
Infected By Various Malwares


  • This topic is locked
7 replies to this topic

#1 dolev91

dolev91

  • Members
  • 5 posts
  • OFFLINE

Posted 02 December 2016 - 09:07 AM

Hi, I downloaded a zip file about 3 weeks ago. Since then the Firefox browser crashes on double-click, uTorrent is not responding at all, and the connection is sometimes very slow. Adding to all that, I really am afraid that when I purchase something my details are not secure and a 3rd party can use them. I've used many Antimalware/Antivirus programs since, and still, no cure.

Attached several files:

Farbar log, Farbar Addition log, FreeFixer log, 2 Malwarebytes logs (one from the day of the infection, one from yesterday).

Attached Files: FRST021216.txt (89.93KB), FRST021216 Addition.txt (38.79KB)



#2 dolev91

dolev91
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 03 December 2016 - 08:34 AM

Help? Anyone?



#3 dolev91

dolev91
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 04 December 2016 - 01:56 AM

???



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 PM

Posted 04 December 2016 - 10:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  No File
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
Winsock: Catalog9 01 chtbrkg.dll No File
Winsock: Catalog9 02 chtbrkg.dll No File
Winsock: Catalog9 03 chtbrkg.dll No File
Winsock: Catalog9 04 chtbrkg.dll No File
Winsock: Catalog9 05 chtbrkg.dll No File
Winsock: Catalog9 06 chtbrkg.dll No File
Winsock: Catalog9 07 chtbrkg.dll No File
Winsock: Catalog9 08 chtbrkg.dll No File
Winsock: Catalog9 09 chtbrkg.dll No File
Winsock: Catalog9 10 chtbrkg.dll No File
Winsock: Catalog9 11 chtbrkg.dll No File
Winsock: Catalog9 12 chtbrkg.dll No File
Winsock: Catalog9 13 chtbrkg.dll No File
Winsock: Catalog9 27 chtbrkg.dll No File
Winsock: Catalog9-x64 01 chtbrkg.dll No File
Winsock: Catalog9-x64 02 chtbrkg.dll No File
Winsock: Catalog9-x64 03 chtbrkg.dll No File
Winsock: Catalog9-x64 04 chtbrkg.dll No File
Winsock: Catalog9-x64 05 chtbrkg.dll No File
Winsock: Catalog9-x64 06 chtbrkg.dll No File
Winsock: Catalog9-x64 07 chtbrkg.dll No File
Winsock: Catalog9-x64 08 chtbrkg.dll No File
Winsock: Catalog9-x64 09 chtbrkg.dll No File
Winsock: Catalog9-x64 10 chtbrkg.dll No File
Winsock: Catalog9-x64 11 chtbrkg.dll No File
Winsock: Catalog9-x64 12 chtbrkg.dll No File
Winsock: Catalog9-x64 13 chtbrkg.dll No File
Winsock: Catalog9-x64 27 chtbrkg.dll No File
FF Extension: (No Name) - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [not found]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-08]
CHR Extension: (Chrome Media Router) - C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-08]
S2 HpSvc; C:\Program Files (x86)\LuDaShi\lpi\HpSvc.dll [X] <==== ATTENTION
U0 aswVmm; no ImagePath
S3 dbx; system32\DRIVERS\dbx.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
Task: {E303EDF5-6C39-4DBF-8F09-F493E2592253} - System32\Tasks\{1B770E6F-0A58-4D32-9A94-585F2B138E45} => pcalua.exe -a C:\Users\Dolev\AppData\Local\Temp\KavInstaller.exe -c /u <==== ATTENTION
C:\Users\Dolev\AppData\Local\Temp\KavInstaller.exe
C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
cmd: netsh winsock reset catalog

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

#5 dolev91

dolev91
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 04 December 2016 - 03:15 PM

Hi, Firefox is up and running again! Thank you! How do I make sure this entity is out of the system completely?
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 04-12-2016
Ran by Dolev (04-12-2016 20:59:01) Run:1
Running from C:\Users\Dolev\Desktop\FRST
Loaded Profiles: Dolev (Available Profiles: Dolev)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  No File
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
Winsock: Catalog9 01 chtbrkg.dll No File
Winsock: Catalog9 02 chtbrkg.dll No File
Winsock: Catalog9 03 chtbrkg.dll No File
Winsock: Catalog9 04 chtbrkg.dll No File
Winsock: Catalog9 05 chtbrkg.dll No File
Winsock: Catalog9 06 chtbrkg.dll No File
Winsock: Catalog9 07 chtbrkg.dll No File
Winsock: Catalog9 08 chtbrkg.dll No File
Winsock: Catalog9 09 chtbrkg.dll No File
Winsock: Catalog9 10 chtbrkg.dll No File
Winsock: Catalog9 11 chtbrkg.dll No File
Winsock: Catalog9 12 chtbrkg.dll No File
Winsock: Catalog9 13 chtbrkg.dll No File
Winsock: Catalog9 27 chtbrkg.dll No File
Winsock: Catalog9-x64 01 chtbrkg.dll No File
Winsock: Catalog9-x64 02 chtbrkg.dll No File
Winsock: Catalog9-x64 03 chtbrkg.dll No File
Winsock: Catalog9-x64 04 chtbrkg.dll No File
Winsock: Catalog9-x64 05 chtbrkg.dll No File
Winsock: Catalog9-x64 06 chtbrkg.dll No File
Winsock: Catalog9-x64 07 chtbrkg.dll No File
Winsock: Catalog9-x64 08 chtbrkg.dll No File
Winsock: Catalog9-x64 09 chtbrkg.dll No File
Winsock: Catalog9-x64 10 chtbrkg.dll No File
Winsock: Catalog9-x64 11 chtbrkg.dll No File
Winsock: Catalog9-x64 12 chtbrkg.dll No File
Winsock: Catalog9-x64 13 chtbrkg.dll No File
Winsock: Catalog9-x64 27 chtbrkg.dll No File
FF Extension: (No Name) - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [not found]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-08]
CHR Extension: (Chrome Media Router) - C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-08]
S2 HpSvc; C:\Program Files (x86)\LuDaShi\lpi\HpSvc.dll [X] <==== ATTENTION
U0 aswVmm; no ImagePath
S3 dbx; system32\DRIVERS\dbx.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
Task: {E303EDF5-6C39-4DBF-8F09-F493E2592253} - System32\Tasks\{1B770E6F-0A58-4D32-9A94-585F2B138E45} => pcalua.exe -a C:\Users\Dolev\AppData\Local\Temp\KavInstaller.exe -c /u <==== ATTENTION
C:\Users\Dolev\AppData\Local\Temp\KavInstaller.exe
C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
cmd: netsh winsock reset catalog
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
"HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj" => key removed successfully
HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj2" => key removed successfully
HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} => key not found. 
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000027" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000005" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000006" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000007" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000008" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000009" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000010" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000011" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000012" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000013" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000027" => key removed successfully
C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi => path removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf" => key removed successfully
C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HpSvc => service removed successfully
aswVmm => service could not remove
dbx => service removed successfully
Partizan => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E303EDF5-6C39-4DBF-8F09-F493E2592253}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E303EDF5-6C39-4DBF-8F09-F493E2592253}" => key removed successfully
C:\WINDOWS\System32\Tasks\{1B770E6F-0A58-4D32-9A94-585F2B138E45} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1B770E6F-0A58-4D32-9A94-585F2B138E45}" => key removed successfully
"C:\Users\Dolev\AppData\Local\Temp\KavInstaller.exe" => not found.
"C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
"C:\Users\Dolev\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm" => not found.
 
========= netsh winsock reset catalog =========
 
Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 10107
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 1126356 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 57624544 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 4450143 B
Edge => 14439 B
Chrome => 479604099 B
Firefox => 374467875 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 62690 B
NetworkService => 259750 B
Dolev => 119873955 B
 
RecycleBin => 0 B
EmptyTemp: => 989.4 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 21:00:35 ====
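The Fixlog quoted in the post above records one outcome per fixlist directive, and the question it raises is which of those outcomes still need attention (here, `aswVmm => service could not remove`, plus three targets that were already gone). The following Python is an added example, not code from the thread or from the Farbar tool; it parses result lines of the form `item => outcome`, classifies each as removed, not found, failed, or other, and returns the items that need a second look. The sample log is a constructed subset of the lines shown above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Fixlog.txt lines quoted in the thread.
# Item names and paths are those shown in the log above; nothing is invented.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => key not found. 
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi => path removed successfully
HpSvc => service removed successfully
aswVmm => service could not remove
Partizan => service removed successfully
"C:\Users\Dolev\AppData\Local\Temp\KavInstaller.exe" => not found.
BITS transfer queue => 1126356 B
"""

# One result per fixlist directive: `<item> => <outcome>`. The item may be
# wrapped in double quotes, and the outcome may carry a trailing period.
RESULT_RE = re.compile(r'^"?(?P<item>.+?)"?\s*=>\s*(?P<outcome>.+?)\s*$')


def classify(outcome: str) -> str:
    """Map an FRST outcome phrase to a triage status."""
    text = outcome.lower()
    if "could not" in text or "failed" in text:
        return "failed"        # still present; re-check after the reboot
    if "not found" in text:
        return "not_found"     # target was already gone when the fix ran
    if "successfully" in text:
        return "removed"
    return "other"             # e.g. EmptyTemp byte counts


def parse_fixlog(log_text: str):
    """Return (item, outcome, status) for every `item => outcome` line."""
    entries = []
    for raw in log_text.splitlines():
        match = RESULT_RE.match(raw.strip())
        if not match:
            continue  # banners, blank lines, section separators
        item = match.group("item").strip('"')
        outcome = match.group("outcome").rstrip(". ")
        entries.append((item, outcome, classify(outcome)))
    return entries


def follow_up(entries):
    """Items whose removal failed: what to verify before calling the host clean."""
    return [item for item, _, status in entries if status == "failed"]


def summarize(log_text: str):
    """Per-status counts plus the follow-up list for a whole Fixlog."""
    entries = parse_fixlog(log_text)
    counts = Counter(status for _, _, status in entries)
    return {"entries": entries, "counts": dict(counts), "follow_up": follow_up(entries)}


if __name__ == "__main__":
    report = summarize(SAMPLE_FIXLOG)
    print(report["counts"])       # {'removed': 5, 'not_found': 2, 'failed': 1, 'other': 1}
    for item in report["follow_up"]:
        print("re-check:", item)  # re-check: aswVmm
```

Run it against a real Fixlog.txt by reading the file into `summarize`; a non-empty `follow_up` list is the signal that the fix did not finish its job and the item should be confirmed gone (for a service, that it no longer appears under `HKLM\SYSTEM\CurrentControlSet\Services`) before moving on to the confirmation scan.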


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 PM

Posted 05 December 2016 - 09:56 AM

Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 dolev91

dolev91
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 05 December 2016 - 01:16 PM

It crashed while exporting the text file.

I've copied what it found:

 

C:\Users\Dolev\AppData\Local\Temp\HYD4F84.tmp.1480882715\HTA\install.1480882715.zip a variant of Win32/FusionCore.K potentially unwanted application deleted
C:\Users\Dolev\AppData\Local\Temp\HYD4F84.tmp.1480882715\HTA\3rdparty\FS.dll a variant of Win32/FusionCore.K potentially unwanted application cleaned by deleting
 
Found those 2 as threats.
Deleted them of course.
Are there any other steps to make sure that I'm safe?
Thank you for your help.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 PM

Posted 05 December 2016 - 02:34 PM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
