Some sort of drive by malware?


4 replies to this topic

#1 agnogenic

agnogenic

  • Members
  • 3 posts
  • OFFLINE

Posted 30 January 2017 - 09:24 AM

Hi there,

 

About 2 days ago, Chrome started going berserk and redirecting me to a number of pages. I've scanned with Malwarebytes and AdwCleaner, and I've tried reinstalling Chrome and running the Chrome reset tool. No changes. When I try using Firefox instead, it's pointing to a mail.ru start page.

 

Thank you for your assistance.

 

 

Attached File  FRST.txt   237.21KB   8 downloads

 

Attached File  Addition.txt   40.81KB   6 downloads


Edited by agnogenic, 30 January 2017 - 09:26 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 AM

Posted 31 January 2017 - 10:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF Keyword.URL: Mozilla\Firefox\Profiles\8efd1z4n.default -> hxxp://go.mail.ru/distib/ep/?product_id=%7BF1294180-1B10-4991-B9F2-9D1DA62651C8%7D&gp=811014
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Hover Zoom) - C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2017-01-29]
CHR Extension: (Chrome Media Router) - C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-07]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S0 MBAMSwissArmy; system32\drivers\MBAMSwissArmy.sys [X]
Task: {06173CE0-5CC7-4F3C-96B4-F14B84420FAA} - \{090E0D47-780E-0D0A-7911-797E7A0B110A} -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Endi\AppData\Local\Microsoft\Start Menu\?o??? ? ???e??e?.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "hxxp://rigneda.ru/?utm_source=startlink03&utm_content=adbf052057e305ed7ecce74202676864&utm_term=A9C5318D56364CDCCD8B02762B9E2ECD&utm_d=20170124"

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
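An added example, not part of nasdaq's post and not FRST's own code: a small Python triage script that reads FRST-style entries like the fixlist above and sorts them into the persistence categories a responder cares about. The fixlist targets four distinct mechanisms that a browser reset alone does not touch: a Firefox search pref (Keyword.URL) pointed at an external host, a Start Menu shortcut that launches explorer.exe with a URL as its argument, a scheduled task whose target file is gone, and services whose driver file is missing (the [X] marker), plus the installed Chrome extensions listed for review. The sample input is the fixlist from this post with the URLs kept defanged as posted; the category names, severities and regular expressions are my assumptions about the log format as it appears in the thread.

```python
"""Triage FRST-style entries for browser-hijack persistence indicators.

Added example: the category names, severities and regular expressions below are
assumptions about the log format as it appears in this thread, not part of FRST.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Live (http) or defanged (hxxp) URL; group 1 is the host.
URL_RE = re.compile(r'h(?:xx|tt)ps?://([^/\s"?]+)', re.IGNORECASE)
DIRECTIVE_RE = re.compile(r'^[A-Za-z]+:$')                  # e.g. "EmptyTemp:"
SERVICE_RE = re.compile(r'^[SR]\d\s+([^;]+);.*\[X\]$')        # "S3 dbx; ...\dbx.sys [X]"
CHR_EXT_RE = re.compile(r'^CHR Extension: \((.*?)\) - .*\\([a-p]{32}) \[')
GUID_RE = re.compile(r'\{[0-9A-Fa-f-]+\}')


@dataclass
class Finding:
    category: str
    severity: str   # high / medium / low / info
    detail: str
    line: str


def _host(text: str) -> Optional[str]:
    m = URL_RE.search(text)
    return m.group(1).lower() if m else None


def classify(line: str) -> Optional[Finding]:
    """Map one FRST entry to a Finding, or None for directives and unknown lines."""
    line = line.strip()
    if not line or line in ("Start", "End") or DIRECTIVE_RE.match(line):
        return None
    if line.startswith("FF ") and "[No File]" in line:
        # Plugin registration whose file is gone: leftover, not active persistence.
        detail = line.split(":", 1)[1].split("->")[0].strip()
        return Finding("orphaned-plugin", "low", detail, line)
    if line.startswith("FF ") and _host(line):
        # Firefox search/homepage pref redirected to an external host.
        return Finding("firefox-search-hijack", "high", _host(line), line)
    if line.startswith("ShortcutWithArgument:") and _host(line):
        # A .lnk that opens a URL via explorer.exe: survives browser resets.
        return Finding("shortcut-hijack", "high", _host(line), line)
    if line.startswith("Task:") and "No File" in line:
        guids = GUID_RE.findall(line)
        return Finding("orphaned-task", "medium", guids[0] if guids else "?", line)
    m = SERVICE_RE.match(line)
    if m:
        return Finding("service-missing-file", "low", m.group(1).strip(), line)
    m = CHR_EXT_RE.match(line)
    if m:
        return Finding("chrome-extension", "info", f"{m.group(1)} ({m.group(2)})", line)
    return None


def triage_frst_lines(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (classify(l) for l in lines) if f is not None]


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Sample input: the fixlist from this post (URLs kept defanged as posted).
SAMPLE_FIXLIST = r"""
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF Keyword.URL: Mozilla\Firefox\Profiles\8efd1z4n.default -> hxxp://go.mail.ru/distib/ep/?product_id=%7BF1294180-1B10-4991-B9F2-9D1DA62651C8%7D&gp=811014
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Hover Zoom) - C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2017-01-29]
CHR Extension: (Chrome Media Router) - C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-07]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S0 MBAMSwissArmy; system32\drivers\MBAMSwissArmy.sys [X]
Task: {06173CE0-5CC7-4F3C-96B4-F14B84420FAA} - \{090E0D47-780E-0D0A-7911-797E7A0B110A} -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Endi\AppData\Local\Microsoft\Start Menu\?o??? ? ???e??e?.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "hxxp://rigneda.ru/?utm_source=startlink03&utm_content=adbf052057e305ed7ecce74202676864&utm_term=A9C5318D56364CDCCD8B02762B9E2ECD&utm_d=20170124"

End
"""

if __name__ == "__main__":
    findings = triage_frst_lines(SAMPLE_FIXLIST.splitlines())
    for f in findings:
        print(f"[{f.severity:6}] {f.category:22} {f.detail}")
    print(count_by_severity(findings))
```

On the fixlist above the script reports two high-severity items (the Firefox search pref and the explorer.exe shortcut, both resolving to external hosts), one orphaned task, and low/info entries for the missing driver files and the extension list. The shortcut category is the one worth remembering: because the .lnk runs explorer.exe with a URL argument, it opens the hijack page through whatever browser is the default, which is why reinstalling Chrome did nothing for it.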

#3 agnogenic

agnogenic
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE

Posted 31 January 2017 - 06:05 PM

Hello nasdaq,

 

I have followed the directions in your last post, and I am still getting redirects in Chrome. If anything it seems to be worse. When I try logging into BleepingComputer it is redirecting me to a 'Microsoft support' page wanting me to call someone.

 

I am browsing with my other computer. Can you recommend some next steps that I should attempt?

 

 

Thank you for your time

 

edit: here is my fixlog.txt

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-01-2017
Ran by Endi (31-01-2017 12:02:55) Run:1
Running from C:\Users\Endi\Downloads
Loaded Profiles: Endi & UpdatusUser (Available Profiles: Endi & UpdatusUser)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
FF Keyword.URL: Mozilla\Firefox\Profiles\8efd1z4n.default -> hxxp://go.mail.ru/distib/ep/?product_id=%7BF1294180-1B10-4991-B9F2-9D1DA62651C8%7D&gp=811014
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Hover Zoom) - C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2017-01-29]
CHR Extension: (Chrome Media Router) - C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-07]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S0 MBAMSwissArmy; system32\drivers\MBAMSwissArmy.sys [X]
Task: {06173CE0-5CC7-4F3C-96B4-F14B84420FAA} - \{090E0D47-780E-0D0A-7911-797E7A0B110A} -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Endi\AppData\Local\Microsoft\Start Menu\?o??? ? ???e??e?.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "hxxp://rigneda.ru/?utm_source=startlink03&utm_content=adbf052057e305ed7ecce74202676864&utm_term=A9C5318D56364CDCCD8B02762B9E2ECD&utm_d=20170124"
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
Firefox "Keyword.URL" removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl => moved successfully
C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
HKLM\System\CurrentControlSet\Services\MBAMSwissArmy => key removed successfully
MBAMSwissArmy => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{06173CE0-5CC7-4F3C-96B4-F14B84420FAA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{06173CE0-5CC7-4F3C-96B4-F14B84420FAA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{090E0D47-780E-0D0A-7911-797E7A0B110A} => key removed successfully
C:\Users\Endi\AppData\Local\Microsoft\Start Menu\?o??? ? ???e??e?.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13971369 B
Java, Flash, Steam htmlcache => 23173263 B
Windows/system/drivers => 14345154 B
Edge => 0 B
Chrome => 285129308 B
Firefox => 48456475 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 2170 B
Public => 0 B
ProgramData => 0 B
systemprofile => 33253 B
systemprofile32 => 33253 B
LocalService => 33125 B
NetworkService => 7212733 B
Endi => 190740261 B
UpdatusUser => 0 B
 
RecycleBin => 674126898 B
EmptyTemp: => 1.2 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 12:03:44 ====

Edited by agnogenic, 31 January 2017 - 11:44 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 AM

Posted 01 February 2017 - 08:19 AM



Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here
Let's see what else we can clean.

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===



--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUMs] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Also, please provide an update on how the computer is behaving after running the above script.
===

p.s.
You can download these tools using the good computer.
Copy the files to the compromised computer and run them offline.

#5 agnogenic

agnogenic
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE

Posted 01 February 2017 - 12:46 PM

nasdaq,
 
 
I still am getting redirects while trying to surf unfortunately :(  

 
 
Here are my results from running Zoek and RogueKiller.
 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by Endi on Wed 02/01/2017 at  7:45:30.24.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Endi\Downloads\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
2/1/2017 7:48:47 AM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\CompanyDir deleted successfully
C:\PROGRA~2\Origin Games deleted successfully
C:\Users\Endi\AppData\Roaming\Logitech deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
HKEY_USERS\S-1-5-21-3331634467-2405064863-947979224-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{8E8F97CD-60B5-456F-A201-73065652D099} deleted successfully
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
Deleted from C:\Users\Endi\AppData\Roaming\Mozilla\Firefox\Profiles\8efd1z4n.default\prefs.js:
user_pref("browser.startup.homepage", "https://go.mail.ru/?fr=ffhp1.0.4&gp=818405");
user_pref("browser.search.useDBForOrder", false);
 
Added to C:\Users\Endi\AppData\Roaming\Mozilla\Firefox\Profiles\8efd1z4n.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\CompanyDir not found
C:\PROGRA~2\Origin Games deleted
C:\PROGRA~3\Package Cache deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\GPT.INI deleted
C:\Windows\Syswow64\GroupPolicy\gpt.ini deleted
C:\Users\Public\Desktop\ResumeMaker Professional.lnk deleted
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\Endi\AppData\Roaming\Mozilla\Firefox\Profiles\8efd1z4n.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Firefox Extensions ======================
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
 
==== Firefox Plugins ======================
 
 
==== Chromium Look ======================
 
MEGA - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\bigefpfhnfcobdlfbedofhhaibnlghod
Something Awful Last Read Redux - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\bogegdelcjhoaakaepmoglademmhiboo
uBlock₀ - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm
Videostream for Google Chromecast™ - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnciopoikihiagdjbjpnocolokfelagl
Image Downloader - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnpniohnfphhjihaiiggeabnkjhpaldj
Netflix - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\deceagebecbceejblnlcjooeohmmeldh
Authy Extension - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgenkpocbhhddlgkjnfghpjanffonno
Authy - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaedmjdfmmahhbjefcbgaolhhanlaolb
TinEye Reverse Image Search - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\haebnnbpedcbhciplfhjjkbafijpncjl
4.1.39 - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd
Super Browse for Netflix - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\iejponamigpndjgdmnpelkohnbpancjf
XKCD substitutions - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkgogmboalmaijfgfhfepckdgjeopfhk
Yappy - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\jleajjoinbmogfgencngmnnndkkciben
Remote Transmission ++ - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfbocdnicmioodheiciijiegbmfoliim
Make America Kittens Again - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\klchnmggepghlcolikgaekpibclpmgcm
Solitaire - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\lkbhppfbabandkdmgjmifahoabeodiep
RTA - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\oabphaconndgibllomdcjbfdghcmenci
uBO-Extra - Endi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgdnlhfefecpicbbihgmbmffkjpaplco
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http:///"
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http:///"
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 
==== Reset Google Chrome ======================
 
C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Web Data will be reset at reboot
C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal will be reset at reboot
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Endi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Endi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UKN8CG3B will be deleted at reboot
 
==== Empty FireFox Cache ======================
 
C:\Users\Endi\AppData\Local\Mozilla\Firefox\Profiles\8efd1z4n.default\cache2 emptied successfully
C:\Users\Endi\AppData\Roaming\Mozilla\Firefox\Profiles\8efd1z4n.default\storage\default\https+++www.youtube.com\cache emptied successfully
 
==== Empty Chrome Cache ======================
 
C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Cache will be emptied at reboot
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=22 folders=25 21422576 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Endi\AppData\Local\Temp will be emptied at reboot
C:\Users\UpdatusUser\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Endi\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Web Data" not found
"C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal" not found
"C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0" deleted
"C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1" deleted
"C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2" deleted
"C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3" deleted
"C:\Users\Endi\AppData\Local\Google\Chrome\User Data\Default\Cache\index" deleted
"C:\Users\Endi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UKN8CG3B" not found
 
==== EOF on Wed 02/01/2017 at 11:05:44.92 ======================
 
 
RogueKiller V12.9.6.0 (x64) [Jan 30 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Endi [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 02/01/2017 11:07:46 (Duration : 00:16:14)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3331634467-2405064863-947979224-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http:///  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3331634467-2405064863-947979224-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http:///  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3331634467-2405064863-947979224-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3331634467-2405064863-947979224-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[Hj.Shortcut][File] C:\Users\Endi\AppData\Local\Microsoft\Start Menu\?o??? ? ???e??e?.lnk [LNK@] C:\Windows\explorer.exe "http://rigneda.ru/?utm_source=startlink03&utm_content=adbf052057e305ed7ecce74202676864&utm_term=A9C5318D56364CDCCD8B02762B9E2ECD&utm_d=20170124" -> Shortcut cleaned
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 PRO Series ATA Device +++++
--- User ---
[MBR] 606a09a98d7ada9d7ba24b95dc584200
[BSP] 3f1785b24cd1d1aa6bf559b2b886b075 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 244096 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
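An added example, not from the thread and not Zoek's code: the Zoek log above shows the Firefox hijack concretely, a prefs.js whose browser.startup.homepage pointed at go.mail.ru, which Zoek's FFdefaults step replaced with about:home. The Python below audits a prefs.js the same way a responder would: it parses the user_pref lines, then flags the start-page, new-tab and address-bar-search prefs whose target is neither an about: page nor an allowlisted host. It also handles Firefox's multi-homepage form (several URLs separated by "|"), so a legitimate first entry cannot hide a hijacked second one. The sample prefs.js is constructed from the two entries shown in the log plus a keyword.URL line mirroring the FRST "FF Keyword.URL" finding (left defanged) and one unrelated integer pref; the allowlist and the set of watched pref names are assumptions to adapt to your own environment.

```python
"""Audit a Firefox prefs.js for hijacked start/search pages.

Added example, not from the thread or from Zoek. The watched pref names and the
allowlist are assumptions; adjust them to the browser policy you actually run.
"""
import re
from typing import Dict, List, Tuple, Union
from urllib.parse import urlsplit

PrefValue = Union[str, bool, int]

# user_pref("name", value);  -- value is a quoted string, true/false or an integer
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

# Prefs that decide where the browser goes on start, new tab and address-bar search.
WATCHED_PREFS = (
    "browser.startup.homepage",
    "browser.newtab.url",
    "keyword.URL",
)
# Assumption: the start pages this environment considers legitimate.
ALLOWED_HOSTS = frozenset({"www.google.com", "duckduckgo.com"})


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {pref name: value} for every user_pref line; other lines are ignored."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue                       # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2).strip()
        value: PrefValue
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1].replace('\\"', '"')
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw                # leave unrecognised literals as text
        prefs[name] = value
    return prefs


def audit_prefs(prefs: Dict[str, PrefValue],
                allowed_hosts=ALLOWED_HOSTS) -> List[Tuple[str, str, str]]:
    """Return (pref, target, reason) for watched prefs that point outside
    about: pages and the allowlist."""
    hits: List[Tuple[str, str, str]] = []
    for name in WATCHED_PREFS:
        value = prefs.get(name)
        if not isinstance(value, str):
            continue
        # Firefox accepts several homepages separated by '|'; check each one.
        for target in (t.strip() for t in value.split("|")):
            if not target or target.startswith("about:"):
                continue
            host = (urlsplit(target).hostname or "").lower()
            if not host:
                hits.append((name, target, "target has no host"))
            elif host not in allowed_hosts:
                hits.append((name, target, f"host {host} not in allowlist"))
    return hits


# Constructed sample: the two entries the Zoek log deleted, a keyword.URL entry
# mirroring the FRST "FF Keyword.URL" finding (defanged), and one unrelated pref.
HIJACKED_PREFS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://go.mail.ru/?fr=ffhp1.0.4&gp=818405");
user_pref("browser.search.useDBForOrder", false);
user_pref("keyword.URL", "hxxp://go.mail.ru/distib/ep/?product_id=%7BF1294180-1B10-4991-B9F2-9D1DA62651C8%7D&gp=811014");
user_pref("network.cookie.cookieBehavior", 1);
'''

# What Zoek wrote back: defaults that should produce no findings.
CLEAN_PREFS = r'''
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
'''

if __name__ == "__main__":
    for pref, target, reason in audit_prefs(parse_prefs(HIJACKED_PREFS)):
        print(f"{pref}: {target}  <- {reason}")
    print("clean profile findings:", audit_prefs(parse_prefs(CLEAN_PREFS)))
```

Run against the hijacked sample it reports both browser.startup.homepage and keyword.URL as pointing at go.mail.ru; against the post-Zoek defaults it reports nothing. Point parse_prefs at a real profile's prefs.js (the path is in the Zoek log, under ProfilePath) to check a machine after cleanup, and remember that a clean prefs.js does not rule out the other persistence routes the FRST fixlist earlier in this thread dealt with, such as a shortcut that opens a URL.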