
Google.com not working


  • This topic is locked
12 replies to this topic

#1 aqdasios
  • Members
  • 7 posts
Posted 11 January 2017 - 02:29 PM

Hello,
Being too careful was not enough, I think. I downloaded the last episode of Sherlock, and there was a readme file saying to install the latest codec if you have problems with your video player, and stupidly I just did it.
It installed a bunch of applications; I managed to delete them, but the main problem is Firefox blocking google.com, returning "unsafe signature" or something like this.

I used Malwarebytes and AdwCleaner; they found a ton of malware.

But the problem wasn't solved by them; now Firefox just returns this message when I try to access Google:

function httpGetAsync(theUrl, callback) {
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.onreadystatechange = function() {
        if (xmlHttp.readyState == 4 && xmlHttp.status == 200)
            callback(xmlHttp.responseText);
    }
    xmlHttp.open("GET", theUrl, true); // true for asynchronous
    xmlHttp.send(null);
}
document.onclick = function() {
    window.open("http://www1.xmediaserve.com/apu.php?n=&zoneid=17529&cb=INSERT_RANDOM_NUMBER_HERE&direct=1")
    document.onclick = null;
    httpGetAsync("http://sstatic1.histats.com/0.gif?3685753&101", null);
}

 


and more. Now YouTube is not working too [as in the attached picture].

I used the Farbar tool and got FRST.txt and Addition.txt.


Could anyone help me with this?


 

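What the poster saw in place of google.com is a click hijack: the script installs a document.onclick handler so that the first click anywhere opens a pop-under at www1.xmediaserve.com and then fires a tracking beacon to sstatic1.histats.com. Pulling the network indicators out of a paste like that, and out of the FRST lines that appear later in this thread, is a small parsing job worth automating. The Python below is an added example written for this thread; it is not code from the poster or from any tool named here. Its only input is the snippet above plus two FRST lines copied from the thread, embedded as sample text, and it assumes nothing beyond the standard library.

```python
"""Extract and defang network indicators from the injected script and from
FRST-style log lines such as the ones posted in this thread.

Added example for this thread; not part of the original posts or of any
tool mentioned here. SAMPLE is copied from the thread itself.
"""
import re
from urllib.parse import urlsplit

# Sample input: two lines of the script Firefox rendered in place of
# google.com (post #1) and two FRST lines from post #3 (FRST itself writes
# "hxxp" so that logged indicators are not clickable).
SAMPLE = r"""
window.open("http://www1.xmediaserve.com/apu.php?n=&zoneid=17529&cb=INSERT_RANDOM_NUMBER_HERE&direct=1")
httpGetAsync("http://sstatic1.histats.com/0.gif?3685753&101", null);
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://newtab.club
FF Homepage: Mozilla\Firefox\Profiles\x68zkcwc.default -> hxxps://newtab.club
"""

# Matches http/https as well as the hxxp/hxxps spelling used in analyst
# output, so one pass covers browser-rendered source and tool logs.
URL_RE = re.compile(r'\bh(?:tt|xx)ps?://[^\s"\'<>)]+', re.IGNORECASE)


def refang(url: str) -> str:
    """Turn hxxp(s):// back into http(s):// so urlsplit can parse it."""
    return re.sub(r'^hxxp', 'http', url, flags=re.IGNORECASE)


def defang(url: str) -> str:
    """Neutralise a URL for reporting: hxxp scheme and [.] in the host."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ''
    safe_host = host.replace('.', '[.]')
    scheme = 'hxxps' if parts.scheme == 'https' else 'hxxp'
    rest = parts.path
    if parts.query:
        rest += '?' + parts.query
    return f"{scheme}://{safe_host}{rest}"


def extract_iocs(text: str) -> dict:
    """Return the unique hosts and the defanged URLs found in `text`.

    Hosts are lower-cased and sorted; URLs keep first-seen order so the
    output lines up with the input when it is reviewed by hand.
    """
    urls, hosts = [], set()
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip('.,;')
        host = urlsplit(refang(raw)).hostname
        if not host:
            continue
        hosts.add(host.lower())
        d = defang(raw)
        if d not in urls:
            urls.append(d)
    return {"hosts": sorted(hosts), "urls": urls}


if __name__ == "__main__":
    found = extract_iocs(SAMPLE)
    for host in found["hosts"]:
        print(host)
    for url in found["urls"]:
        print(url)
```

The three hosts it returns for the sample are the ones that recur through the rest of the thread (the pop-under network, the beacon host, and the newtab.club homepage that the fixlist removes), which is the list you would hand to whoever runs the DNS or proxy logs.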

#2 nasdaq
  • Malware Response Team
  • 40,464 posts
  • Location: Montreal, QC. Canada

Posted 12 January 2017 - 11:49 AM

Sorry, not intended for your problem.

Edited by nasdaq, 12 January 2017 - 11:51 AM.


#3 nasdaq
  • Malware Response Team
  • 40,464 posts
  • Location: Montreal, QC. Canada

Posted 12 January 2017 - 02:00 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
KMSnano 22 (HKLM\...\KMSnano 22_is1) (Version: KMSnano 22 - )
KMSpico 4.5 (HKLM\...\KMSpico v4.5_is1) (Version: 4.5 - )
Pando Media Booster (HKLM-x32\...\{980A182F-E0A2-4A40-94C1-AE0C1235902E}) (Version: 2.6.0.7 - Pando Networks Inc.)
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Hosts:

() C:\Program Files\KMSpico\Service_KMS.exe
HKLM-x32\...\Run: [LManager] => [X]
ShellExecuteHooks: No Name - {8395822C-D1C8-11E6-9072-64006A5CFC23} - C:\Users\Monster\AppData\Roaming\Gireshckcge\Chpyhobi.dll -> No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-610582492-2239252882-2337771158-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://newtab.club
HKU\S-1-5-21-610582492-2239252882-2337771158-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://newtab.club
SearchScopes: HKU\.DEFAULT -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-610582492-2239252882-2337771158-1002 -> DefaultScope {95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} URL =
SearchScopes: HKU\S-1-5-21-610582492-2239252882-2337771158-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
SearchScopes: HKU\S-1-5-21-610582492-2239252882-2337771158-1002 -> {BFCBF23C-3DAD-482D-B128-6584ABA9D558} URL =
FF user.js: detected! => C:\Users\Monster\AppData\Roaming\Mozilla\Firefox\Profiles\x68zkcwc.default\user.js [2015-01-08]
FF Homepage: Mozilla\Firefox\Profiles\x68zkcwc.default -> hxxps://newtab.club
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
FF Plugin-x32: @cfca.com/SecEditCtl.BOC,version=3.0.1.2 -> C:\Windows\system32\npSecEditCtl.BOC.x86.dll [No File]
FF Plugin-x32: @microdone.cn/UPEditor -> C:\Windows\system32\UPEdit\npUPEditor2.dll [No File]
CHR Profile: C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-01-11] <==== ATTENTION
CHR Extension: (High Contrast) - C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\djcfdncoelnlbldjfhinnjlhdjlikmph [2016-11-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-25]
CHR Extension: (No Name) - C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pbdpajcdgknpendpmecafmopknefafha [2017-01-09]
CHR Extension: (Chrome Media Router) - C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-31]
R2 Qotackcoaback; C:\Program Files (x86)\Anomusyercit\drhcnf.dll [178688 2017-01-09] () [File not signed]
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [454144 2013-03-27] () [File not signed]
S3 athr; \SystemRoot\system32\DRIVERS\athrx.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
Task: {38B9F05F-AE22-4470-ACED-8BB74CB86B0B} - System32\Tasks\Trigger KMS Activation => C:\Program Files\KMSnano\TriggerKMS.exe [2013-01-26] ()
Shortcut: C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Video to GIF\Video to GIF on the Web.lnk -> hxxp:
Shortcut: C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gl? ?hr?m?.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\G??gl? ?hr?m?.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\??zill? Fir?f??.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
ShortcutWithArgument: C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> 2 0 <===== Cyrillic
2014-03-14 15:49 - 2013-03-27 23:58 - 00454144 ___SH () C:\Program Files\KMSpico\Service_KMS.exe
AlternateDataStreams: C:\Users\Monster\Desktop\Aqdas SBS.pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Monster\Desktop\Aqdas_ch.docx:com.dropbox.attributes [168]
FirewallRules: [{05883C8C-7CE8-4512-9D9B-3B1C7B563BF6}] => C:\Program Files\KMSpico\KMSServer.exe
FirewallRules: [{3BF41268-A766-4078-8794-FD58DD762664}] => C:\Program Files\KMSpico\KMSServer.exe
C:\Program Files\KMSnano
C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Video to GIF\Video to GIF on the Web.lnk
C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please let me know what problem persists with this computer.
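The Shortcut lines marked <===== Cyrillic in the fixlist above are the browser-hijack pattern: a Start Menu or desktop .lnk whose visible name reads "Google Chrome" or "Mozilla Firefox" but is spelled with Cyrillic lookalike letters, pointing at RewRun3.exe under the user's AppData rather than at the browser itself. The Python below is an added check for that pattern written for this thread; it is not FRST's code or the poster's. Its FRST-style sample lines are constructed, because the page's copy of the log shows the lookalike names only as "?", so Cyrillic letters are substituted to rebuild the pattern, and the confusable table is a small hand-made subset rather than a complete one. The fourth sample line, a clean firefox.exe launched with a URL argument, is a constructed variant of the ShortcutWithArgument entry and not something the log above shows.

```python
"""Spot the shortcut hijack FRST flags as "<===== Cyrillic": a .lnk named
like a browser with Cyrillic lookalike letters, whose target sits in the
user profile instead of the browser's install folder.

Added example for this thread, not code from FRST or from the original
posts. SAMPLE_LINES are constructed; the Cyrillic letters (U+0421 for C,
U+043E for o, U+0435 for e, U+0430 for a) stand in for the "?" shown on
the page. CONFUSABLES is a hand-made subset, not a complete table.
"""
import re
import unicodedata

# Constructed sample lines in FRST's "Shortcut:" / "ShortcutWithArgument:"
# format. Lines 1, 2 and 4 are hijacked; line 3 is a clean shortcut.
SAMPLE_LINES = [
    r"Shortcut: C:\Users\Public\Desktop\Gооglе Сhrоmе.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic",
    r"Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mоzillа Firеfоx.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic",
    r"Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)",
    r"ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://newtab.club",
]

# Hand-made subset of Cyrillic letters that render like Latin ones
# (keys are Cyrillic code points, values their Latin lookalikes).
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "х": "x", "у": "y", "С": "C", "М": "M", "Т": "T",
                             "Н": "H", "В": "B", "К": "K", "Р": "P", "А": "A",
                             "Е": "E", "О": "O"})
BROWSERS = ("google chrome", "mozilla firefox", "internet explorer")


def parse_shortcut_line(line):
    """Split an FRST Shortcut line into its .lnk path, target and argument."""
    kind, sep, rest = line.partition(": ")
    if kind not in ("Shortcut", "ShortcutWithArgument"):
        return None
    rest = re.sub(r"\s*<=+.*$", "", rest)             # drop FRST's attention marker
    parts = rest.split(" -> ")
    target = re.sub(r"\s*\([^()]*\)$", "", parts[1])  # strip "(No File)" / signer
    return {"lnk": parts[0], "target": target,
            "arg": parts[2] if len(parts) > 2 else ""}


def scripts_in(text):
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in `text`."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def looks_like_browser(name):
    """True if the name reads as a browser once lookalikes are folded."""
    return name.translate(CONFUSABLES).lower() in BROWSERS


def check_shortcut(line):
    """Return the reasons a shortcut line is suspicious (empty list = clean)."""
    sc = parse_shortcut_line(line)
    if sc is None:
        return []
    name = sc["lnk"].rsplit("\\", 1)[-1][:-len(".lnk")]
    reasons = []
    if len(scripts_in(name)) > 1:
        reasons.append("mixed-script name")
    if looks_like_browser(name) and "\\appdata\\" in sc["target"].lower():
        reasons.append("browser shortcut targets user profile")
    if looks_like_browser(name) and "://" in sc["arg"]:
        reasons.append("browser launched with a URL argument")
    return reasons


def suspicious_shortcuts(lines):
    """Map each flagged .lnk path to its list of reasons."""
    out = {}
    for line in lines:
        reasons = check_shortcut(line)
        if reasons:
            out[parse_shortcut_line(line)["lnk"]] = reasons
    return out


if __name__ == "__main__":
    for lnk, why in suspicious_shortcuts(SAMPLE_LINES).items():
        print(lnk, "->", ", ".join(why))
```

The mixed-script test is the cheap, generic one: a shortcut name that needs two alphabets is almost never legitimate on an English-locale machine, and it catches lookalikes that are not in the confusable table. The AppData test is the one that matters even when the name is spelled correctly, since a browser shortcut that resolves into a per-user writable folder is the hijack whether or not the name was disguised.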

#4 aqdasios
  • Topic Starter
  • Members
  • 7 posts

Posted 12 January 2017 - 03:39 PM

Everything seems to work fine, thank you for your help.
But what's left from before is that every time I open Firefox these two tabs open automatically:

http://2/
http://0/

It's not a big deal, but I'm asking out of curiosity.

And this is the Fixlog.txt.

Thanks again for helping.

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-01-2017
Ran by Monster (12-01-2017 22:48:12) Run:2
Running from C:\Users\Monster\Desktop\New folder (5)
Loaded Profiles: Monster (Available Profiles: Monster)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Hosts:

() C:\Program Files\KMSpico\Service_KMS.exe
HKLM-x32\...\Run: [LManager] => [X]
ShellExecuteHooks: No Name - {8395822C-D1C8-11E6-9072-64006A5CFC23} - C:\Users\Monster\AppData\Roaming\Gireshckcge\Chpyhobi.dll -> No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-610582492-2239252882-2337771158-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://newtab.club
HKU\S-1-5-21-610582492-2239252882-2337771158-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://newtab.club
SearchScopes: HKU\.DEFAULT -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-610582492-2239252882-2337771158-1002 -> DefaultScope {95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} URL =
SearchScopes: HKU\S-1-5-21-610582492-2239252882-2337771158-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
SearchScopes: HKU\S-1-5-21-610582492-2239252882-2337771158-1002 -> {BFCBF23C-3DAD-482D-B128-6584ABA9D558} URL =
FF user.js: detected! => C:\Users\Monster\AppData\Roaming\Mozilla\Firefox\Profiles\x68zkcwc.default\user.js [2015-01-08]
FF Homepage: Mozilla\Firefox\Profiles\x68zkcwc.default -> hxxps://newtab.club
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
FF Plugin-x32: @cfca.com/SecEditCtl.BOC,version=3.0.1.2 -> C:\Windows\system32\npSecEditCtl.BOC.x86.dll [No File]
FF Plugin-x32: @microdone.cn/UPEditor -> C:\Windows\system32\UPEdit\npUPEditor2.dll [No File]
CHR Profile: C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-01-11] <==== ATTENTION
CHR Extension: (High Contrast) - C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\djcfdncoelnlbldjfhinnjlhdjlikmph [2016-11-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-25]
CHR Extension: (No Name) - C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pbdpajcdgknpendpmecafmopknefafha [2017-01-09]
CHR Extension: (Chrome Media Router) - C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-31]
R2 Qotackcoaback; C:\Program Files (x86)\Anomusyercit\drhcnf.dll [178688 2017-01-09] () [File not signed]
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [454144 2013-03-27] () [File not signed]
S3 athr; \SystemRoot\system32\DRIVERS\athrx.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
Task: {38B9F05F-AE22-4470-ACED-8BB74CB86B0B} - System32\Tasks\Trigger KMS Activation => C:\Program Files\KMSnano\TriggerKMS.exe [2013-01-26] ()
Shortcut: C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Video to GIF\Video to GIF on the Web.lnk -> hxxp:
Shortcut: C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gl? ?hr?m?.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\G??gl? ?hr?m?.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\??zill? Fir?f??.lnk -> C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe (No File) <===== Cyrillic
ShortcutWithArgument: C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> 2 0 <===== Cyrillic
2014-03-14 15:49 - 2013-03-27 23:58 - 00454144 ___SH () C:\Program Files\KMSpico\Service_KMS.exe
AlternateDataStreams: C:\Users\Monster\Desktop\Aqdas SBS.pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Monster\Desktop\Aqdas_ch.docx:com.dropbox.attributes [168]
FirewallRules: [{05883C8C-7CE8-4512-9D9B-3B1C7B563BF6}] => C:\Program Files\KMSpico\KMSServer.exe
FirewallRules: [{3BF41268-A766-4078-8794-FD58DD762664}] => C:\Program Files\KMSpico\KMSServer.exe
C:\Program Files\KMSnano
C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Video to GIF\Video to GIF on the Web.lnk
C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk

Reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
C:\Program Files\KMSpico\Service_KMS.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\LManager => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{8395822C-D1C8-11E6-9072-64006A5CFC23} => value removed successfully
HKCR\CLSID\{8395822C-D1C8-11E6-9072-64006A5CFC23} => key not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\S-1-5-21-610582492-2239252882-2337771158-1002\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value removed successfully
HKU\S-1-5-21-610582492-2239252882-2337771158-1002\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-610582492-2239252882-2337771158-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-610582492-2239252882-2337771158-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
HKU\S-1-5-21-610582492-2239252882-2337771158-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BFCBF23C-3DAD-482D-B128-6584ABA9D558} => key removed successfully
HKCR\CLSID\{BFCBF23C-3DAD-482D-B128-6584ABA9D558} => key not found.
C:\Users\Monster\AppData\Roaming\Mozilla\Firefox\Profiles\x68zkcwc.default\user.js => moved successfully
C:\Users\Monster\AppData\Roaming\Mozilla\Firefox\Profiles\x68zkcwc.default\user.js => not found.
Firefox "homepage" removed successfully
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\msktbird@mcafee.com => value removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@cfca.com/SecEditCtl.BOC,version=3.0.1.2 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microdone.cn/UPEditor => key removed successfully
C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData => moved successfully
C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\djcfdncoelnlbldjfhinnjlhdjlikmph => not found
C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => not found
C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pbdpajcdgknpendpmecafmopknefafha => not found
C:\Users\Monster\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => not found
HKLM\System\CurrentControlSet\Services\Qotackcoaback => key removed successfully
Qotackcoaback => service removed successfully
Service KMSELDI => service not found.
HKLM\System\CurrentControlSet\Services\athr => key removed successfully
athr => service removed successfully
HKLM\System\CurrentControlSet\Services\xhunter1 => key removed successfully
xhunter1 => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{38B9F05F-AE22-4470-ACED-8BB74CB86B0B} => key not found.
C:\Windows\System32\Tasks\Trigger KMS Activation => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Trigger KMS Activation => key not found.
"C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk" => Could not move.
C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Video to GIF\Video to GIF on the Web.lnk => moved successfully
C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gl? ?hr?m?.lnk => not found.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk" => Could not move.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk" => Could not move.
C:\Users\Public\Desktop\G??gl? ?hr?m?.lnk => not found.
"C:\Users\Public\Desktop\??zill? Fir?f??.lnk" => Could not move.
C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged.
"C:\Program Files\KMSpico\Service_KMS.exe" => not found.
C:\Users\Monster\Desktop\Aqdas SBS.pdf => ":com.dropbox.attributes" ADS removed successfully.
C:\Users\Monster\Desktop\Aqdas_ch.docx => ":com.dropbox.attributes" ADS removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{05883C8C-7CE8-4512-9D9B-3B1C7B563BF6} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3BF41268-A766-4078-8794-FD58DD762664} => value not found.
"C:\Program Files\KMSnano" => not found.
"C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Video to GIF\Video to GIF on the Web.lnk" => not found.
"C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 25165824 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 21114593 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => -2072 B
Edge => 0 B
Chrome => 0 B
Firefox => 379152804 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 1582 B
NetworkService => 0 B
UpdatusUser => 0 B
Monster => 3773069 B
UpdatusUser => 0 B

RecycleBin => 39036912 B
EmptyTemp: => 446.6 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 22:50:04 ====
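A Fixlog is long and most of it is good news; what matters for the next step is the handful of entries FRST could not act on. In the log above those are the four shortcuts that "Could not move" and the pinned Firefox shortcut whose argument could not be repaired, and RogueKiller later in the thread lists the same shortcuts. The Python below, an added example for this thread and not FRST's code, groups the result lines by outcome and returns the failed ones; its sample is a shortened copy of the Fixlog above, with the garbled "?" shortcut names kept exactly as the page shows them.

```python
"""Triage an FRST Fixlog: which fixlist entries were removed, which were
already gone, and which the tool could not touch and still need follow-up.

Added example for this thread, not part of FRST or of the original posts.
SAMPLE_FIXLOG is a shortened copy of the Fixlog posted in this thread.
"""

SAMPLE_FIXLOG = r"""
fixlist content:
*****************
Start
HKLM-x32\...\Run: [LManager] => [X]
Reboot:
End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\LManager => value removed successfully
HKCR\CLSID\{8395822C-D1C8-11E6-9072-64006A5CFC23} => key not found.
C:\Users\Monster\AppData\Roaming\Mozilla\Firefox\Profiles\x68zkcwc.default\user.js => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk" => Could not move.
"C:\Users\Public\Desktop\??zill? Fir?f??.lnk" => Could not move.
C:\Users\Monster\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged.
Service KMSELDI => service not found.
Qotackcoaback => service removed successfully
"""


def result_lines(text):
    """Drop the echoed fixlist (the block between the two '*****' lines).

    The echo repeats fixlist directives such as "[LManager] => [X]" that
    contain the same " => " separator as real results and must not be
    counted as outcomes.
    """
    lines = text.splitlines()
    seps = [i for i, l in enumerate(lines)
            if l.strip() and set(l.strip()) == {"*"}]
    return lines[seps[1] + 1:] if len(seps) >= 2 else lines


def classify(outcome):
    """Bucket an outcome phrase: failed, absent, done or other."""
    o = outcome.lower()
    if o.startswith("could not"):
        return "failed"
    if "not found" in o or "no running process" in o:
        return "absent"
    if "successfully" in o:
        return "done"
    return "other"


def parse_fixlog(text):
    """Return one record per '<item> => <outcome>' result line."""
    results = []
    for line in result_lines(text):
        item, sep, outcome = line.partition(" => ")
        if not sep:
            continue
        results.append({"item": item.strip().strip('"'),
                        "outcome": outcome.strip(),
                        "status": classify(outcome)})
    return results


def summary(text):
    """Count of result lines per status bucket."""
    counts = {}
    for r in parse_fixlog(text):
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


def unresolved(text):
    """Items FRST reported it could not remove, in log order."""
    return [r["item"] for r in parse_fixlog(text) if r["status"] == "failed"]


if __name__ == "__main__":
    print(summary(SAMPLE_FIXLOG))
    for item in unresolved(SAMPLE_FIXLOG):
        print("still present:", item)
```

"Absent" entries are not a problem: they mean an earlier tool, or the reboot, already removed the item (here the KMSELDI service and the CLSID). The "failed" list is the input to the next round, and for shortcuts that FRST cannot move it is worth checking whether the file is locked, owned by another account, or has a name the tool cannot encode.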


#5 nasdaq
  • Malware Response Team
  • 40,464 posts
  • Location: Montreal, QC. Canada

Posted 13 January 2017 - 11:08 AM



Refer to this article.
http://techdows.com/2014/02/enable-http2-in-firefox.html

Type about:config in the location bar and press Enter.

How are these entries set, true or false?
Set the network.http.spdy.enabled.http2draft and security.ssl.enable_alpn preference values to true (from false).

#6 aqdasios
  • Topic Starter
  • Members
  • 7 posts

Posted 14 January 2017 - 06:25 AM

I couldn't find network.http.spdy.enabled.http2draft,
but I found security.ssl.enable_alpn and it was already true.



#7 nasdaq
  • Malware Response Team
  • 40,464 posts
  • Location: Montreal, QC. Canada

Posted 14 January 2017 - 10:13 AM

Let's see what the registry search will give us.

SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    http://2/
    http://0/
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop, entitled SystemLook.txt.
===

#8 aqdasios
  • Topic Starter
  • Members
  • 7 posts

Posted 14 January 2017 - 10:36 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 18:16 on 14/01/2017 by Monster
Administrator - Elevation successful

========== regfind ==========

Searching for "http://2/"
No data found.

Searching for "http://0/"
No data found.

-= EOF =-


#9 nasdaq
  • Malware Response Team
  • 40,464 posts
  • Location: Montreal, QC. Canada

Posted 14 January 2017 - 01:58 PM

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#10 aqdasios
  • Topic Starter
  • Members
  • 7 posts

Posted 14 January 2017 - 03:53 PM

This is before removing:

RogueKiller V12.9.2.0 (x64) [Jan  9 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200) 64 bits version
Started in : Normal mode
User : Monster [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/14/2017 22:52:08 (Duration : 00:50:47)

¤¤¤ Processes : 4 ¤¤¤
[VT.Unknown] webservd.exe(2668) -- C:\Program Files (x86)\IMFirewall\WFilter\webservd.exe[7] -> Found
[VT.Unknown] userAgent.exe(2892) -- C:\Program Files (x86)\IMFirewall\WFilter\userAgent.exe[7] -> Found
[VT.Unknown] webcategory.exe(2916) -- C:\Program Files (x86)\IMFirewall\WFilter\webcategory.exe[7] -> Found
[VT.Unknown] startsys.exe(9064) -- C:\Program Files (x86)\IMFirewall\WFilter\startsys.exe[7] -> Found

¤¤¤ Registry : 10 ¤¤¤
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{8395822C-D1C8-11E6-9072-64006A5CFC23} (C:\Users\Monster\AppData\Roaming\Gireshckcge\Chpyhobi.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} (C:\Program Files (x86)\Youtube AdBlock\IEEF\_LCtDrh.dll) -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-610582492-2239252882-2337771158-1002\Software\IM -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-610582492-2239252882-2337771158-1002\Software\IM -> Found
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AIPS (C:\Program Files (x86)\netcut\services\AIPS.exe) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1F686B85-8800-44E4-B48B-9948C0CC161A} | DhcpNameServer : 172.20.10.1 ([])  -> Found
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E0124C98-3703-4701-AEF0-38783E135546} : v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KMSServer.exe|Name=CODYQX4 Emulator| [x] -> Found
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {30EDC1B1-F8FD-439C-9350-56E7C66441DF} : v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KMSServer.exe|Name=CODYQX4 Emulator| [x] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Tr.Gen0|Suspicious.Path] \Microsoft\Windows\Multimedia\Manager -- C:\Users\Monster\AppData\Roaming\Adobe\Manager.exe (604C4206-B430-43E1-A102-8BF11249AEC2) -> Found

¤¤¤ Files : 27 ¤¤¤
[PUP.Gen0][File] C:\Users\Public\Desktop\??zill? Fir?f??.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 2 0 -> Found
[PUP.Gen0][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 3 1 -> Found
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeChat\UninstallWeChat.lnk [LNK@] C:\PROGRA~2\Tencent\WeChat\UNINST~1.EXE -> Found
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeChat\WeChat.lnk [LNK@] C:\PROGRA~2\Tencent\WeChat\WeChat.exe -> Found
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41073\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41162\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.8_42576\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.9_42923\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Found
[PUP.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 1 0 -> Found
[PUP.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 2 0 -> Found
[PUP.HackTool][Folder] C:\Program Files\KMSpico -> Found
[PUP.HackTool][Folder] C:\Program Files (x86)\netcut -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Tencent -> Found
[PUP.Gen0][File] C:\Users\Public\Desktop\??zill? Fir?f??.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 2 0 -> Found
[PUP.Gen0][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 3 1 -> Found
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeChat\UninstallWeChat.lnk [LNK@] C:\PROGRA~2\Tencent\WeChat\UNINST~1.EXE -> Found
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeChat\WeChat.lnk [LNK@] C:\PROGRA~2\Tencent\WeChat\WeChat.exe -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-22V0TT0 +++++
--- User ---
[MBR] 3b760448ef80038b672328bed8c5e7aa
[BSP] f72ab7aead03320091e181d167f4b44d : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 232213 MB
4 - Basic data partition | Offset (sectors): 477270016 | Size: 229487 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 947261440 | Size: 14410 MB
User = LL1 ... OK
User = LL2 ... OK

And this one is after removing:

RogueKiller V12.9.2.0 (x64) [Jan  9 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200) 64 bits version
Started in : Normal mode
User : Monster [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 01/14/2017 22:52:08 (Duration : 00:50:47)

¤¤¤ Processes : 4 ¤¤¤
[VT.Unknown] webservd.exe(2668) -- C:\Program Files (x86)\IMFirewall\WFilter\webservd.exe[7] -> Found
[VT.Unknown] userAgent.exe(2892) -- C:\Program Files (x86)\IMFirewall\WFilter\userAgent.exe[7] -> Found
[VT.Unknown] webcategory.exe(2916) -- C:\Program Files (x86)\IMFirewall\WFilter\webcategory.exe[7] -> Found
[VT.Unknown] startsys.exe(9064) -- C:\Program Files (x86)\IMFirewall\WFilter\startsys.exe[7] -> Found

¤¤¤ Registry : 10 ¤¤¤
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{8395822C-D1C8-11E6-9072-64006A5CFC23} (C:\Users\Monster\AppData\Roaming\Gireshckcge\Chpyhobi.dll) -> Not selected
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B} (C:\Program Files (x86)\Youtube AdBlock\IEEF\_LCtDrh.dll) -> Not selected
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-610582492-2239252882-2337771158-1002\Software\IM -> Not selected
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-610582492-2239252882-2337771158-1002\Software\IM -> Not selected
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AIPS (C:\Program Files (x86)\netcut\services\AIPS.exe) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1F686B85-8800-44E4-B48B-9948C0CC161A} | DhcpNameServer : 172.20.10.1 ([])  -> Replaced ()
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E0124C98-3703-4701-AEF0-38783E135546} : v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KMSServer.exe|Name=CODYQX4 Emulator| [x] -> Not selected
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {30EDC1B1-F8FD-439C-9350-56E7C66441DF} : v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KMSServer.exe|Name=CODYQX4 Emulator| [x] -> Not selected
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)

¤¤¤ Tasks : 1 ¤¤¤
[Tr.Gen0|Suspicious.Path] \Microsoft\Windows\Multimedia\Manager -- C:\Users\Monster\AppData\Roaming\Adobe\Manager.exe (604C4206-B430-43E1-A102-8BF11249AEC2) -> Deleted

¤¤¤ Files : 27 ¤¤¤
[PUP.Gen0][File] C:\Users\Public\Desktop\??zill? Fir?f??.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 2 0 -> Deleted
[PUP.Gen0][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 3 1 -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeChat\UninstallWeChat.lnk [LNK@] C:\PROGRA~2\Tencent\WeChat\UNINST~1.EXE -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeChat\WeChat.lnk [LNK@] C:\PROGRA~2\Tencent\WeChat\WeChat.exe -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent -> Removed at reboot [91]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\2558 -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\am.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\ar.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\bg.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\bn.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\ca.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\cs.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\da.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\de.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\el.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\en-GB.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\en-US.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\es-419.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\es.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\et.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\fa.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\fi.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\fil.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\fr.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\gu.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\he.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\hi.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\hr.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\hu.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\id.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\it.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\ja.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\kn.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\ko.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\lt.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\lv.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\ml.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\mr.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\ms.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\nb.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\nl.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\pl.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\pt-BR.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\pt-PT.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\ro.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\ru.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\sk.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\sl.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\sr.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\sv.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\sw.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\ta.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\te.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\th.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\tr.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\uk.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\vi.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\zh-CN.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales\zh-TW.pak -> Removed at reboot [5]
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\locales -> Removed at reboot [91]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\qb.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\qb_100_percent.pak -> Removed at reboot [5]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources\qb_200_percent.pak -> Removed at reboot [5]
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\CefResources -> Removed at reboot [91]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\config\25d2ec66.ini -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\config\3ebffe94.ini -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\config\d2f42068.ini -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\config\update.data -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users\config -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\All Users -> Removed at reboot [91]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\cdn\cdninfo.txt -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\cdn\download -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\cdn\upload -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\cdn -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\host\cgi-mapping_1644363869.xml -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\host\getdns.ini -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\host\host-redirect.xml -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\host\ip.ini -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\host\ipportrecords2.xml -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\host\other_6203005d.getdns2 -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\host -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\improve.xml -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\kvcomm\158525431_1644363869_-1_1484421762_0_93_input.statistic -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\kvcomm\config.ini -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\kvcomm\key_158525431_1644363869_3_1484286584_0_28_ready.monitor -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\kvcomm\key_158525431_1644363869_3_1484376739_0_18_ready.monitor -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\kvcomm\key_158525431_1644363869_3_1484423355_0_90_input.statistic -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\kvcomm\new_strategy_file -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\kvcomm -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\log\cef.log -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\log\MM.mmap2 -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\log\MM_20170111.xlog -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\log\MM_20170112.xlog -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\log\MM_20170113.xlog -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\log\MM_20170114.xlog -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\log\update_20170111.log -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\log\update_20170114.log -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\log -> Deleted
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\patch\26c1968279e33d6368943daf6d4842a1.zip -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat\patch -> Deleted
[PUP.Gen1][Folder] C:\Users\Monster\AppData\Roaming\Tencent\WeChat -> Removed at reboot [91]
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41073\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41162\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.8_42576\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.9_42923\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\Monster\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Deleted
[PUP.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 1 0 -> Deleted
[PUP.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 2 0 -> Deleted
[PUP.HackTool][Folder] C:\Program Files\KMSpico -> Deleted
[PUP.HackTool][File] C:\Program Files\KMSpico\TokensBackup\cache\cache.dat -> Deleted
[PUP.HackTool][Folder] C:\Program Files\KMSpico\TokensBackup\cache -> Deleted
[PUP.HackTool][File] C:\Program Files\KMSpico\TokensBackup\data.dat -> Deleted
[PUP.HackTool][File] C:\Program Files\KMSpico\TokensBackup\tokens.dat -> Deleted
[PUP.HackTool][Folder] C:\Program Files\KMSpico\TokensBackup -> Deleted
[PUP.HackTool][Folder] C:\Program Files (x86)\netcut -> Removed at reboot [91]
[PUP.HackTool][File] C:\Program Files (x86)\netcut\services\aips.exe -> Removed at reboot [5]
[PUP.HackTool][Folder] C:\Program Files (x86)\netcut\services -> Removed at reboot [91]
[PUP.Gen1][Folder] C:\Program Files (x86)\Tencent -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\AndroidAssistHelper.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\avcodec-57.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\avdevice-57.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\avfilter-6.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\avformat-57.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\avutil-55.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\bugreport.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\CEF LICENSE.txt -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\CefResources.data -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\d3dcompiler_43.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\d3dcompiler_47.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\directui license.txt -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\duilib license.txt -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\ffmpegsumo.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\icudtl.dat -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\improve.xml -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\libEGL.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\libgcc_s_dw2-1.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\libGLESv2.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\libiconv-2.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\natives_blob.bin -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\pdf.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\pepflashplayer.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\protobuf-lite LICENSE.txt -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\PrScrn.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\pthreadGC-3.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\QbBridge.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\qbcore.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\snapshot_blob.bin -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\SPEEX LICENSE.txt -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\swresample-2.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\swscale-4.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\tinyxml.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\Uninstall.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\VoipEngine.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\WeChat.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\WeChat.lnk -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\WeChatResource.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\WechatUpdate.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Tencent\WeChat\WeChatWeb.exe -> Deleted
[PUP.Gen1][Folder] C:\Program Files (x86)\Tencent\WeChat -> Deleted
[PUP.Gen0][File] C:\Users\Public\Desktop\??zill? Fir?f??.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 2 0 -> Removed at reboot [2]
[PUP.Gen0][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk [LNK@] C:\Users\Monster\AppData\Roaming\HPRewriter2\RewRun3.exe 3 1 -> Removed at reboot [2]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeChat\UninstallWeChat.lnk [LNK@] C:\PROGRA~2\Tencent\WeChat\UNINST~1.EXE -> Removed at reboot [2]
[PUP.Gen1][File] C:\Users\Monster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeChat\WeChat.lnk [LNK@] C:\PROGRA~2\Tencent\WeChat\WeChat.exe -> Removed at reboot [2]

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-22V0TT0 +++++
--- User ---
[MBR] 3b760448ef80038b672328bed8c5e7aa
[BSP] f72ab7aead03320091e181d167f4b44d : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 232213 MB
4 - Basic data partition | Offset (sectors): 477270016 | Size: 229487 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 947261440 | Size: 14410 MB
User = LL1 ... OK
User = LL2 ... OK

WeChat is a normal app but malware removers keep deleting it!!

#11 aqdasios

aqdasios
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 14 January 2017 - 03:59 PM

I still get those two tabs open when I start Firefox:
http://2/
http://0/



#12 nasdaq

nasdaq
  • Malware Response Team
  • 40,464 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 January 2017 - 09:46 AM


Your copy of WeChat may be compromised.
http://www.isthisfilesafe.com/filename/wechat.exe_details.aspx

===

Check with the Firefox forum for your current issue.
http://forums.mozillazine.org/viewforum.php?f=38

===

#13 aqdasios

aqdasios
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 15 January 2017 - 10:07 AM

RogueKiller already deleted WeChat, and I downloaded it again from the official website and installed it again. There is no problem with it this way?

And thanks again for the help.