Chrome - "Aw, Snap!" on every single page


This topic is locked
8 replies to this topic

#1 silvr
Posted 19 March 2017 - 01:32 AM

When I open Chrome, the 'Aw, Snap! Something went wrong while displaying this webpage.' comes up. It is affecting every single page including Settings. No websites work. There is no error message like 'ERR_CONNECTION_RESET', etc...

I am able to use both Firefox and Internet Explorer. There are no issues with accessing webpages on those two browsers.

Thank you so much for your help!
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Fong (administrator) on FONG-PC (18-03-2017 23:26:33)
Running from C:\Users\Fong\Desktop
Loaded Profiles: Fong (Available Profiles: Fong & Kui Kui)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(百度在线网络技术(北京)有限公司) C:\Program Files (x86)\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BaiduProtect.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
Failed to access process -> Custom.exe
() C:\ProgramData\Penpower\PPEZR\EZGoRun.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [384296 2010-04-05] (Alps Electric Co., Ltd.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-19] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-07] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-07] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-08-11] (Synaptics Incorporated)
HKLM\...\Run: [baidusdTray] => "C:\Program Files (x86)\BaiduSd3.0\BaiduSd\3.0.0.4605\baidusdTray.exe"  -stmd=3
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-12-20] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [134616 2013-12-10] (Intel Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\...\Run: [EZGoRun] => C:\ProgramData\Penpower\PPEZR\EZGoRun.exe [199184 2010-10-13] ()
HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\...\Run: [ctfmon] => C:\Windows\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{BFBA9445-ECDA-4E20-B235-45BC568AB632}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
SearchScopes: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={459D325E-6C5A-49CA-9DDE-1C1A6F7E8861}&mid=3a103fe86bad47cd8c1d511fb4e31f7d-01c20005fc4546a11975f3c8ad55067228260a9e&lang=en&ds=AVG&coid=avgtbavg&cmpid=0915tb&pr=fr&d=2015-09-09 20:56:38&v=4.2.4.155&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000 -> {2C4FEF0F-607E-4EC2-BA67-7F4413869FB7} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000 -> {4AD43A14-AA87-4d4b-A345-B0BC1C61BC76} URL = hxxp://www.google.cn/search?hl=zh-CN&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={459D325E-6C5A-49CA-9DDE-1C1A6F7E8861}&mid=3a103fe86bad47cd8c1d511fb4e31f7d-01c20005fc4546a11975f3c8ad55067228260a9e&lang=en&ds=AVG&coid=avgtbavg&cmpid=0915tb&pr=fr&d=2015-09-09 20:56:38&v=4.2.4.155&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000 -> {C3BBCD0B-9234-4d36-9151-EC49EE32FCE3} URL = hxxp://www.baidu.com/s?wd={searchTerms}&tn=28026190_dg&ie=utf-8
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2017-03-10] (Google Inc.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2017-03-10] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2017-03-10] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2017-03-10] (Google Inc.)
Toolbar: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2017-03-10] (Google Inc.)
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~2\KuGou\KGMusic\8043~1.187\KUGOO3~1.OCX No File
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~2\KuGou\KGMusic\8043~1.187\KUGOO3~1.OCX No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Fong\AppData\Roaming\Mozilla\Firefox\Profiles\fawn5xze.default-1489883658478 [2017-03-18]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-06-04] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-06-04] ()
FF Plugin-x32: @baidu.com/BaiduExpert-npplugin -> C:\Users\Fong\AppData\Roaming\Baidu\BDWebAdapter\3.0.331.0\npBDExNP.dll [2015-08-11] (百度在线网络技术(北京)有限公司)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-10] (Google Inc.)

Chrome:
=======
CHR DefaultProfile: Default
CHR StartupUrls: Default -> "hxxp://yahoo.com.hk/"
CHR Profile: C:\Users\Fong\AppData\Local\Google\Chrome\User Data\Default [2017-03-18]
CHR Extension: (Google Drive) - C:\Users\Fong\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-10]
CHR Extension: (YouTube) - C:\Users\Fong\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-26]
CHR Extension: (uBlock Origin) - C:\Users\Fong\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-03-18]
CHR Extension: (Google Search) - C:\Users\Fong\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Fong\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-18]
CHR Extension: (Gmail) - C:\Users\Fong\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\Fong\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-18]
CHR Profile: C:\Users\Fong\AppData\Local\Google\Chrome\User Data\Guest Profile [2017-03-18]
CHR Profile: C:\Users\Fong\AppData\Local\Google\Chrome\User Data\System Profile [2017-03-18]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 baidushoujizhushouUpdater; C:\Program Files (x86)\Baidu\baidushoujizhushouUpdate\bdupdate.exe [545928 2014-09-12] (Baidu, Inc.)
S3 BDdaSvc; C:\Users\Fong\AppData\Roaming\Baidu\BDda\5.0.0.4005\BDdaSvc.exe [78792 2014-12-24] (百度在线网络技术(北京)有限公司)
R2 BDSGRTP; C:\Program Files (x86)\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BaiduProtect.exe [1940072 2014-12-04] (百度在线网络技术(北京)有限公司)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-18] (Realtek Semiconductor)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 bbrowserboost; C:\Windows\system32\drivers\bbrowserboost.sys [155640 2015-11-24] (Baidu)
R1 bd0001; C:\Windows\System32\DRIVERS\bd0001.sys [203280 2015-12-03] (Baidu)
R1 bd0001; C:\Windows\SysWOW64\DRIVERS\bd0001.sys [203280 2015-12-03] (Baidu)
S1 bd0002; C:\Windows\SysWOW64\DRIVERS\bd0002.sys [219144 2015-12-03] (Baidu)
R1 bd0004; C:\Windows\System32\DRIVERS\bd0004.sys [170312 2014-11-28] (Baidu)
R2 BDArKit; C:\Windows\System32\DRIVERS\BDArKit.sys [152392 2014-12-26] (Baidu Technology)
R1 BDMWrench; C:\Windows\System32\DRIVERS\BDMWrench.sys [122184 2014-12-22] (Baidu)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [34544 2013-08-11] (Synaptics Incorporated)
S1 BDMWrench_x64; system32\DRIVERS\BDMWrench_x64.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-18 23:26 - 2017-03-18 23:27 - 00014282 _____ C:\Users\Fong\Desktop\FRST.txt
2017-03-18 23:26 - 2017-03-18 23:26 - 00000000 ____D C:\FRST
2017-03-18 23:25 - 2017-03-18 23:25 - 02424832 _____ (Farbar) C:\Users\Fong\Desktop\FRST64.exe
2017-03-18 18:14 - 2017-03-18 18:14 - 00075045 _____ C:\ComboFix.txt
2017-03-18 18:01 - 2017-03-18 18:23 - 00000000 ____D C:\Windows\erdnt
2017-03-18 17:39 - 2017-03-18 17:39 - 00002271 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-03-18 17:39 - 2017-03-18 17:39 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-03-18 17:38 - 2017-03-18 17:39 - 01129376 _____ (Google Inc.) C:\Users\Fong\Downloads\ChromeSetup.exe
2017-03-18 17:34 - 2017-03-18 17:34 - 00000000 ____D C:\Users\Fong\Desktop\Old Firefox Data
2017-03-18 17:33 - 2017-03-18 23:10 - 00000000 ____D C:\Users\Fong\AppData\LocalLow\Mozilla
2017-03-18 17:33 - 2017-03-18 17:33 - 00001163 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-03-18 17:33 - 2017-03-18 17:33 - 00001151 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-03-18 17:33 - 2017-03-18 17:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-18 17:24 - 2017-03-18 17:27 - 00000000 ____D C:\AVG_Remover
2017-03-18 17:23 - 2017-03-18 17:24 - 07986864 _____ ( ) C:\Users\Fong\Downloads\AVG_Remover.exe
2017-03-10 19:51 - 2017-03-10 19:54 - 00000000 ____D C:\Users\Kui Kui\AppData\Roaming\Google
2017-03-10 19:50 - 2017-03-10 19:50 - 00014008 _____ C:\Users\Kui Kui\Desktop\chrome - Shortcut.lnk
2017-03-10 19:43 - 2017-03-10 19:46 - 00000000 ____D C:\ProgramData\Google
2017-03-10 19:37 - 2017-03-10 19:37 - 01129376 _____ (Google Inc.) C:\Users\Kui Kui\Downloads\ChromeSetup.exe
2017-02-17 22:35 - 2017-02-17 22:35 - 03911863 _____ C:\Users\Fong\Downloads\Ingenieux11 (1).mp4
2017-02-17 22:34 - 2017-02-17 22:35 - 03911863 _____ C:\Users\Fong\Downloads\Ingenieux11.mp4
2017-02-17 19:41 - 2017-03-10 19:51 - 00000000 ____D C:\Users\Kui Kui\AppData\Local\Google
2017-02-17 19:41 - 2017-02-17 19:41 - 00057952 _____ C:\Users\Kui Kui\AppData\Local\GDIPFONTCACHEV1.DAT
2017-02-17 19:41 - 2017-02-17 19:41 - 00001447 _____ C:\Users\Kui Kui\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-02-17 19:41 - 2017-02-17 19:41 - 00001413 _____ C:\Users\Kui Kui\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2017-02-17 19:41 - 2017-02-17 19:41 - 00000000 ____D C:\Users\Kui Kui\AppData\Local\VirtualStore
2017-02-17 19:41 - 2017-02-17 19:41 - 00000000 ____D C:\Users\Kui Kui\AppData\Local\CEF
2017-02-17 19:40 - 2017-02-17 19:41 - 00000000 ____D C:\Users\Kui Kui
2017-02-17 19:40 - 2017-02-17 19:40 - 00000020 ___SH C:\Users\Kui Kui\ntuser.ini
2017-02-17 19:40 - 2017-02-17 19:40 - 00000000 _SHDL C:\Users\Kui Kui\My Documents
2017-02-17 19:40 - 2017-02-17 19:40 - 00000000 _SHDL C:\Users\Kui Kui\Documents\My Videos
2017-02-17 19:40 - 2017-02-17 19:40 - 00000000 _SHDL C:\Users\Kui Kui\Documents\My Pictures
2017-02-17 19:40 - 2017-02-17 19:40 - 00000000 _SHDL C:\Users\Kui Kui\Documents\My Music
2017-02-17 19:40 - 2015-12-17 06:16 - 00000000 ____D C:\Users\Kui Kui\AppData\Roaming\AVG
2017-02-17 19:40 - 2015-12-17 06:16 - 00000000 ____D C:\Users\Kui Kui\AppData\Local\AVG
2017-02-17 19:40 - 2015-09-16 20:32 - 00000000 ____D C:\Users\Kui Kui\AppData\Roaming\TuneUp Software
2017-02-17 19:40 - 2010-11-21 00:16 - 00000000 ____D C:\Users\Kui Kui\AppData\Roaming\Media Center Programs

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-18 23:16 - 2009-07-13 21:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-18 23:16 - 2009-07-13 21:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-18 18:29 - 2009-07-13 22:13 - 00726316 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-18 18:29 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2017-03-18 18:25 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-18 18:11 - 2009-07-13 19:34 - 00000215 _____ C:\Windows\system.ini
2017-03-18 18:10 - 2009-07-13 19:34 - 47972352 _____ C:\Windows\system32\config\software.bak
2017-03-18 18:10 - 2009-07-13 19:34 - 22020096 _____ C:\Windows\system32\config\system.bak
2017-03-18 18:10 - 2009-07-13 19:34 - 00262144 _____ C:\Windows\system32\config\security.bak
2017-03-18 18:10 - 2009-07-13 19:34 - 00262144 _____ C:\Windows\system32\config\sam.bak
2017-03-18 18:10 - 2009-07-13 19:34 - 00262144 _____ C:\Windows\system32\config\default.bak
2017-03-18 17:42 - 2015-08-03 20:54 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-03-18 17:39 - 2014-09-25 01:23 - 00000000 ____D C:\Program Files (x86)\Google
2017-03-18 17:33 - 2016-06-04 16:19 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-18 17:30 - 2014-09-25 00:34 - 00000000 ____D C:\Users\Fong\AppData\Local\Deployment
2017-03-18 17:26 - 2015-07-28 19:12 - 00000000 ____D C:\Program Files (x86)\AVG
2017-03-18 17:25 - 2015-12-03 20:27 - 00000000 ____D C:\ProgramData\Avg
2017-03-18 12:02 - 2016-05-07 13:16 - 00000000 ____D C:\Users\Fong\AppData\Roaming\Google
2017-03-18 12:00 - 2014-09-25 01:23 - 00000000 ____D C:\Users\Fong\AppData\Local\Google
2017-03-10 19:38 - 2014-09-25 01:23 - 00002974 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-03-10 19:38 - 2014-09-25 01:23 - 00002846 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-03-09 10:42 - 2014-09-25 22:55 - 00000104 _____ C:\ProgramData\SWAPPINFO.ini
2017-02-17 19:32 - 2017-01-20 22:41 - 00034304 ___SH C:\Users\Fong\Thumbs.db
2017-02-17 19:32 - 2014-09-23 11:59 - 00000000 ____D C:\Users\Fong
2017-02-17 19:27 - 2017-01-14 17:47 - 00000000 ____D C:\Users\Fong\AppData\Local\ElevatedDiagnostics

==================== Files in the root of some directories =======

2014-09-24 17:13 - 2014-09-24 17:13 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-25 22:55 - 2017-03-09 10:42 - 0000104 _____ () C:\ProgramData\SWAPPINFO.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-17 18:41

==================== End of FRST.txt ============================


Edited by silvr, 19 March 2017 - 01:35 AM.
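A small triage script for the FRST.txt above (and for the Addition.txt posted later in the thread, which uses the same format), added here as an illustration; it is not FRST's own code and was not posted by anyone in the thread. It tracks the "==== Section ====" banners so each entry is read in context, then applies this example's own heuristics: FRST's ATTENTION marker, entries ending in [X] or No File, the [File not signed] tag, an empty publisher field "()", auto-start entries that point into user-writable directories, and disabled products in the Security Center section. The list of persistence sections and of user-writable paths are assumptions of this example, and the embedded sample log is constructed from lines copied out of the post.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) text logs.

Added example for this thread, not FRST's own code and not part of any post.
It walks an FRST-style dump, remembers the section each line belongs to, and
applies a few heuristics an analyst applies by eye. The heuristics and the
section/path lists below are this example's assumptions, not FRST rules.
"""
import re
from collections import Counter
from dataclasses import dataclass

# "==================== Processes (Whitelisted) =================" -> "Processes (Whitelisted)"
SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")
# FRST prints the binary's publisher in parentheses; "()" means none was embedded.
EMPTY_PUBLISHER_RE = re.compile(r"\(\s*\)")
# Paths an unprivileged user can write to (matched lower-case, backslash-delimited).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")
# Sections whose entries are started automatically (assumed mapping).
PERSISTENCE_SECTIONS = ("Registry", "Services", "Drivers", "Scheduled Tasks", "NetSvcs")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def section_name(line):
    """Return the title if `line` is an FRST section banner, else None."""
    m = SECTION_RE.match(line.strip())
    return m.group(1) if m else None


def triage_line(section, line):
    """Apply the heuristics to one entry; returns the reasons it stands out."""
    reasons, low = [], line.lower()
    if "ATTENTION" in line:                       # FRST's own marker
        reasons.append("flagged by FRST (ATTENTION)")
    if line.endswith("[X]") or line.endswith("No File"):
        reasons.append("references a file that is not on disk")
    if "[file not signed]" in low:
        reasons.append("unsigned binary")
    if line.startswith("Failed to access process"):
        reasons.append("process could not be inspected")
    if ":\\" in line and EMPTY_PUBLISHER_RE.search(line):
        reasons.append("empty publisher field")
    if section.startswith(PERSISTENCE_SECTIONS) and any(d in low for d in USER_WRITABLE):
        reasons.append("auto-start from a user-writable directory")
    if section.startswith("Security Center") and "(Disabled" in line:
        reasons.append("security product disabled")
    return reasons


def triage(text):
    """Walk a whole log, tracking the current section, and collect findings."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name = section_name(line)
        if name:                                  # banner: switch section, no finding
            section = name
            continue
        reasons = triage_line(section, line)
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def summarize(findings):
    """Count how often each reason fired, for a quick overview."""
    return Counter(r for f in findings for r in f.reasons)


# Constructed sample: lines copied from the FRST.txt in the post above.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
Failed to access process -> Custom.exe
() C:\ProgramData\Penpower\PPEZR\EZGoRun.exe
==================== Registry (Whitelisted) ====================
HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\...\Run: [EZGoRun] => C:\ProgramData\Penpower\PPEZR\EZGoRun.exe [199184 2010-10-13] ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
==================== Internet (Whitelisted) ====================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
==================== Services (Whitelisted) ====================
S3 BDdaSvc; C:\Users\Fong\AppData\Roaming\Baidu\BDda\5.0.0.4005\BDdaSvc.exe [78792 2014-12-24] (Baidu)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
===================== Drivers (Whitelisted) ======================
R2 bbrowserboost; C:\Windows\system32\drivers\bbrowserboost.sys [155640 2015-11-24] (Baidu)
S1 BDMWrench_x64; system32\DRIVERS\BDMWrench_x64.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
==================== Security Center ========================
AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {'; '.join(f.reasons)}\n    {f.line}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

The output is a filter, not a verdict: a signed Baidu driver in System32 passes every heuristic here, and a legitimate tool left behind by an earlier cleanup (the orphaned ComboFix catchme.sys) trips one. A helper still reads the full log; the script only shortens the list of lines that deserve a second look.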


#2 mAL_rEm018 (Malware Response Team)
Posted 20 March 2017 - 03:57 AM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 4 days will result in this thread being closed.


Hello silvr,

My name is mAL_rEm018, but feel free to call me mAL.  I will be helping you with your malware related problems. :)

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.


Cobian Backup
DriveImage XML


To make sure everything goes smoothly, I would like you to observe the following rules:

  • You must have Administrator rights (permissions) for this computer.
  • Please reply to this thread.  Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum.  Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".


While I review the log you provided, please do the following:

  • Right-click on FRST64.exe and select Run as administrator.
  • Ensure that Addition.txt is checked.
  • Select Scan.
  • When the scan is over two windows will open, FRST.txt and Addition.txt.
  • Please post the contents of Addition.txt in your next reply.


-----------------------------------------
In your next reply, I would like to see:

  • Addition.txt

Teacher at the Malware Removal University.

Member of UNITE


#3 silvr (Topic Starter)
Posted 20 March 2017 - 11:24 PM

Thank you for taking the time to review the logs!

Copy and paste from Addition.txt:


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Fong (20-03-2017 21:23:32)
Running from C:\Users\Fong\Desktop
Windows 7 Professional Service Pack 1 (X64) (2014-09-23 18:59:21)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2372610415-3466994355-1358180305-500 - Administrator - Disabled)
Fong (S-1-5-21-2372610415-3466994355-1358180305-1000 - Administrator - Enabled) => C:\Users\Fong
Guest (S-1-5-21-2372610415-3466994355-1358180305-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2372610415-3466994355-1358180305-1002 - Limited - Enabled)
Kui Kui (S-1-5-21-2372610415-3466994355-1358180305-1003 - Administrator - Enabled) => C:\Users\Kui Kui

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.242 - Adobe Systems Incorporated)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: 3.1.1 - Canon Inc.)
Canon MP Navigator EX 4.0 (HKLM-x32\...\MP Navigator EX 4.0) (Version:  - )
Canon MP495 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP495_series) (Version:  - Canon Inc.)
CDBurnerXP (HKLM-x32\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.4.5118 - CDBurnerXP)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1107.115.102 - ALPS ELECTRIC CO., LTD.)
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 17.0.8.1 - Synaptics Incorporated)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 57.0.2987.110 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.23.1766 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3345 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.3.34 - Intel Corporation)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 52.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0.1 (x86 en-US)) (Version: 52.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.1 - Mozilla)
Qualcomm Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Qualcomm Atheros)
Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 10.16.002 - Dell Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7023 - Realtek Semiconductor Corp.)
Realtek USB Card Reader (HKLM-x32\...\{1E496A68-4943-424E-829D-5C3C85B7B8F2}) (Version: 6.2.9200.39039 - Realtek Semiconductor Corp.)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> no filepath

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {190714E3-42DD-41BD-AD82-A262A692AEF1} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2014-03-19] (Microsoft)
Task: {57987433-FF42-41AB-8491-B2E0155EF8D0} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {5F1CEBA3-416F-48D8-9D70-26A3ECE37140} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2017-02-01] (AVAST Software)
Task: {6CE745E5-3786-40E5-9963-75931BF48337} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {8B15E3CA-DBAE-4241-BA90-9CBC2BD37787} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {8FC90759-9ABB-4BC6-BD38-40E7808C567A} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {94D6DAAF-5200-4D16-A9B5-C089D7F221D9} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {AC6CCBFF-F037-4A81-8945-F572A33BDCBE} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files (x86)\AVG\AVG PC TuneUp\tuscanx.exe
Task: {F046ADCD-C55F-4F55-AD72-8417917B6CF1} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {F24C5105-D0AD-460A-AD65-D8268E594A86} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2014-12-05 08:07 - 2014-11-06 01:47 - 00444744 _____ () C:\Program Files (x86)\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\bdsg0002.dll
2014-09-25 22:54 - 2010-10-13 03:03 - 00199184 ____R () C:\ProgramData\Penpower\PPEZR\EZGoRun.exe
2015-12-17 06:22 - 2015-12-14 00:40 - 00314248 _____ () C:\Program Files (x86)\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\SafeBrowserPlugin.dll
2015-12-10 07:36 - 2015-12-09 02:23 - 00142216 _____ () C:\Program Files (x86)\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\BrowserProbe.dll
2015-05-04 14:28 - 2015-04-24 02:33 - 00076680 _____ () C:\Program Files (x86)\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\BbSavior.dll
2010-09-10 02:03 - 2010-09-10 02:03 - 00104976 ____R () C:\ProgramData\Penpower\PPEZR\2272EUUT.dll
2014-09-25 22:54 - 2010-10-12 22:34 - 00133648 ____R () C:\ProgramData\Penpower\PPEZR\HidTool.dll
2014-09-24 17:18 - 2013-12-10 22:27 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\...\baidu.com -> hxxp://baidu.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2017-03-18 18:11 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Fong\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [TCP Query User{9C202D16-606B-4403-BA92-AFC3BA9F8C96}E:\winpenjr\win32\ppupdwz.exe] => (Block) E:\winpenjr\win32\ppupdwz.exe
FirewallRules: [UDP Query User{8E7C9128-9BCE-4FD6-A193-61ED6975C986}E:\winpenjr\win32\ppupdwz.exe] => (Block) E:\winpenjr\win32\ppupdwz.exe
FirewallRules: [{889E525C-F9DA-4CE2-96D1-0D89C07D7718}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{4C1E1D80-1AF2-4B6C-8246-AC255929B277}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{B98A308A-C4EF-48E9-B0F8-DDC0BC0123E6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{8A8B7BE3-81C5-4E6D-9A66-6D9081041B39}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{D6B12F7E-47F2-4C15-B965-435B8A99BEE8}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{39F82BF4-4BB9-44E2-86D5-44053C37EDFB}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{3B6E0776-1467-4E4E-9B64-C04CE9A3C11D}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
FirewallRules: [{5E04D243-AA67-49DB-A858-EB05E2C0293D}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
FirewallRules: [{42702713-53EF-410F-ACE6-ABE08268A302}] => (Allow) C:\program files (x86)\common files\baidu\bddownload\112\bddownloader.exe
FirewallRules: [{D108EF90-7F5F-4005-99F5-D37F92D7A286}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe
FirewallRules: [{5C8FF0D2-7DD8-4A67-9345-DAC53E270925}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe
FirewallRules: [{BF835C6F-0BE9-45AD-BE2A-DCCCD68EC1A4}] => (Allow) C:\Program Files (x86)\360\360Safe\LiveUpdate360.exe
FirewallRules: [{6BF3EA1D-76A1-4458-8098-CCA505315BDC}] => (Allow) C:\Program Files (x86)\360\360Safe\LiveUpdate360.exe
FirewallRules: [{A5C733D1-152C-44BB-AB34-F73F4ECC7BA8}] => (Allow) C:\Users\Fong\Downloads\inst.exe
FirewallRules: [{0095F692-14CB-431E-84DF-6E4E64BB6B28}] => (Allow) C:\Users\Fong\Downloads\inst.exe
FirewallRules: [{B1549B4B-9604-449E-8B24-8CC1F1F873F1}] => (Allow) C:\Program Files (x86)\sogoupinyin\8.0.0.7839\SGTool.exe
FirewallRules: [{CA14AEDF-F65F-49B5-97B8-778FD12504DE}] => (Allow) C:\Program Files (x86)\sogoupinyin\8.0.0.7839\SGTool.exe
FirewallRules: [{47D92F82-168E-4231-9721-F18B7F4D0A0B}] => (Allow) C:\Program Files (x86)\sogoupinyin\8.0.0.7839\SogouCloud.exe
FirewallRules: [{966F5D0D-D8D2-4486-A37D-764E99C99628}] => (Allow) C:\Program Files (x86)\sogoupinyin\8.0.0.7839\SogouCloud.exe
FirewallRules: [{47577172-88EE-40BF-9F86-EAD5F352F0E5}] => (Allow) C:\Program Files (x86)\sogoupinyin\8.0.0.7839\SGMedalLoader.exe
FirewallRules: [{82EA3570-611C-4A33-BCF6-160283D096C3}] => (Allow) C:\Program Files (x86)\sogoupinyin\8.0.0.7839\SGMedalLoader.exe
FirewallRules: [{A2247BAD-0F50-4F3E-8BC1-74FE0D7B9450}] => (Allow) C:\Users\Fong\AppData\Local\SogouExplorer\SogouExplorer.exe
FirewallRules: [{C4670C57-CBDB-4F9A-ACB4-12B019FB0AED}] => (Allow) C:\Users\Fong\AppData\Local\SogouExplorer\SogouExplorer.exe
FirewallRules: [{0398D00B-09EF-4BBF-8206-02B184F529C1}] => (Allow) C:\Users\Fong\AppData\Roaming\SogouExplorer\Temp\SogouExplorerUp.exe
FirewallRules: [{62A34CB6-29E9-4E01-B405-B0898D43634B}] => (Allow) C:\Users\Fong\AppData\Roaming\SogouExplorer\Temp\SogouExplorerUp.exe
FirewallRules: [{70E95DC0-5226-4121-8F72-095D41C216A2}] => (Allow) C:\Users\Fong\AppData\Local\SogouExplorer\6.1.5.20716\SGRepairTool.exe
FirewallRules: [{5CB371B4-C683-4E48-B93C-A0765E9E14EC}] => (Allow) C:\Users\Fong\AppData\Local\SogouExplorer\6.1.5.20716\SGRepairTool.exe
FirewallRules: [{08DF05B6-2C8C-4D36-A2B0-E6AF7E6B4A3D}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D74C6E93-3C01-4749-B60D-B71143131B8E}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{522768C3-432D-49C8-AFFC-344058CE32F8}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

18-03-2017 18:23:52 ComboFix created restore point

==================== Faulty Device Manager Devices =============

Name: Ethernet Controller
Description: Ethernet Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/18/2017 11:36:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 6396

Error: (03/18/2017 11:36:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 6396

Error: (03/18/2017 11:36:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/18/2017 11:36:50 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5366

Error: (03/18/2017 11:36:50 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5366

Error: (03/18/2017 11:36:50 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/18/2017 11:36:49 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4321

Error: (03/18/2017 11:36:49 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4321

Error: (03/18/2017 11:36:49 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/18/2017 11:36:48 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3323


System errors:
=============
Error: (03/18/2017 06:25:32 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BDSafeBrowser service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/18/2017 06:25:18 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Apple Mobile Device service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (03/18/2017 06:25:18 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.

Error: (03/18/2017 06:11:33 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BDSafeBrowser service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/18/2017 06:11:21 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Apple Mobile Device service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (03/18/2017 06:11:21 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.

Error: (03/18/2017 06:10:25 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (03/18/2017 06:10:24 PM) (Source: Microsoft-Windows-Kernel-General) (EventID: 5) (User: Fong-PC)
Description: 0x8000002a32\??\c:\windows\erdnt\subs\system

Error: (03/18/2017 06:10:18 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (03/18/2017 06:08:40 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.


CodeIntegrity:
===================================
  Date: 2017-03-18 18:08:40.299
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-03-18 18:08:40.299
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i3-4010U CPU @ 1.70GHz
Percentage of memory in use: 35%
Total physical RAM: 3812.96 MB
Available physical RAM: 2446.54 MB
Total Virtual: 7624.13 MB
Available Virtual: 5800.11 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.87 GB) (Free:248.18 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: D42F66E9)

Partition: GPT.

==================== End of Addition.txt ============================



#4 mAL_rEm018 (Malware Response Team)

Posted 21 March 2017 - 04:47 PM

Hello silvr,

A word of caution: Combofix is a very powerful tool that could cause substantial damage to your computer if used incorrectly.  Please do not use it in the future unless you were asked to by a trained helper.  With that being said, please navigate to the following location and post the log in your next reply:

C:\ComboFix.txt


Backup your registry using TCRB


  • Please download TCRB to your Desktop.
  • Open Tweaking.com Registry Backup.
  • Click on the Backup Registry tab and ensure that all options are checked.
  • Press on Backup Now.
  • Wait until the backup is complete and exit the program.

Next..

Please disable your Antivirus as shown in the following topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs



  • Close all opened programs, open your browser and go to the following link: ESET Online Scanner.
  • Click on the SCAN NOW button under ESET Online Scanner.
    • Depending on which browser you are using, you might be prompted to download an executable file.
    • Please save it to your desktop.
    • Right-click on esetonlinescanner_enu.exe and select Run as administrator.  
    • If you agree to the Terms of use, select Accept to continue.  
  • Please check the following option:
    • Enable detection of potentially unwanted applications
  • Select Advanced settings and ensure that the following options are checked:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth technology
  • Make sure that the following option is NOT checked:  => Very important!
    • Clean threats automatically
  • Click Scan and the process will now begin.  Please do not use your computer while the scan is running.
  • Once the scan is completed, click Copy to clipboard.
  • Open the Start menu and type notepad.exe in the search programs and files box.
  • Press Enter.  A blank Notepad page should open, paste the contents inside the window.
  • Save the file as ESETScan.txt.
  • Please copy/paste the contents of ESETScan.txt in your next reply.
  • You can now safely close the program.
    Do not forget to re-activate your Antivirus at this point.


I noticed you have Malwarebytes installed on your computer, let's use it to run a scan..



  • Please open Malwarebytes Anti-Malware.
  • Locate and click on Update Now >>.
  • Once the updates have been installed, select the Scan tab.
  • Ensure that Threat Scan is selected and click on Start Scan.
  • Once the scan is completed, if there have been any detections, select Apply Actions.
  • You will most likely be prompted to restart your computer, if so please allow the reboot.

 

Once your computer is restarted, please do the following..

 

  • Open Malwarebytes Anti-Malware.
  • Click History and then select Application Logs.
  • Double-click on the scan log by looking at the timestamp (it should be in the following order: Day/Month/Year Time)
  • Click Export and select Text file (*.txt).
  • In the File name: box, please write MBAM Log and save it to your desktop.
  • Once the process is over, a message will appear stating that the file has been successfully exported.  Click OK.
  • Please post the contents of MBAM Log.txt in your next reply.



-----------------------------------------
In your next reply, I would like to see..

  • Did you have trouble with any of the steps?
  • Combofix.txt
  • ESETScan.txt
  • MBAM Log.txt

 


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#5 silvr (Topic Starter)

Posted 22 March 2017 - 02:50 AM

Thanks again for your help.

Attached Files



#6 mAL_rEm018 (Malware Response Team)

Posted 22 March 2017 - 04:51 PM

Hello silvr,

There are strong indicators that you were infected with a Remote Access Infection, namely Poweliks.  Poweliks is a serious infection that not only installs several other malware, but also causes the infected computer to become part of a "click-fraud" botnet. The compromised computer is remotely controlled by the malware creator(s), which is why I advise you to read the following article very carefully before making any type of decision: Remote Access Infections ... (why you should repave).

Whether you choose to reformat or clean your computer is your decision to make, but it has to be an informed decision.  In your next reply please let me know what you want to do and we will proceed accordingly. :)

mAL




#7 silvr (Topic Starter)

Posted 23 March 2017 - 03:00 AM

Thanks for the information mAL. I am still debating on whether to reformat or try to clean it. 

 

What in the logs led you to Poweliks? Also, is there any way of determining how the laptop got infected?

 

Thanks. 



#8 mAL_rEm018 (Malware Response Team)

Posted 23 March 2017 - 10:43 AM

Hello silvr,
 

"Thanks for the information mAL. I am still debating on whether to reformat or try to clean it."

You're welcome silvr.  I understand that making such a decision is never easy, so feel free to take a day or 2 to think about it.  You might also find it useful to re-read the article linked in my last post.



"What in the logs led you to Poweliks?"

The following entries from your FRST logs:


HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> no filepath


"Also, is there any way of determining how the laptop got infected?"

Unfortunately, there's no way for me to know exactly how you were infected.  What I can do is to provide you with some information on how to protect yourself from future infections.  I will do this in my "all clear" post. :)

mAL

 




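Added example, not part of the thread and not FRST's own code: a small Python triage script that applies the reasoning in mAL's reply above to the text of an FRST Addition.txt. It flags any per-user CustomCLSID entry whose LocalServer32 or InprocServer32 value carries no file path (the Poweliks-style indicator mAL pointed to, including the case where the value is a command line rather than a path), and it goes beyond the reply by also flagging two other line types from the log posted in this thread that a responder would want to review: firewall Allow rules for a program in a user-writable location (Downloads, AppData, Temp) and Internet Explorer Trusted-zone sites. The sample lines are copied from the Addition.txt posted above; the severity labels, the category names and the list of user-writable locations are my own choices, not anything FRST defines.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the FRST Addition.txt posted earlier in this thread.
SAMPLE_LOG = r"""
==================== Custom CLSID (Whitelisted): ==========================

CustomCLSID: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> no filepath

==================== Internet Explorer trusted/restricted ===============

IE trusted site: HKU\S-1-5-21-2372610415-3466994355-1358180305-1000\...\baidu.com -> hxxp://baidu.com

==================== FirewallRules (Whitelisted) ===============

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{A5C733D1-152C-44BB-AB34-F73F4ECC7BA8}] => (Allow) C:\Users\Fong\Downloads\inst.exe
FirewallRules: [{0398D00B-09EF-4BBF-8206-02B184F529C1}] => (Allow) C:\Users\Fong\AppData\Roaming\SogouExplorer\Temp\SogouExplorerUp.exe
FirewallRules: [{522768C3-432D-49C8-AFFC-344058CE32F8}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{9C202D16-606B-4403-BA92-AFC3BA9F8C96}E:\winpenjr\win32\ppupdwz.exe] => (Block) E:\winpenjr\win32\ppupdwz.exe
"""

# LocalServer32 / InprocServer32 name the binary a COM object is loaded from.
# A per-user CLSID whose server value is not a file path is the indicator mAL cited.
COM_SERVER_RE = re.compile(
    r"^CustomCLSID:\s+(?P<key>.+?)\\(?P<server>LocalServer32|InprocServer32)\s+->\s+(?P<target>.*)$",
    re.IGNORECASE,
)
FIREWALL_RE = re.compile(
    r"^FirewallRules:\s+\[(?P<name>[^\]]*)\]\s+=>\s+\((?P<action>Allow|Block)\)\s+(?P<program>.+)$"
)
IE_TRUSTED_RE = re.compile(r"^IE trusted site:\s+(?P<key>\S+)\s+->\s+(?P<url>\S+)")

# Locations a standard user can write to (my own list, an assumption for this example).
# An Allow rule for a binary here usually came from a click-through prompt, not an installer.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\|\\Temp\\|%(TEMP|TMP|APPDATA|LOCALAPPDATA|USERPROFILE)%",
    re.IGNORECASE,
)
# Drive letter, environment variable, or UNC prefix: what a real server path starts with.
PATH_LIKE_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\|\\\\)")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (labels chosen for this example)
    category: str
    detail: str
    line: str


def check_com_server(line: str):
    """Flag a per-user COM server whose value is missing or is not a file path."""
    m = COM_SERVER_RE.match(line)
    if not m:
        return None
    target = m.group("target").strip()
    # FRST prints "no filepath" when the value is absent; a command line such as
    # a rundll32 invocation stored in the value is caught by the path check.
    if target.lower() == "no filepath" or not PATH_LIKE_RE.match(target.strip('"')):
        return Finding("high", "com-hijack",
                       f"{m.group('server')} without a file path under {m.group('key')}", line)
    return None


def check_firewall_rule(line: str):
    """Flag Allow rules whose program lives somewhere a standard user can write."""
    m = FIREWALL_RE.match(line)
    if not m or m.group("action") != "Allow":
        return None
    program = m.group("program").strip()
    if USER_WRITABLE_RE.search(program):
        return Finding("medium", "firewall-allow-user-path", f"Allow rule for {program}", line)
    return None


def check_ie_trusted(line: str):
    """Every Trusted-zone entry is worth a look: that zone relaxes IE's security settings."""
    m = IE_TRUSTED_RE.match(line)
    if not m:
        return None
    return Finding("medium", "ie-trusted-zone", f"{m.group('url')} is in the Trusted sites zone", line)


CHECKS = (check_com_server, check_firewall_rule, check_ie_trusted)
SEVERITY_ORDER = {"high": 0, "medium": 1}


def triage(log_text: str) -> list:
    """Run every check over every line of an Addition.txt; most severe findings first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            found = check(line)
            if found:
                findings.append(found)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```

Run against the posted lines it reports the localserver32 entry as high and the baidu.com Trusted-zone entry, the Downloads\inst.exe rule and the AppData\...\Temp\SogouExplorerUp.exe rule as medium; the %SystemRoot%, Program Files and Block-rule lines are left alone. It is a reading aid for the log text only: whether a flagged path is actually malicious still needs the file itself looked at, as mAL's reply does.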
#9 mAL_rEm018 (Malware Response Team)

Posted 27 March 2017 - 12:29 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.






