HiJackthis log


5 replies to this topic

#1 fixmymalware2017


Posted 10 January 2017 - 05:22 PM

Hi,
Relatively, teksavvy user here...
Tried to use the VirusTotal scan from Autoruns and Process Explorer.
Currently running ESET Online Scanner; I also have Avast antivirus, did Malwarebytes scans, and ran RKill.
I have noticed AdwCleaner coming up with a Firefox page change when I scan, even when I reboot.
 
I think I fixed the problem now... I used ProcMon and put a filter on the registry key affected; it turns out IObit Malware / Advanced SystemCare were changing my homepage to Yahoo. Oddly, for mbamservice (Malwarebytes) and Avast I see a create file on the Firefox preferences path.
 
 
 
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 5:15:14 PM, on 1/10/2017
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.14393.0000)
 
FIREFOX: 50.1.0 (x86 en-US)
Boot mode: Normal
 
Running processes:
C:\Program Files\AVAST Software\Avast\avastui.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\WINDOWS\SysWoW64\ctfmon.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\zerou\Downloads\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =  
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =  
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Skype for Business Click to Call BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - D:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll
O2 - BHO: CmjBrowserHelperObject Object - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files (x86)\Mindjet\MindManager 14\Mm8InternetExplorer.dll
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_112\bin\ssv.dll
O2 - BHO: Logitech SetPoint - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
O2 - BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - D:\PROGRA~2\Microsoft Office\Office15\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_112\bin\jp2ssv.dll
O2 - BHO: IObit Ads Removal - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\IObit\Advanced SystemCare\Surfing Protection\Adblock\Adblock.dll
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKCU\..\Run: [OneDrive] "C:\Users\zerou\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
O4 - HKCU\..\Run: [SpybotPostWindows10UpgradeReInstall] "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
O4 - HKCU\..\Run: [Fences] "C:\program files (x86)\stardock\fences\Fences.exe" /startup
O4 - Startup: DontSleep_x64.exe
O4 - Startup: DontSleep_x64.ini
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Customize Menu - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComSavePass.html
O8 - Extra context menu item: Se&nd to OneNote - res://D:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll/105
O8 - Extra context menu item: Send Image To Mindjet - res://C:\Program Files (x86)\Mindjet\MindManager 14\Mm8InternetExplorer.dll/201
O8 - Extra context menu item: Send Link To Mindjet - res://C:\Program Files (x86)\Mindjet\MindManager 14\Mm8InternetExplorer.dll/203
O8 - Extra context menu item: Send Page To Mindjet - res://C:\Program Files (x86)\Mindjet\MindManager 14\Mm8InternetExplorer.dll/204
O8 - Extra context menu item: Send Text To Mindjet - res://C:\Program Files (x86)\Mindjet\MindManager 14\Mm8InternetExplorer.dll/202
O8 - Extra context menu item: Show RoboForm Toolbar - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComShowToolbar.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
O9 - Extra button: Skype for Business Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - D:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
O9 - Extra 'Tools' menuitem: Skype for Business Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - D:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - https://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9fbea694-7ad1-45c3-a9f2-8e828a0592bd}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - D:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Filter hijack: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Advanced SystemCare Service 10 (AdvancedSystemCareService10) - IObit - C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: ASUS Com Service (asComSvc) - Unknown owner - C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
O23 - Service: ASUS HM Com Service (asHmComSvc) - ASUSTeK Computer Inc. - C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe
O23 - Service: Avast Antivirus (avast! Antivirus) - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: BlackBerry Device Manager - BlackBerry Limited - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
O23 - Service: @%SystemRoot%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll,-1000 (diagnosticshub.standardcollector.service) - Unknown owner - C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate1d26b1f21018f6c) (gupdate1d26b1f21018f6c) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem1d26b1f21022b53) (gupdatem1d26b1f21022b53) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Integrated Clock Controller Service - Intel® ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: IMF Service (IMFservice) - IObit - C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: LiveUpdate (LiveUpdateSvc) - IObit - C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
O23 - Service: ManyCam Service - Visicom Media Inc. - C:\ProgramData\ManyCam\Service\ManyCamService.exe
O23 - Service: MBAMScheduler - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: Netlogon - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: RIM MDNS - Apple Inc. - C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe
O23 - Service: BlackBerry Link Communication Manager (RIM Tunnel Service) - BlackBerry Limited - C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: scc - Unknown owner - C:\WINDOWS\system32\scc.exe
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\WINDOWS\System32\SensorDataService.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\WINDOWS\system32\TieringEngineService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\WINDOWS\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 13865 bytes
 
 
AdwCleaner log... these entries show up each time I reboot, even after AdwCleaner supposedly does its magic.
 
***** [ Registry ] *****
 
Data Found:  HKU\S-1-5-21-24983673-948008275-1473286479-1001\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fs_16_47&para
Data Found:  HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fs_16_47&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3
Data Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fs_16_47&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa
 
 
***** [ Web browsers ] *****
 
Firefox pref Found:  [C:\Users\zerou\AppData\Roaming\Mozilla\Firefox\Profiles\047b3c1h.default\prefs.js] - "browser.startup.homepage" -  "hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fs
No malicious Chromium based browser items found.

Edited by EltonAguiar, 10 January 2017 - 05:54 PM.


#2 nasdaq


  • Malware Response Team

Posted 11 January 2017 - 11:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.
===

p.s.
HijackThis is no longer supported and not ready for your operating system.
I suggest you remove it via the Control Panel > Programs > Programs and Features.
Use the Farbar tool from now on to report problems.
<<<>>>

#3 fixmymalware2017

  • Topic Starter


Posted 11 January 2017 - 12:12 PM

I kept getting a timeout when pasting FRST :(

Attached Files



#4 nasdaq


  • Malware Response Team

Posted 11 January 2017 - 02:08 PM


Remove this program in bold via the Control Panel > Programs > Programs and Features.
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
IFEO\taskmgr.exe: [Debugger] "D:\USERS\ZEROU_000\DOWNLOADS\PROCESSEXPLORER\PROCEXP.EXE"
SearchScopes: HKU\S-1-5-21-24983673-948008275-1473286479-1001 -> {E06B85D6-A440-4CF1-AF13-715FCF6F2798} URL = hxxps://ca.search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [No File]
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Extension: (Chrome Web Store Payments) - C:\Users\zerou\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-10]
CHR HKLM-x32\...\Chrome\Extension: [fabhkdeopjkcpkmofliimbjckmocfiom] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
U0 qjfs; C:\WINDOWS\System32\drivers\ftllahr.sys [79064 2017-01-11] (Malwarebytes)
C:\WINDOWS\System32\drivers\ftllahr.sys

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Please let me know what problem persists with this computer.
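A read-only audit of the hijack locations this thread's AdwCleaner and FRST logs touched (IE Start Page and SearchScopes, the Firefox browser.startup.homepage pref, and IFEO Debugger values). This is an added example, not code from the thread or from the Farbar tool; it assumes it is run as the affected user so HKCU: and $env:APPDATA point at that profile, and the search-engine pattern is only the host seen in these logs.

```powershell
# Added example (not from the thread). Read-only: reports suspect entries, changes nothing.
# Assumption: run in the affected user's session so HKCU: and $env:APPDATA resolve correctly.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Where, [string]$Value) {
    $findings.Add([pscustomobject]@{ Location = $Where; Value = $Value })
}

# Host seen in this thread's AdwCleaner/FRST entries; widen as needed for other hijackers.
$suspectPattern = 'search\.yahoo\.com'

# 1. IE start/search page values (AdwCleaner flagged HKCU ... \Main [Start Page]).
$ieMainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Main'
)
foreach ($key in $ieMainKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Start Page', 'Default_Page_URL', 'Default_Search_URL', 'Search Page') {
        $val = $props.$name
        if ($val -and $val -match $suspectPattern) { Add-Finding "$key [$name]" $val }
    }
}

# 2. IE SearchScopes: each GUID subkey carries a URL value (the fixlist removed one such GUID).
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    Get-ChildItem $scopes | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath).URL
        if ($url -and $url -match $suspectPattern) { Add-Finding "SearchScopes\$($_.PSChildName) [URL]" $url }
    }
}

# 3. Firefox prefs.js: the homepage is stored as a user_pref line in each profile.
$prefFiles = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue
foreach ($file in $prefFiles) {
    Select-String -Path $file.FullName -Pattern 'user_pref\("browser\.startup\.homepage",\s*"([^"]+)"\)' |
        ForEach-Object {
            $home = $_.Matches[0].Groups[1].Value
            if ($home -match $suspectPattern) { Add-Finding "$($file.FullName) [browser.startup.homepage]" $home }
        }
}

# 4. Image File Execution Options: a Debugger value runs in place of the named executable.
# Report every one; Process Explorer's "Replace Task Manager" option sets this legitimately
# for taskmgr.exe, so a human still has to judge each entry.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding "IFEO\$($_.PSChildName) [Debugger]" $dbg }
}

if ($findings.Count -eq 0) { 'No hijack indicators found in the audited locations.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Running it before and after a cleanup shows whether the homepage entries reappear after a reboot, which is the symptom the topic starter described.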

#5 fixmymalware2017

  • Topic Starter


Posted 11 January 2017 - 02:56 PM

Fixlog posted. When the tool ran, it rebooted afterwards and froze on the Windows logo, so I rebooted by holding the power button.
After that, the Chrome extensions that I use, uBlock (ad blocker) and Chromecast, were removed, and it tried to add some Search and New Tab for Yahoo Chrome extension; I said no to it.
Aside from that, things seem to be running well now, thanks!
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 11-01-2017
Ran by zerou (11-01-2017 14:47:41) Run:1
Running from C:\Users\zerou\Downloads
Loaded Profiles: zerou (Available Profiles: zerou)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
IFEO\taskmgr.exe: [Debugger] "D:\USERS\ZEROU_000\DOWNLOADS\PROCESSEXPLORER\PROCEXP.EXE"
SearchScopes: HKU\S-1-5-21-24983673-948008275-1473286479-1001 -> {E06B85D6-A440-4CF1-AF13-715FCF6F2798} URL = hxxps://ca.search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [No File]
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Extension: (Chrome Web Store Payments) - C:\Users\zerou\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-10]
CHR HKLM-x32\...\Chrome\Extension: [fabhkdeopjkcpkmofliimbjckmocfiom] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
U0 qjfs; C:\WINDOWS\System32\drivers\ftllahr.sys [79064 2017-01-11] (Malwarebytes)
C:\WINDOWS\System32\drivers\ftllahr.sys
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe => key removed successfully
HKU\S-1-5-21-24983673-948008275-1473286479-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E06B85D6-A440-4CF1-AF13-715FCF6F2798} => key removed successfully
HKCR\CLSID\{E06B85D6-A440-4CF1-AF13-715FCF6F2798} => key not found. 
HKLM\Software\Wow6432Node\MozillaPlugins\@Citrix.com/npican => key removed successfully
Chrome DefaultSuggestURL => removed successfully
C:\Users\zerou\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fabhkdeopjkcpkmofliimbjckmocfiom => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => key removed successfully
HKLM\System\CurrentControlSet\Services\qjfs => key removed successfully
qjfs => service removed successfully
C:\WINDOWS\System32\drivers\ftllahr.sys => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 103666628 B
Java, Flash, Steam htmlcache => 22665503 B
Windows/system/drivers => 2216092 B
Edge => 305210 B
Chrome => 768870238 B
Firefox => 12010351 B
Opera => 242688 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 16781976 B
NetworkService => 0 B
zerou => 111071961 B
 
RecycleBin => 0 B
EmptyTemp: => 989.8 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 14:48:01 ====


#6 nasdaq


  • Malware Response Team

Posted 12 January 2017 - 08:47 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
