Shortcuts' Target box got "infected"?


  • This topic is locked
6 replies to this topic

#1 Tenshi447

Tenshi447

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:58 PM

Posted 27 November 2016 - 06:41 PM

I'll try to keep it as short as possible. Yesterday I accidentally downloaded and opened a weird .exe file, although I've been using a PC for more than 10 years. Got it from an adf.ly link and, even though the real link after it doesn't contain anything weird, that adf.ly itself does. (I lost it now, but still have the direct link for the). Afterwards things started to get really annoying, like they were throwing a party: a bunch of unknown software installing in the background, silently or not, strange processes in Task Manager, high CPU and disk usage, weird windows popping up..

 

I managed to remove everything I could find and fixed all the problems except one. Simply put, some of my browser shortcuts' Properties have the Target line like this: D:\Software\Mozilla Firefox\firefox.exe http://yeabd66.cc/

See that link at the end? Yep. I spent hours looking for a way through Google, plus all the knowledge I have, and the Target path keeps resetting itself to the above after every few minutes.

 

I saw this topic on this forum which describes the same problem I'm having, and I read it more than once, but I'm still unclear on what to do.. :"(

http://www.bleepingcomputer.com/forums/t/576008/browser-shortcut-pinned-to-task-bar-target-window-modified/

Oh and, yeah, it's not only the Taskbar pinned shortcuts but also the ones in the Start Menu.

 

Thank you for your concern! (Attachments included)

Attached File: Addition.txt (39.76KB)

Attached File: FRST.txt (52.16KB)





#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 AM

Posted 29 November 2016 - 11:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program via the Control Panel > Programs > Programs and Features.
KMSpico v9.2.3 (HKLM\...\KMSpico_is1) (Version: 9.2.3 - )
===


ATTENTION: System Restore is disabled
Turn your System Restore ON - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7
+++

Windows Firewall is disabled.

Turn ON your Firewall Windows 10.
https://support.microsoft.com/en-us/instantanswers/c9955ad9-1239-4cb2-988c-982f851617ed/turn-windows-firewall-on-or-off
+++

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-2106719365-3044273216-2909515200-1000\...\Run: [AdobeBridge] => [X]
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  No File
GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
FF user.js: detected! => C:\Users\Tenshi\AppData\Roaming\Mozilla\Firefox\Profiles\wiskpths.default\user.js [2016-11-27]
FF NewTab: Mozilla\Firefox\Profiles\wiskpths.default -> chrome://fvd.speeddial/content/fvd_about_blank.html
FF Extension: (Speed Dial [FVD] - New Tab Page, Sync...) - C:\Users\Tenshi\AppData\Roaming\Mozilla\Firefox\Profiles\wiskpths.default\Extensions\pavel.sherbakov@gmail.com [2016-10-15]
FF Plugin: @esn/npbattlelog,version=2.7.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.1\npbattlelogx64.dll [No File]
FF Plugin-x32: @360.cn/npaxlogin -> C:\Program Files (x86)\360\360Safe\Utils\npaxlogin.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.7.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.1\npbattlelog.dll [No File]
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Tenshi\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-27]
CHR Extension: (Chrome Media Router) - C:\Users\Tenshi\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-27]
S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [977088 2014-03-02] () [File not signed]
S4 LenovoPcManagerService; "C:\Program Files (x86)\Lenovo\PCManager\LenovoPcManagerService.exe" [X]
S4 Prercertain; C:\Program Files (x86)\Cherro\kotutherrercapyconfiguration.dll [X]
S1 360AntiHacker; System32\Drivers\360AntiHacker64.sys [X]
S1 360Box64; system32\DRIVERS\360Box64.sys [X]
S3 360Camera; System32\Drivers\360Camera64.sys [X]
S1 360Hvm; System32\Drivers\360Hvm64.sys [X]
S1 360netmon; system32\DRIVERS\360netmon.sys [X]
S3 cpuz140; \??\C:\Users\Tenshi\AppData\Local\Temp\cpuz140\cpuz140_x64.sys [X]
S3 GGSAFERDriver; \??\D:\Games\LienMinhHuyenThoai\GameData\Room\safedrv.sys [X]
S3 gkernel; \??\C:\Users\Tenshi\AppData\Local\Temp\gkernel.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
Task: {A144FD47-1297-48DA-B0AB-D90BBB9B6E08} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
ShortcutWithArgument: C:\Users\Tenshi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\Tenshi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk -> D:\Software\lawlietfox-50.0-1-win32-vc14-betterpgo-sse2\firefox.exe (Mozilla Corporation) -> hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\Tenshi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://yeabd66.cc/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\Tenshi\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\Tenshi\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
2016-09-19 22:30 - 2016-09-19 22:30 - 00211968 _____ () C:\Windows\W7FBC\dll.dll
AlternateDataStreams: C:\Windows\EmptyStandbyList.exe:BDU [0]
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [80850]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [1442146]
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [126]
FirewallRules: [{0125E831-AEE8-4DA2-837E-8DE830FA5C34}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{46F8B3EF-0930-4907-BD41-4781DB0BFE8A}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{DF59E931-D8A4-4007-A16C-3ED5327A65E0}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{ECCCC320-B01A-4E7E-92DA-ECB5D5E97549}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
C:\Program Files\KMSpico
C:\Users\Tenshi\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Tenshi\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

Please let me know what problem persists with this computer.
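The ShortcutWithArgument entries in the fix list above show the two forms the tampering took: a URL appended to the shortcut's Arguments field and, for Chrome, a --load-extension switch pointing at a folder under AppData. The PowerShell script below is an added example, not code from this thread, from FRST or from nasdaq; it walks the same shortcut folders and reports every .lnk whose Arguments field matches either pattern. The folder list, the $suspicious pattern and the $Remediate switch are assumptions made for this example.

```powershell
# Added example (not FRST's or the thread's code): find browser shortcuts whose
# Arguments field carries a URL or a --load-extension switch, as in the fix list.
$Remediate = $false   # example setting: $true clears the Arguments field of each hit

$shell = New-Object -ComObject WScript.Shell

# Shortcut locations taken from the ShortcutWithArgument lines above, plus the
# current user's Desktop (assumed for this example).
$dirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:PUBLIC\Desktop",
    "$env:USERPROFILE\Desktop"
)

# A stock browser shortcut normally has an empty Arguments field; a URL or an
# extension side-load switch there is exactly what the thread's shortcuts had.
$suspicious = '(https?://|hxxps?://|--load-extension=)'

$hits = foreach ($lnk in Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    if ($sc.Arguments -match $suspicious) {
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
        }
        if ($Remediate) {
            $sc.Arguments = ''   # keep the real target, drop the injected argument
            $sc.Save()
        }
    }
}

$hits | Format-Table -AutoSize
```

Saving shortcuts under ProgramData or the Public Desktop needs an elevated prompt. Run the scan again a few minutes after clearing: a hit that comes back means whatever rewrote the shortcuts is still running, which is the symptom the original poster described.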

#3 Tenshi447

Tenshi447
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:58 PM

Posted 29 November 2016 - 01:06 PM

Alright, everything's done and there are a few things to note:
1. When I try to uninstall KMSPico, it said something like "the program had already been uninstalled, remove remainings..".

2. I enabled System Restore and went to use the Fix function in FRST, but when my PC restarted, SR says "No restore points have been created..".

3. The shortcut files of Firefox and IE don't have the weird link in their Target boxes anymore, EXCEPT for Chrome. But I removed it and it doesn't seem to come back either.. so it's all good.

 

I waited for 20 minutes and it doesn't happen anymore.. So I could say this is a success, thanks to you :D But I'm kinda curious about which was the culprit behind all this? Firefox addons? Driver files? Regedit?..



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 AM

Posted 29 November 2016 - 01:39 PM

Let's check these services.

Download Farbar's Service Scanner utility from
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and save it to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & paste the contents of FSS.txt into your reply.

#5 Tenshi447

Tenshi447
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:58 PM

Posted 29 November 2016 - 02:53 PM

Farbar Service Scanner Version: 27-01-2016
Ran by Tenshi (administrator) on 30-11-2016 at 02:52:36
Running from "C:\Users\Tenshi\Downloads\Programs"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 AM

Posted 30 November 2016 - 09:40 AM


Create a system restore point.
How to:
https://support.microsoft.com/en-us/instantanswers/e6bbddb0-9db4-4d88-9063-42c52c79a96e/create-a-system-restore-point
===

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "All files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 Tenshi447

Tenshi447
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:58 PM

Posted 01 December 2016 - 01:22 PM

Alright, all done! Thanks for helping me since the start, let's close this thread.

Have a good day!
