
Redirects in Chrome - Numerous failed attempts to remove the cause


  • This topic is locked
3 replies to this topic

#1 Marccus

  • Members
  • 3 posts

Posted 16 January 2017 - 11:51 AM

My Chrome browser redirects without my clicking on anything. This typically happens from my homepage, www.drudgereport.com: when the webpage refreshes, the browser page is redirected to spam/phishing sites. I've tried Malwarebytes, AdwCleaner, JRT, HitmanPro, ESET Scanner, and Zemana. A few items were found and removed/quarantined, but the issue remains. I'm at a loss and need help from more knowledgeable people.

 

As the Preparation Guide instructed, the FRST log is copy-pasted below and the Addition log is attached. Thank you!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-01-2017
Ran by Marcus (administrator) on MARCUS-PC (16-01-2017 10:43:17)
Running from C:\Users\Marcus\Desktop\Computer Clean Up\FRST
Loaded Profiles: Marcus (Available Profiles: Marcus)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\stacsv64.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Dominik Reichl) C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1552168 2008-09-25] (Synaptics, Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [QuickSet] => C:\Program Files\Dell\QuickSet\QuickSet.exe [3216544 2010-06-09] (Dell Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [371864 2012-04-05] (Citrix Systems, Inc.)
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\S-1-5-21-1396632235-4199963290-2768434452-1000\...\Policies\system: [DisableChangePassword] 0
HKU\S-1-5-21-1396632235-4199963290-2768434452-1000\...\Policies\system: [DisableLockWorkstation] 0
HKU\S-1-5-21-1396632235-4199963290-2768434452-1000\...\Policies\system: [HideFastUserSwitching] 0
HKU\S-1-5-21-1396632235-4199963290-2768434452-1000\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-21-1396632235-4199963290-2768434452-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> 
AppInit_DLLs-x32: c:/progra~3/{f9b71~1/191~1.1/tose.dll => No File
AppInit_DLLs-x32: , C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [257176 2012-04-05] (Citrix Systems, Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{63505AAD-1CC3-4869-8C36-884FAB5A7CD3}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{BE547A11-CC57-488D-A88D-6CB561087A2F}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{DF1A9C02-4225-43E4-90A9-D56FB85FF338}: [DhcpNameServer] 75.75.76.76 75.75.75.75
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
SearchScopes: HKLM -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-04-15] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-15] (Oracle Corporation)
BHO-x32: CtxIEInterceptorBHO Class -> {2C4631FF-5CC8-4EBC-A0DF-34C92291759E} -> C:\Program Files (x86)\Citrix\ICA Client\IEInterceptor.dll [2012-04-05] (Citrix Systems, Inc.)
DPF: HKLM-x32 {3D3B42C2-11BF-4732-A304-A01384B70D68} hxxp://picasaweb.google.com/s/v/66.36/uploader2.cab
DPF: HKLM-x32 {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: HKLM-x32 {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-04-05] (Citrix Systems, Inc.)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files (x86)\AVG\AVG10\Firefox4
FF Extension: (AVG Safe Search) - C:\Program Files (x86)\AVG\AVG10\Firefox4 [2011-04-30] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-06] ()
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-15] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-06] ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2012-04-05] (Citrix Systems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
StartMenuInternet: FIREFOX.EXE - firefox.exe
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://www.drudgereport.com/
CHR StartupUrls: Default -> "hxxp://www.drudgereport.com/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.7.796\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => No File
CHR Profile: C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default [2017-01-16]
CHR Extension: (Google Drive) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Adobe Acrobat) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-01-16]
CHR Extension: (Google Calendar) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn [2017-01-06]
CHR Extension: (Google Docs Offline) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-14]
CHR Extension: (Google Maps) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2015-09-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Picasa) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\onlgmecjpnejhfeofkgbfgnmdlipdejb [2015-03-22]
CHR Extension: (Gmail) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-27]
CHR Extension: (Chrome Media Router) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
S4 LeapFrog Connect Device Service; C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe [7241728 2014-07-11] (LeapFrog Enterprises, Inc.) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe [244736 2010-01-21] (IDT, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 FlyUsb; C:\Windows\System32\DRIVERS\FlyUsb.sys [24576 2014-07-11] (LeapFrog)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [54736 2017-01-15] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-13] (Microsoft Corporation)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2017-01-15] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2017-01-15] (Zemana Ltd.)
S3 ATMFBUS; system32\DRIVERS\ATMFBUS.sys [X]
S3 ATMFCVsp; system32\DRIVERS\ATMFCVsp.sys [X]
S3 ATMFFLT; system32\DRIVERS\ATMFFLT.sys [X]
S3 ATMFMdm; system32\DRIVERS\ATMFMdm.sys [X]
S3 ATMFNET; system32\DRIVERS\ATMFNET.sys [X]
S3 ATMFNVsp; system32\DRIVERS\ATMFNVsp.sys [X]
S3 ATMFVsp; system32\DRIVERS\ATMFVsp.sys [X]
S3 CtClsFlt; system32\DRIVERS\CtClsFlt.sys [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-16 09:21 - 2017-01-16 10:43 - 00000000 ____D C:\FRST
2017-01-15 21:59 - 2017-01-15 22:00 - 00000000 ____D C:\Users\Marcus\Desktop\Get Printed
2017-01-15 12:37 - 2017-01-15 12:37 - 00000000 ____D C:\Program Files (x86)\ESET
2017-01-15 12:08 - 2017-01-15 12:08 - 00054736 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2017-01-15 12:07 - 2017-01-15 12:07 - 00003002 _____ C:\Windows\system32\.crusader
2017-01-15 11:55 - 2017-01-15 12:07 - 00000000 ____D C:\ProgramData\HitmanPro
2017-01-15 11:14 - 2017-01-16 10:43 - 00102002 _____ C:\Windows\ZAM.krnl.trace
2017-01-15 11:14 - 2017-01-16 10:43 - 00031067 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-01-15 11:14 - 2017-01-15 11:14 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2017-01-15 11:14 - 2017-01-15 11:14 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2017-01-15 11:14 - 2017-01-15 11:14 - 00000000 ____D C:\Users\Marcus\AppData\Local\Zemana
2017-01-14 23:30 - 2017-01-14 23:30 - 00000111 _____ C:\Users\Marcus\Desktop\Delete iPhone backups.txt
2017-01-06 17:53 - 2017-01-16 08:55 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-01-06 17:53 - 2017-01-06 17:53 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-16 10:11 - 2010-09-18 13:27 - 00011120 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-16 10:11 - 2010-09-18 13:27 - 00011120 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-16 10:10 - 2010-09-18 13:28 - 00000000 ____D C:\Users\Marcus
2017-01-16 10:08 - 2009-07-13 23:13 - 00006526 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-16 10:03 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-16 10:02 - 2009-07-14 01:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2017-01-16 10:02 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\registration
2017-01-16 10:02 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\inf
2017-01-16 09:42 - 2010-11-14 11:03 - 00000000 ____D C:\Users\Marcus\AppData\LocalLow\Temp
2017-01-16 09:30 - 2015-11-29 19:28 - 00000000 ____D C:\Users\Marcus\Desktop\Computer Clean Up
2017-01-15 21:53 - 2014-03-01 10:05 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\KeePass
2017-01-15 12:38 - 2010-10-16 09:07 - 00000000 ____D C:\Users\Marcus\Documents\Computer
2017-01-15 12:28 - 2014-03-22 09:52 - 00000000 ____D C:\AdwCleaner
2017-01-15 11:24 - 2014-12-06 10:29 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-15 11:24 - 2014-12-06 10:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2017-01-15 11:24 - 2014-12-06 10:28 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2017-01-13 05:07 - 2015-11-20 21:45 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-01-13 05:07 - 2015-05-22 13:53 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-01-10 05:16 - 2012-05-18 19:29 - 00000000 ____D C:\Users\Marcus\Documents\Food & Health
2017-01-06 17:54 - 2010-09-20 10:05 - 00000000 ____D C:\Users\Marcus\AppData\Local\Adobe
2017-01-06 17:53 - 2012-05-07 15:24 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-01-06 17:53 - 2011-05-15 11:54 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-01-06 17:53 - 2010-09-23 01:01 - 00000000 ____D C:\Windows\system32\Macromed
2017-01-06 17:53 - 2010-09-20 10:46 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-01-06 15:40 - 2014-01-29 21:45 - 00000000 ____D C:\Users\Marcus\Documents\Records
2017-01-05 14:13 - 2010-10-29 22:55 - 00000000 ____D C:\Windows\Minidump
2016-12-23 09:23 - 2010-11-12 08:36 - 00000000 ____D C:\Users\Marcus\AppData\Local\ElevatedDiagnostics
2016-12-17 07:29 - 2010-09-18 13:28 - 00000000 ___RD C:\Users\Marcus\Music
 
==================== Files in the root of some directories =======
 
2015-02-26 18:35 - 2015-03-21 07:41 - 0000020 _____ () C:\Users\Marcus\AppData\Roaming\appdataFr3.bin
2011-09-11 20:01 - 2011-09-11 20:01 - 0038466 _____ () C:\Users\Marcus\AppData\Roaming\Comma Separated Values (DOS).ADR
2011-03-23 16:35 - 2011-03-23 16:35 - 0038463 _____ () C:\Users\Marcus\AppData\Roaming\Comma Separated Values (Windows).ADR
2010-11-09 14:09 - 2011-05-15 15:18 - 0000308 _____ () C:\Users\Marcus\AppData\Roaming\Rim.Desktop.Exception.log
2010-11-09 14:02 - 2012-07-27 17:19 - 0002828 _____ () C:\Users\Marcus\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2010-10-26 13:43 - 2013-01-04 18:11 - 0014848 _____ () C:\Users\Marcus\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-27 17:28 - 2012-07-27 17:28 - 0007599 _____ () C:\Users\Marcus\AppData\Local\Resmon.ResmonCfg
2010-09-18 13:47 - 2010-09-18 14:54 - 0001081 _____ () C:\Users\Marcus\AppData\Local\Win7_tmp1.htm
2016-05-20 14:53 - 2016-05-20 14:53 - 0000000 _____ () C:\Users\Marcus\AppData\Local\{06A92BE0-55A6-4488-A584-9B42AF50C189}
 
Some files in TEMP:
====================
C:\Users\Marcus\AppData\Local\Temp\Quarantine.exe
C:\Users\Marcus\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-01-14 09:05
 
==================== End of FRST.txt ============================


#2 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Location: Montreal, QC. Canada

Posted 17 January 2017 - 10:05 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

AppInit_DLLs-x32: c:/progra~3/{f9b71~1/191~1.1/tose.dll => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL =
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-15] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.7.796\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Chrome Media Router) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
S3 ATMFBUS; system32\DRIVERS\ATMFBUS.sys [X]
S3 ATMFCVsp; system32\DRIVERS\ATMFCVsp.sys [X]
S3 ATMFFLT; system32\DRIVERS\ATMFFLT.sys [X]
S3 ATMFMdm; system32\DRIVERS\ATMFMdm.sys [X]
S3 ATMFNET; system32\DRIVERS\ATMFNET.sys [X]
S3 ATMFNVsp; system32\DRIVERS\ATMFNVsp.sys [X]
S3 ATMFVsp; system32\DRIVERS\ATMFVsp.sys [X]
S3 CtClsFlt; system32\DRIVERS\CtClsFlt.sys [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

ADOBE FLASH PLAYER

Go to this page with Firefox or Opera to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882
===

If still present after the update, remove the old version(s) of Java via Control Panel > Programs > Programs and Features.
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Java 8 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418045F0}) (Version: 8.0.450 - Oracle Corporation)
===

Please let me know what problem persists with this computer.
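
The fix above works because FRST accepts the suspicious lines of its own log, copied verbatim, as instructions: a dangling AppInit_DLLs value, a policy key FRST itself flagged with ATTENTION, an IE search scope with an empty URL, and service/driver registrations marked [X] whose binaries are gone. As an added example (not from this thread, and not part of FRST or any BleepingComputer tooling), here is a small Python triage script that scans FRST log text for exactly those indicators and drafts a fixlist in the same shape nasdaq used. The sample lines are constructed from the kinds of entries in Marccus's log; the rule set, the severity labels and the Finding type are this example's own choices, not FRST's, and the generated fixlist is a starting point for a human helper to review, not something to run blindly.

```python
import re
from dataclasses import dataclass

# Constructed sample: one line of each entry type seen in the FRST log above.
# This is test input for the example, not a complete log.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
AppInit_DLLs-x32: c:/progra~3/{f9b71~1/191~1.1/tose.dll => No File
AppInit_DLLs-x32: , C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [257176 2012-04-05] (Citrix Systems, Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL =
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => No File
S3 ATMFBUS; system32\DRIVERS\ATMFBUS.sys [X]
S4 LeapFrog Connect Device Service; C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe [7241728 2014-07-11] (LeapFrog Enterprises, Inc.) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
"""


@dataclass
class Finding:
    line: str
    severity: str  # high / medium / low / info: labels chosen for this example
    reason: str


# Ordered rules: the first match wins, so specific and serious ones come first.
RULES = [
    (re.compile(r"^AppInit_DLLs.*=> No File$"), "high",
     "AppInit_DLLs value whose DLL is gone; the value would load it into every "
     "process that maps user32.dll if the file ever came back, so drop the value"),
    (re.compile(r"<=+ ATTENTION$"), "high",
     "flagged by FRST itself with an ATTENTION marker"),
    (re.compile(r"^SearchScopes:.*URL =$"), "medium",
     "IE search scope with an empty URL; orphan left behind by a removed program"),
    (re.compile(r"^[SRU]\d .*\[X\]$"), "medium",
     "service/driver registration whose binary no longer exists"),
    (re.compile(r"=> No File$"), "low",
     "registration points at a missing file; harmless but worth cleaning"),
    (re.compile(r"\[File not signed\]$"), "info",
     "unsigned service binary; confirm the vendor before touching it"),
]

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}


def triage(log_text: str) -> list[Finding]:
    """Run each non-empty log line through RULES and keep the first hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for pattern, severity, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(line, severity, reason))
                break
    return findings


def build_fixlist(findings: list[Finding], min_severity: str = "medium") -> str:
    """Draft a fixlist in the shape used in this thread: the flagged log lines
    themselves, bracketed by the Start/CreateRestorePoint/.../Reboot/End directives."""
    keep = [f.line for f in findings
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]]
    header = ["Start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    footer = ["", "Reboot:", "", "End"]
    return "\n".join(header + keep + footer) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print("\n--- candidate fixlist.txt (review before use) ---")
    print(build_fixlist(found))
```

Run it as-is to triage the sample, or pass the contents of a real FRST.txt to triage(). Note what is deliberately not flagged: the Citrix RSHook AppInit_DLLs entry, whose signed DLL is present, is a legitimate if dated mechanism, and only the dangling reference is the cleanup target. Likewise the two "=> No File" Chrome plugin lines rank low, because a missing plugin cannot redirect anything; nasdaq included them in his fixlist for tidiness, which is why the script keeps them selectable with min_severity="low".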

#3 Marccus

  • Topic Starter
  • Members
  • 3 posts

Posted 22 January 2017 - 09:05 AM

Thank you, Nasdaq! I completed every step, including removal of Adobe Flash Player 16 NPAPI and Java. So far so good. Will reply if I have further issues.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-01-2017
Ran by Marcus (22-01-2017 07:33:26) Run:2
Running from C:\Users\Marcus\Desktop\Computer Clean Up\FRST
Loaded Profiles: Marcus (Available Profiles: Marcus)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
AppInit_DLLs-x32: c:/progra~3/{f9b71~1/191~1.1/tose.dll => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL =
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-15] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.7.796\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Chrome Media Router) - C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
S3 ATMFBUS; system32\DRIVERS\ATMFBUS.sys [X]
S3 ATMFCVsp; system32\DRIVERS\ATMFCVsp.sys [X]
S3 ATMFFLT; system32\DRIVERS\ATMFFLT.sys [X]
S3 ATMFMdm; system32\DRIVERS\ATMFMdm.sys [X]
S3 ATMFNET; system32\DRIVERS\ATMFNET.sys [X]
S3 ATMFNVsp; system32\DRIVERS\ATMFNVsp.sys [X]
S3 ATMFVsp; system32\DRIVERS\ATMFVsp.sys [X]
S3 CtClsFlt; system32\DRIVERS\CtClsFlt.sys [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"c:/progra~3/{f9b71~1/191~1.1/tose.dll" => Value data removed successfully.
HKLM\SOFTWARE\Policies\Google => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} => key removed successfully
HKCR\CLSID\{0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} => key not found. 
HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.45.2 => key removed successfully
C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll => moved successfully
HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.45.2 => key removed successfully
C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll => moved successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.7.796\_platform_specific\win_x86\widevinecdmadapter.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => not found.
C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\ATMFBUS => key removed successfully
ATMFBUS => service removed successfully
HKLM\System\CurrentControlSet\Services\ATMFCVsp => key removed successfully
ATMFCVsp => service removed successfully
HKLM\System\CurrentControlSet\Services\ATMFFLT => key removed successfully
ATMFFLT => service removed successfully
HKLM\System\CurrentControlSet\Services\ATMFMdm => key removed successfully
ATMFMdm => service removed successfully
HKLM\System\CurrentControlSet\Services\ATMFNET => key removed successfully
ATMFNET => service removed successfully
HKLM\System\CurrentControlSet\Services\ATMFNVsp => key removed successfully
ATMFNVsp => service removed successfully
HKLM\System\CurrentControlSet\Services\ATMFVsp => key removed successfully
ATMFVsp => service removed successfully
HKLM\System\CurrentControlSet\Services\CtClsFlt => key removed successfully
CtClsFlt => service removed successfully
HKLM\System\CurrentControlSet\Services\RimUsb => key removed successfully
RimUsb => service removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6295071 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 316459 B
Edge => 0 B
Chrome => 453222397 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 692 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 66370 B
LocalService => 0 B
NetworkService => 30800 B
Marcus => 9194578 B
 
RecycleBin => 644 B
EmptyTemp: => 455.4 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 07:33:53 ====


#4 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Location: Montreal, QC. Canada

Posted 22 January 2017 - 11:13 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/



