113048&ir=","hxxp://www.google.com/"
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll => No File
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll => No File
CHR Extension: (Poppit!) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-11-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-06]
CHR Extension: (Chrome Media Router) - C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-19]
CHR Extension: (Default Extension) - C:\Users\ANTON\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fahfcddejagamippohogfbojgekjebgk [2016-03-16]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\ANTON\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Shortcut: C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t E?pl?rer.lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rn?t ??pl?rer (No Add-?ns).lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\ANTON\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G?ogl? Chrom?.lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\ANTON\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Internet E?pl?r?r ?r?ws?r.lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G?ogl? Chr?me.lnk -> C:\Users\ANTON\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --disable-quic
AlternateDataStreams: C:\Users\ANTON\Desktop\Anton-passport zayavlenie.jpg:3or4kl4x13tuuug3Byamue2s4b [83]
AlternateDataStreams: C:\Users\ANTON\Desktop\Anton-passport zayavlenie.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
C:\Users\ANTON\AppData\Local\Temp\world-super-ext.exe
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
C:\Users\ANTON\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fahfcddejagamippohogfbojgekjebgk
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\Software\Microsoft\Windows\CurrentVersion\Run\\001d46a7 => value removed successfully
Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5-x64 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\samsung.com/SamsungLinkPCPlugin" => key removed successfully
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\pdf.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.59\gcswf32.dll => not found.
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll => not found.
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => not found.
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => not found.
C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll => not found.
C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => not found.
C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll => not found.
C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll => not found.
C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll => not found.
C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll => not found.
C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll => not found.
C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll => not found.
C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => not found.
c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll => not found.
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi => moved successfully
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
C:\Users\ANTON\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fahfcddejagamippohogfbojgekjebgk => moved successfully
catchme => service removed successfully
"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}" => key removed successfully
"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}" => key removed successfully
"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}" => key removed successfully
"HKU\S-1-5-21-1970154587-1612378100-1195232074-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}" => key removed successfully
"C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t E?pl?rer.lnk" => Could not move.
"C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rn?t ??pl?rer (No Add-?ns).lnk" => Could not move.
"C:\Users\ANTON\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G?ogl? Chrom?.lnk" => Could not move.
"C:\Users\ANTON\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Internet E?pl?r?r ?r?ws?r.lnk" => Could not move.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G?ogl? Chr?me.lnk" => Could not move.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\ANTON\Desktop\Anton-passport zayavlenie.jpg => ":3or4kl4x13tuuug3Byamue2s4b" ADS could not remove.
C:\Users\ANTON\Desktop\Anton-passport zayavlenie.jpg => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\Users\ANTON\AppData\Local\Temp\world-super-ext.exe" => not found.
"C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi" => not found.
"C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
"C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm" => not found.
"C:\Users\ANTON\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fahfcddejagamippohogfbojgekjebgk" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 97038052 B
Java, Flash, Steam htmlcache => 1110 B
Windows/system/drivers => 2571369297 B
Edge => 0 B
Chrome => 249842766 B
Firefox => 171295360 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 55459090 B
systemprofile32 => 19149576 B
LocalService => 132244 B
NetworkService => 345486 B
ANTON => 300679328 B
 
RecycleBin => 5383682 B
EmptyTemp: => 3.2 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 22:31:55 ====


#4 AMS_70

Posted 21 October 2016 - 10:10 PM

Pop-ups continue, however (blocked by NoScript, but nevertheless). Spybot Search and Destroy is detecting changes after restart and asks for permission to make changes to the registry, etc. Not sure if I should just disable Spybot for now. Thank you for your help.


Edited by AMS_70, 21 October 2016 - 10:11 PM.


#5 nasdaq
  • Malware Response Team

Posted 22 October 2016 - 09:40 AM



Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here
Disable Spybot for now.


When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#6 AMS_70

Posted 22 October 2016 - 10:42 PM

Hello,

Zoek appears to be stuck at this point; this is a copy of the zoek run window:

 

 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by ANTON on Sat 10/22/2016 at 22:27:33.17.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\ANTON\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
===== Runcheck 22:28:57.08 =====
 
--- Create Environment Variables 22:28:59.31 
--- Create System Restore Point 22:29:12.28 
--- Checking Input 22:29:45.05 
--- AU AppData Check 22:30:53.17 
--- Remove From Windows Installer 22:30:59.81 
--- Empty Folders Check 22:33:50.59 
--- Registry HKLM Software Check 22:33:50.62 
--- Quick Launch Shortcut Check 22:34:28.83 
--- IE Startpage Check 22:34:45.20 
--- Program Files DB Check 22:35:43.62 
--- C:\Users\ANTON\AppData\Roaming DB Check 22:37:22.21 
--- C:\Users\Default\AppData\Roaming DB Check 22:37:22.21 
--- C:\Users\Default User\AppData\Roaming DB Check 22:37:22.21 
--- C:\Windows\SysNative\config\systemprofile\AppData\Roaming DB Check 22:37:22.21 
--- C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming DB Check 22:37:22.21 
--- C:\Windows\serviceprofiles\networkservice\AppData\Roaming DB Check 22:37:22.21 
--- C:\Windows\serviceprofiles\Localservice\AppData\Roaming DB Check 22:37:22.21 
--- C:\Users\ANTON DB Check 22:42:31.94 
--- C:\PROGRA~3 DB Check 22:43:10.24 
--- C:\Users\ANTON\AppData\Local DB Check 22:43:44.22 
--- C:\Users\Default\AppData\Local DB Check 22:43:44.22 
--- C:\Users\Default User\AppData\Local DB Check 22:43:44.22 
--- C:\Users\Public\AppData\Local DB Check 22:43:44.22 
--- C:\Windows\SysNative\config\systemprofile\AppData\Local DB Check 22:43:44.22 
--- C:\Windows\sysWoW64\config\systemprofile\AppData\Local DB Check 22:43:44.22 
--- C:\Windows\serviceprofiles\networkservice\AppData\Local DB Check 22:43:44.22 
--- C:\Windows\serviceprofiles\Localservice\AppData\Local DB Check 22:43:44.22 
--- C:\ProgramData\Microsoft\Windows\Start Menu\Programs DB Check 22:47:42.85 
--- C:\Users\ANTON\AppData\Roaming\Microsoft\Windows\Start Menu\Programs DB Check 22:48:05.49 
--- Tasks DB Check 22:48:19.62 
--- Downloads DB Check 22:48:29.09 
--- C:\Users\ANTON\AppData\LocalLow DB Check 22:48:38.29 
--- C:\Windows\SysNative\config\systemprofile\AppData\LocalLow DB Check 22:48:38.29 
--- C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow DB Check 22:48:38.29 
--- C:\Windows\serviceprofiles\networkservice\AppData\LocalLow DB Check 22:48:38.29 
--- C:\Windows\serviceprofiles\Localservice\AppData\LocalLow DB Check 22:48:38.29 
--- Tasks2 DB Check 22:50:21.77 
--- Documents DB Check 22:51:33.75 
--- C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default DB Check 22:51:50.86 
--- C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930 DB Check 22:51:50.86 
--- C:\Users\Public\Desktop DB Check 22:52:01.75 
--- C:\Users\ANTON\Desktop DB Check 22:52:14.27 
--- Services DB Check 22:52:34.62 
--- FF prefs.js DB Check 22:53:28.15 
--- Emptyclsid 22:56:20.67 
--- Del by CLSID 22:56:26.44 
--- Delete Services 22:57:45.97 
--- Firefox Fix 22:57:49.19 
--- Batch Commands 22:57:57.51 
--- Delete files\folders 22:57:58.01 
--- Create Backups 22:57:58.22 
--- Firefox Extensions 22:58:12.59 


#7 AMS_70

Posted 22 October 2016 - 10:45 PM

Firefox pop-ups came up a couple of times during the zoek run, and again now.


Edited by AMS_70, 22 October 2016 - 10:47 PM.


#8 AMS_70

Posted 23 October 2016 - 07:12 AM

Zoek result log:
 
 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by ANTON on Sat 10/22/2016 at 22:27:33.17.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\ANTON\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
10/22/2016 10:29:42 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\Program Files\Common Files\McAfee deleted successfully
C:\PROGRA~3\V CAST Media Manager deleted successfully
C:\PROGRA~3\Verizon deleted successfully
C:\Users\ANTON\AppData\Roaming\82658 deleted successfully
C:\Users\ANTON\AppData\Roaming\Backup Tickets deleted successfully
C:\Users\ANTON\AppData\Roaming\JcAA11ivD2on4pH deleted successfully
C:\Users\ANTON\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\ANTON\AppData\Roaming\TP deleted successfully
C:\Users\ANTON\AppData\Local\EmieSiteList deleted successfully
C:\Users\ANTON\AppData\Local\EmieUserList deleted successfully
C:\Users\ANTON\AppData\Local\Skype deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-1970154587-1612378100-1195232074-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F4E39681-15F8-4fda-B8A3-B5C98378F2F3} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
Deleted from C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default\prefs.js:
 
Added to C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
Deleted from C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930\prefs.js:
 
Added to C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
ProfilePath: C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default
 
user.js not found
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20161022_1057_.backup
 
ProfilePath: C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930
 
user.js not found
---- Lines yahoo removed from prefs.js ----
user_pref("capability.policy.maonoscript.sites", "addons.mozilla.org adobe.com adobedtm.com adobetag.com afx.ms ajax.aspnetcdn.com ajax.googleapis.com
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20161022_1057_.backup
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~3\Package Cache deleted
C:\Users\ANTON\AppData\Local\Unity deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk deleted
C:\Users\ANTON\AppData\LocalLow\Unity deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow\uTorrentBar deleted
C:\Users\ANTON\Desktop\Downloads\SoftonicDownloader_for_passport-photo-maker.exe deleted
"C:\Windows\Installer\c7787d40.msi" deleted
"C:\Users\ANTON\AppData\Local\f7n6beithc3553o8ae7ie4l1neo" deleted
"C:\ProgramData\f7n6beithc3553o8ae7ie4l1neo" deleted
"C:\Users\ANTON\AppData\Roaming\Temp" deleted
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
ProfilePath: C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Firefox Extensions Registry ======================
 
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"{e4f94d1e-2f53-401e-8885-681602c0ddd8}"="C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi" [04/04/2014 06:36 AM]


#9 nasdaq
  • Malware Response Team

Posted 23 October 2016 - 09:10 AM

Is the issue solved?

#10 AMS_70

Posted 23 October 2016 - 08:49 PM

Unfortunately not; still getting Firefox pop-ups.



#11 nasdaq
  • Malware Response Team

Posted 24 October 2016 - 09:05 AM

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Keep me posted.

#12 AMS_70

Posted 24 October 2016 - 09:43 PM

This virus is stubborn. After resetting Firefox and cleaning the cache as above and restarting the machine, it still: 1. launches Firefox; 2. directs it to some random websites.

 

Here's the zoek log, after I managed to run it to completion:

 

 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by ANTON on Sun 10/23/2016 at 22:24:47.89.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\ANTON\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== Older Logs ======================
 
C:\zoek-results2016-10-23-025812.log 4283 bytes
 
==== System Restore Info ======================
 
10/23/2016 10:26:58 PM Zoek.exe System Restore Point Created Successfully.
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
Deleted from C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
Added to C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
Deleted from C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
Added to C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
ProfilePath: C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default
 
user.js not found
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20161023_1055_.backup
 
ProfilePath: C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930
 
user.js not found
---- Lines yahoo removed from prefs.js ----
user_pref("capability.policy.maonoscript.sites", "addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com bootstrapcdn.com code.jquery.com fi
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20161023_1055_.backup
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
"C:\Windows\Installer\c7787d40.msi" not found
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\ANTON\AppData\Roaming\Flickr\Flickr Uploadr\Profiles\g1dhk26c.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
ProfilePath: C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Skype extension - %AppDir%\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\ANTON\AppData\Roaming\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930
32534FFE70905DD87DDAAF7437897560 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_185.dll - Shockwave Flash
D23D6FEF2818C5B62BCD80BCA70362CD - C:\Users\ANTON\AppData\Local\SkypePlugin\7.25.0.32\npGatewayNpapi.dll - Skype Web Plugin
3EE8AE0ECFE5D79DE1737A855AD1E84C - C:\Users\ANTON\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll - Google Update
B8A82EC7DDB65E6D8F7B44D412FE993B - C:\Users\ANTON\AppData\Roaming\RingCentralMeetings\bin\nprcmsplugin.dll - RingCentral launcher plugin - 3.5.0
20FF20FBC1F20ADEC0AD6AF98ABE9545 - C:\Users\ANTON\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll - Google Talk Plugin
57D28190C994AD5E9B1007FB2259393A - C:\Users\ANTON\AppData\Roaming\Mozilla\plugins\npo1d.dll - Google Talk Plugin Video Renderer
328EEECD6DE8DDCB287F9E3A80846469 - C:\Users\ANTON\AppData\Local\SkypePlugin\7.25.0.32\npGatewayNpapi-x64.dll - Skype Web Plugin
 
 
==== Chromium Look ======================
 
Google Chrome Version: 46.0.2490.86
 
 
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
apdfllckaahabafndbhieahigkjlhalf - C:\Users\ANTON\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx[03/23/2014 03:05 PM]
lmjegmlicamnimmfhcmpkclmigmmcbeh - No path found[]
 
Google Drive App Launcher - ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh
ECHO is off. - ANTON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbdpajcdgknpendpmecafmopknefafha
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{67A2568C-7A0A-4EED-AECC-B5405DE63B64}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 
==== Reset Google Chrome ======================
 
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\ANTON\AppData\Local\UCBrowser\User Data\Default\Preferences was reset successfully
C:\Users\ANTON\AppData\Local\UCBrowser\User Data\Default\Secure Preferences was reset successfully
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
C:\Users\ANTON\AppData\Local\UCBrowser\User Data\Default\Web Data.65 was reset successfully
C:\Users\ANTON\AppData\Local\UCBrowser\User Data\Default\Web Data.65-journal was reset successfully
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\ED77BE5C789DA434DB25DEDB12DDD18A deleted successfully
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnityWebPlayer deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C5EB77DE-D987-434A-BD52-EDBD21DD1DA8} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\ED77BE5C789DA434DB25DEDB12DDD18A deleted successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\ANTON\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\ANTON\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
C:\Users\ANTON\AppData\Local\Mozilla\Firefox\Profiles\96uyzrmy.default-1476754398930\cache2 emptied successfully
 
==== Empty Chrome Cache ======================
 
C:\Users\ANTON\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\ANTON\AppData\Local\UCBrowser\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=21 folders=16 25502662 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\ANTON\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\ANTON\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Mon 10/24/2016 at  7:33:02.50 ======================


#13 nasdaq
  • Malware Response Team

Posted 25 October 2016 - 10:12 AM

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

Keep me posted.

#14 AMS_70

Posted 26 October 2016 - 05:02 PM

Nope, resetting the cable modem/router did not do the trick either, problem persists.



#15 nasdaq
  • Malware Response Team

Posted 27 October 2016 - 09:15 AM



Are we dealing with this type of infection?
ENTERPRISE POLICY....

https://malwaretips.com/blogs/installed-enterprise-policy-removal/
Remove Installed by enterprise policy extension from Chrome
<<<>>>

Open your Chrome settings and check the extensions installed.

Do you see any of them showing the Enterprise policy?
Check the image on the link.

===

Removal instructions available on this site.
http://forums.anvisoft.com/viewtopic-51-8494-0.html

If you are not at ease with removing it using the REGEDIT tool, give me the Chrome extension name (the long string, such as this one: ghbmnnjooekpmoecnnnilnnbdlolhkhi, which is for Google Docs).

I will give you a fix.


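A read-only check for the enterprise-policy case described above, added here as an example (it is not from the thread, nor from Chrome, Zoek or FRST): it lists Chrome's ExtensionInstallForcelist policy values from HKLM and HKCU, the registry mechanism behind the "Installed by enterprise policy" label, and flags ids that are malformed or that update from somewhere other than the Chrome Web Store. The column names and those two heuristics are the example's own.

```powershell
# Added example (not from this thread or from any tool it mentions): read-only audit of
# Chrome's ExtensionInstallForcelist policy, the registry mechanism behind the
# "Installed by enterprise policy" label. Nothing here deletes or changes anything.
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

# Chrome Web Store update endpoint; a forced extension updating from anywhere else
# deserves a closer look (heuristic chosen for this example, not a Chrome rule).
$storeUpdateUrl = 'https://clients2.google.com/service/update2/crx'

function Get-ForcedChromeExtension {
    foreach ($path in $policyPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($valueName in $key.GetValueNames()) {
            # Each value is "<extension id>;<update url>"; the URL part may be absent.
            $parts = ([string]$key.GetValue($valueName)) -split ';', 2
            $extensionId = $parts[0].Trim()
            $updateUrl = ''
            if ($parts.Count -gt 1) { $updateUrl = $parts[1].Trim() }
            [pscustomobject]@{
                PolicyKey    = $path
                ValueName    = $valueName
                ExtensionId  = $extensionId
                UpdateUrl    = $updateUrl
                # Real extension ids are exactly 32 characters from the range a-p.
                WellFormedId = ($extensionId -match '^[a-p]{32}$')
                FromWebStore = ($updateUrl -eq $storeUpdateUrl)
            }
        }
    }
}

$forced = @(Get-ForcedChromeExtension)
if ($forced.Count -eq 0) {
    Write-Host 'No ExtensionInstallForcelist entries in HKLM or HKCU.'
} else {
    $forced | Format-Table -AutoSize
    # Once an entry is confirmed unwanted, the fix is to remove that value and restart
    # Chrome, e.g. Remove-ItemProperty -Path $entry.PolicyKey -Name $entry.ValueName
    # (kept as a comment so this script stays read-only).
}
```

Run it from an elevated PowerShell so the HKLM branch is readable; an entry whose WellFormedId or FromWebStore column is False is the one to compare against the extension list in Chrome's settings.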

