
Guayadeque temp folder?


18 replies to this topic

#1 shmendan
  • Members
  • 11 posts

Posted 19 December 2016 - 01:32 PM

This is a repost in the right section; can a moderator please remove my other post with the same name? I could not figure out how to delete posts -_-   Done - Hamluis.

So recently, 2 days ago, I downloaded a "free" game from a website. The game normally costs 3 bucks, but I thought it may be worth it to take the risk; it was not. I downloaded a game called "I get this call everyday" from some website. I currently have Malwarebytes (free version) and Avast Internet Security on my PC. So I downloaded the file, which was a .rar file. I opened it using WinRAR and there was an executable file. I scanned it using Avast and Malwarebytes; no threats detected. So I ran the file, and it did not open up an installer like I would expect it to. Instead, it just downloaded trash on my computer. I managed to remove it all, except for this one thing. When I use Google Chrome and search something, it takes me to cse.google.com. For example, this is the link it takes me to when I type in "Hello":

https://cse.google.com/cse?vd=0ahUKEwiXrqfP1ODOAhVcVWMKHS1hC8o4WhD8BQgIKAE&hl=en&rl=1C1ASUM_enUS507US507&cx=partner-pub-3583953509187452:13rjo5-ejqn&pf_rd_r=V2W8AFHYSM36R90VWAD5&q=hello#gsc.tab=0&gsc.q=hello&gsc.page=1

I have been trying to search for things but it has been hard because it keeps giving me the wrong results, and it is very slow! I tried messing with the omnibox settings for Google Chrome, but that did nothing. So I scanned with Avast and Malwarebytes and I found the problem files. They are in my temp folder. The following files are the problem files:


g425C.tmp

g4838.tmp

g4838.tmp.exe

gAA34.tmp

gC87F.tmp

I deleted these folders and it was fine, but the next day, they came back! I tried using CCleaner also. An odd thing about g4838.tmp.exe is that it has a Guayadeque symbol, which I discovered by using Google image search. The other folders all have a white blank icon, like most tmp files. However, gAA34.tmp and g4838.tmp have a lock in front of the blank white icon. I am really hoping you guys can help! I cannot find any programs to uninstall in "Uninstall or change a program". I am running Windows 7.


Edited by hamluis, 19 December 2016 - 02:39 PM.




#2 buddy215
  • Moderator
  • 13,134 posts

Posted 19 December 2016 - 01:53 PM

Give the programs below a chance to find and remove the adware.

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the ESET Online Scanner button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 buddy215
  • Moderator
  • 13,134 posts

Posted 19 December 2016 - 01:59 PM

Run this scan, too.

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"

NOTE. If you see the "This version requires you to completely exit the Anti Malware application" message, right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.



#4 shmendan
  • Topic Starter
  • Members
  • 11 posts

Posted 19 December 2016 - 02:26 PM

Thank you, I will try this out and report back tomorrow.



#5 shmendan
  • Topic Starter
  • Members
  • 11 posts

Posted 19 December 2016 - 03:37 PM

I do not see the ESET online scanner button; I am on Google Chrome. Instead I pressed "Scan Now" in order to download the file onto my computer. Here is my JRT log:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Home Premium x64 
Ran by Shmendan (Administrator) on 19/12/2016 at 14:38:39.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 26 
 
Successfully deleted: C:\ProgramData\mntemp (File) 
Successfully deleted: C:\Users\Shmendan\AppData\Roaming\spi (Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BW454F0A (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GW0S7O6G (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J61OXVW4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K45DNYSK (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MFDPTDA3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PA454XK5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2B113EE (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Shmendan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XBRHONAW (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BW454F0A (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GW0S7O6G (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J61OXVW4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K45DNYSK (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MFDPTDA3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PA454XK5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2B113EE (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XBRHONAW (Temporary Internet Files Folder) 
 
 
 
Registry: 2 
 
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 19/12/2016 at 14:41:24.93
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by shmendan, 19 December 2016 - 05:38 PM.


#6 shmendan
  • Topic Starter
  • Members
  • 11 posts

Posted 19 December 2016 - 06:30 PM

I restarted my computer and it was working fine, but an hour later it went back to cse.google.com :(



#7 Havachat
  • Members
  • 1,050 posts

Posted 19 December 2016 - 06:46 PM

Until buddy215 gets back to you.

ESET Online Scanner: as per buddy215's quoted instructions, you can download the executable file and run it.

Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.

Then follow as per his instructions previously.

Also download AdwCleaner by Xplode and Malwarebytes Anti-Rootkit (MBAR) to your desktop as asked, and follow his instructions as stated previously.


Edited by Havachat, 19 December 2016 - 06:48 PM.


#8 shmendan
  • Topic Starter
  • Members
  • 11 posts

Posted 19 December 2016 - 08:32 PM

Havachat wrote:

Until buddy215 gets back to you.

ESET Online Scanner: as per buddy215's quoted instructions, you can download the executable file and run it.

Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.

Then follow as per his instructions previously.

Also download AdwCleaner by Xplode and Malwarebytes Anti-Rootkit (MBAR) to your desktop as asked, and follow his instructions as stated previously.

I did all those things...



#9 buddy215
  • Moderator
  • 13,134 posts

Posted 20 December 2016 - 06:50 AM

I only see the log from JRT. What about the logs for AdwCleaner, ESET and MBAR? I need to confirm whether what, if anything, those scans detected was deleted/quarantined or not.

If those scans found nothing...then run this scan.

Please download Rkill to your Desktop.

iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Windows Vista, 7, 8 or 10 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from Safe Mode.

When the scan is done Notepad will open with the rKill log. Post it in your next reply.

NOTE. The rKill.txt log will also be present on your desktop.

Reset Google Chrome

You can restore your browser settings in Chrome at any time. You might need to do this if apps or extensions you installed changed your settings without your knowledge. Your saved bookmarks and passwords won't be cleared or changed.

  1. On your computer, open Chrome.
  2. At the top right, click More, then Settings.
  3. At the bottom, click Show advanced settings.
  4. Under the section "Reset settings," click Reset settings.
  5. In the box that appears, click Reset.

Edited by buddy215, 20 December 2016 - 07:05 AM.


#10 shmendan
  • Topic Starter
  • Members
  • 11 posts

Posted 20 December 2016 - 01:19 PM

I'm sorry. Avast just alerted me and blocked those temp folders again :/ It said they were a malware gen. I am not sure what the path is to the ESET logs, so if you could help me with that, I would be thankful. I reset Chrome; it didn't work. I will try Rkill soon.

MBAR log

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2016.12.19.09
  rootkit: v2016.11.20.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18537
Shmendan :: SHMENDAN-PC [administrator]
 
19/12/2016 1:27:40 PM
mbar-log-2016-12-19 (13-27-40).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 323446
Time elapsed: 20 minute(s), 13 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
My Malwarebytes log
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 18/12/2016
Scan Time: 5:25 PM
Logfile: mbamlog.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.12.17.07
Rootkit Database: v2016.11.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Shmendan
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 1
Time Elapsed: 0 min, 15 sec
 
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

 

AdwCleaner log #1

 

# AdwCleaner v6.041 - Logfile created 19/12/2016 at 14:01:05
# Updated on 16/12/2016 by Malwarebytes
# Database : 2016-12-19.1 [Local]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Shmendan - SHMENDAN-PC
# Running from : C:\Users\Shmendan\Downloads\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
[#] File deleted: C:\Windows\SysNative\LavasoftTcpService64.dll
[#] File deleted: C:\Windows\SysWOW64\lavasofttcpservice.dll
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce [Wd]
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Shmendan\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1099 Bytes] - [19/12/2016 14:01:05]
C:\AdwCleaner\AdwCleaner[S0].txt - [5469 Bytes] - [19/12/2016 13:52:56]
C:\AdwCleaner\AdwCleaner[S1].txt - [1429 Bytes] - [19/12/2016 14:00:29]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1318 Bytes] ##########
 
 
AdwCleaner log #2
 
# AdwCleaner v6.041 - Logfile created 19/12/2016 at 13:52:56
# Updated on 16/12/2016 by Malwarebytes
# Database : 2016-12-19.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Shmendan - SHMENDAN-PC
# Running from : C:\Users\Shmendan\Downloads\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
Service Found:  LavasoftTcpService
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\Shmendan\Desktop\Spigot
 
 
***** [ Files ] *****
 
File Found:  C:\Windows\SysNative\LavasoftTcpService64.dll
File Found:  C:\Windows\SysNative\LavasoftTcpServiceOff.ini
File Found:  C:\Windows\SysWOW64\lavasofttcpservice.dll
File Found:  C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer.1
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController.1
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable.1
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields.1
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder.1
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic.1
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager.1
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController
Key Found:  HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController
Key Found:  [x64] HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController.1
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}
Key Found:  HKU\S-1-5-21-2445892550-3838771563-814202035-1000\Software\AppDataLow\Software\adawarebp
Key Found:  HKCU\Software\AppDataLow\Software\adawarebp
Key Found:  HKLM\SOFTWARE\Lavasoft\Web Companion
Key Found:  [x64] HKCU\Software\AppDataLow\Software\adawarebp
Value Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce [Wd]
Key Found:  HKCU\Software\Google\Chrome\Extensions\hegneaniplmfjcmohoclabblbahcbjoe
Key Found:  HKLM\SOFTWARE\Google\Chrome\Extensions\hegneaniplmfjcmohoclabblbahcbjoe
Key Found:  [x64] HKCU\Software\Google\Chrome\Extensions\hegneaniplmfjcmohoclabblbahcbjoe
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Shmendan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - aaaaaiabcopkplhgaedhbloeejhhankf
Chrome pref Found:  [C:\Users\Shmendan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - hegneaniplmfjcmohoclabblbahcbjoe
Chrome pref Found:  [C:\Users\Shmendan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - oilkkkefbalmbfppgjmgjoefbclebkce
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [5241 Bytes] - [19/12/2016 13:52:56]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5314 Bytes] ##########
 

Edited by shmendan, 20 December 2016 - 01:25 PM.


#11 buddy215
  • Moderator
  • 13,134 posts

Posted 20 December 2016 - 01:44 PM

Rerun AdwCleaner and be sure to choose Clean after scan finishes. Post the new log.

 

The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. To view the log file, Show hidden files and folders must be enabled. New logs are appended to the existing log files when multiple scans are run. 

The path to the log file is the following: C:\users\%userprofile%\appdata\local\temp\log.txt



#12 shmendan
  • Topic Starter
  • Members
  • 11 posts

Posted 20 December 2016 - 07:46 PM

buddy215 wrote:

Rerun AdwCleaner and be sure to choose Clean after scan finishes. Post the new log.

The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. To view the log file, Show hidden files and folders must be enabled. New logs are appended to the existing log files when multiple scans are run.

The path to the log file is the following: C:\users\%userprofile%\appdata\local\temp\log.txt

When I run CCleaner it seems to fix the issue, but the next day, it comes back! When it comes back the next day, I will scan using AdwCleaner and I will post the log. I will post the Rkill log also.



#13 shmendan
  • Topic Starter
  • Members
  • 11 posts

Posted 21 December 2016 - 03:35 PM

Alright, it came back again and here I am with my AdwCleaner log that I literally just ran.

# AdwCleaner v6.041 - Logfile created 21/12/2016 at 14:26:02
# Updated on 16/12/2016 by Malwarebytes
# Database : 2016-12-21.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Shmendan - SHMENDAN-PC
# Running from : C:\Users\Shmendan\Downloads\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce [Wd]
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
:: " Image File Execution Options" keys deleted
:: "Prefetch" files deleted
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1401 Bytes] - [19/12/2016 14:01:05]
C:\AdwCleaner\AdwCleaner[C2].txt - [1377 Bytes] - [19/12/2016 14:17:56]
C:\AdwCleaner\AdwCleaner[C3].txt - [1836 Bytes] - [19/12/2016 14:27:40]
C:\AdwCleaner\AdwCleaner[C4].txt - [1967 Bytes] - [20/12/2016 12:08:37]
C:\AdwCleaner\AdwCleaner[C5].txt - [1228 Bytes] - [21/12/2016 14:26:02]
C:\AdwCleaner\AdwCleaner[S0].txt - [5469 Bytes] - [19/12/2016 13:52:56]
C:\AdwCleaner\AdwCleaner[S1].txt - [1429 Bytes] - [19/12/2016 14:00:29]
C:\AdwCleaner\AdwCleaner[S2].txt - [1462 Bytes] - [19/12/2016 14:06:22]
C:\AdwCleaner\AdwCleaner[S3].txt - [1502 Bytes] - [19/12/2016 14:17:41]
C:\AdwCleaner\AdwCleaner[S4].txt - [1715 Bytes] - [19/12/2016 14:22:26]
C:\AdwCleaner\AdwCleaner[S5].txt - [1788 Bytes] - [19/12/2016 14:27:28]
C:\AdwCleaner\AdwCleaner[S6].txt - [1867 Bytes] - [19/12/2016 14:33:48]
C:\AdwCleaner\AdwCleaner[S7].txt - [1940 Bytes] - [19/12/2016 14:35:07]
C:\AdwCleaner\AdwCleaner[S8].txt - [2013 Bytes] - [20/12/2016 12:07:31]
C:\AdwCleaner\AdwCleaner[S9].txt - [2160 Bytes] - [21/12/2016 10:45:20]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C5].txt - [2031 Bytes] ##########
 
 
 
 
 
I also got Rkill and I ran it as an administrator. It opened up a command prompt and terminated 1 process. Here is the log for it.
 
Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 12/21/2016 02:32:26 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\TEMP\g1584.tmp.exe (PID: 2704) [WD-HEUR]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
 * TBS [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1 v1.ff.avast.com 
  127.0.0.1 vlcproxy.ff.avast.com 
 
Program finished at: 12/21/2016 02:34:42 PM
Execution time: 0 hours(s), 2 minute(s), and 15 seconds(s)
 
 
 
It has not told me to reboot, so should I reboot anyway? Oh, and the browser hijacker is still there :/

Edited by shmendan, 21 December 2016 - 03:36 PM.
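The Rkill log above carries the four findings that matter for a recurring temp-file dropper: a process launched from C:\Windows\TEMP, a RunOnce value that AdwCleaner keeps deleting and that keeps reappearing, a Windows Defender policy value that disables Defender, and HOSTS entries that point Avast's update hosts at 127.0.0.1 so the product cannot update. Deleting the .tmp.exe alone does not help while whatever relaunches it is still in place. The read-only PowerShell triage script below is an added example, not code from this thread or from Rkill, AdwCleaner or any other tool named in it; it lists the usual autostart locations and flags entries that reference a temp or ProgramData path so the persistence source can be found before the file is removed again. It assumes an elevated PowerShell prompt on Windows 7 or later with an English locale (the schtasks column name 'Task To Run' is locale-dependent); the path patterns are assumptions chosen from the paths in the logs above.

```powershell
# Read-only persistence triage for a recurring %TEMP% executable.
# Added example for this thread, not code from any of the tools mentioned in it.
# Run from an elevated PowerShell prompt; nothing here deletes or changes anything.

# Assumed path patterns, taken from the locations seen in the thread's logs.
$tempPatterns = @('\\Windows\\TEMP\\', '\\AppData\\Local\\Temp\\', '\\ProgramData\\')

function Test-SuspiciousPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    foreach ($p in $tempPatterns) {
        if ($Command -match $p) { return $true }   # -match is case-insensitive
    }
    return $false
}

# 1. Autostart registry values: machine and user hives, 64-bit and 32-bit views.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Autostart registry values =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds.
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
             Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $value = [string]$props.$name
        $flag = if (Test-SuspiciousPath $value) { '[CHECK]' } else { '       ' }
        "$flag $key\$name = $value"
    }
}

# 2. Scheduled tasks. schtasks works on Windows 7, where Get-ScheduledTask does not exist.
#    Repeated CSV header rows from schtasks become harmless rows that never match.
"== Scheduled tasks whose action runs from a temp/ProgramData path =="
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { Test-SuspiciousPath $_.'Task To Run' } |
    ForEach-Object { "[CHECK] $($_.TaskName) -> $($_.'Task To Run')" }

# 3. Services whose binary lives in a temp or ProgramData path.
"== Services with a binary in a temp/ProgramData path =="
Get-WmiObject Win32_Service |
    Where-Object { Test-SuspiciousPath $_.PathName } |
    ForEach-Object { "[CHECK] $($_.Name) ($($_.State)) -> $($_.PathName)" }

# 4. The Defender policy value Rkill reported. A value of 1 disables Defender by policy.
"== Windows Defender policy =="
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $policy) {
    $v = (Get-ItemProperty -Path $policy).DisableAntiSpyware
    if ($v -eq 1) { "[CHECK] DisableAntiSpyware = 1 (Defender disabled by policy)" }
    else { "DisableAntiSpyware is not set to 1" }
} else {
    "No Windows Defender policy key present"
}

# 5. HOSTS entries. Vendor update hosts pointed at 127.0.0.1 block that product from updating.
"== HOSTS entries other than the default localhost line =="
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { "[CHECK] $_" }
```

Lines marked [CHECK] are candidates for review, not verdicts: legitimate installers also use RunOnce and ProgramData, so compare each flagged command against the file names from the Avast and Rkill reports. Because the prompt is elevated, HKCU here is the hive of the account running the script; if the hijack appears only under another user, run it from that account as well. Nothing in the script removes anything, which keeps the evidence intact for whichever cleanup tool is run next.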


#14 buddy215
  • Moderator
  • 13,134 posts

Posted 21 December 2016 - 04:03 PM

Do a clean uninstall of Google Chrome. That will remove your profile including your bookmarks. You can save your bookmarks before uninstalling if you would like to do that.

  1. On your computer, close all Chrome windows and tabs.
  2. Open the Control Panel:
    • Windows 7 & Vista: Click the Start menu > Control Panel.
    • Windows 8: Point to the top right of your screen. Click Settings > Control Panel.
  3. Click Uninstall a program or Programs and Features.
  4. Double-click Google Chrome.
  5. To delete your profile information, like bookmarks and history, check "Also delete your browsing data."
  6. Click Uninstall.

 

How to back up bookmarks in Chrome

To back up your bookmarks in Chrome, follow the steps below:

  1. Click the three horizontal lines at the top-right of Google Chrome and go to Bookmarks, or just type chrome://bookmarks/#1 in the browser.
  2. In Bookmarks, go to the Bookmark manager tab, click on the Organize option and then click on Export bookmarks to HTML file.
  3. To restore bookmarks, again go to Bookmark manager -> Organize -> Import bookmarks from HTML file. Select your file and click Open.

Download and install Google Chrome



#15 shmendan
  • Topic Starter
  • Members
  • 11 posts

Posted 21 December 2016 - 04:12 PM

It works fine now, but it might come back tomorrow. I will report back tomorrow. Thanks for all the help!





