WinSnare, WinSap, Kyubey.exe keeps reinstalling.


  • This topic is locked
26 replies to this topic

#1 Klyash


Posted 02 April 2017 - 07:42 AM

Hey,
I have tried removing these by uninstalling, cleaning the registry, scanning with antivirus and whatever else was suggested on other websites.
I even uninstalled Google Chrome when I saw that its shortcut had been changed to some other folder in my Program Files, but it keeps reinstalling itself. Every few days these programs are back on my computer.
Please help and tell me what you need.




#2 Jo*

  • Malware Response Team

Posted 03 April 2017 - 07:26 AM

Welcome to BleepingComputer.

Hi there,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

***


Step 4: Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

--- ---

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Jo*

  • Malware Response Team

Posted 06 April 2017 - 02:10 AM

Hi,

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response after 3 days.



#4 Klyash

  • Topic Starter


Posted 08 April 2017 - 11:24 AM

Contents of checkup.txt:

 Results of screen317's Security Check version 1.014 --- 12/23/15  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Windows Defender   
McAfee VirusScan   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Microsoft VisualStudio JavaScript Project System
 Microsoft VisualStudio JavaScript Language Service
 Java version 32-bit out of Date!
 Adobe Flash Player     23.0.0.162  
 Adobe Reader XI  
 Mozilla Firefox (51.0)
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe
 Windows Defender MpCmdRun.exe   
 Windows Defender MSASCuiL.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````



#5 Klyash

  • Topic Starter


Posted 09 April 2017 - 06:40 AM

The MBAR scan ran for 9 hours and stopped responding.
I restarted my computer. Before the MBAR scan hung, it had detected 6977 malware items on my computer.
No log file could be generated. Tell me what to do.



#6 Jo*

  • Malware Response Team

Posted 09 April 2017 - 07:39 AM


Please go on with steps 3 and 4:

Step 3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

***


Step 4: Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.



#7 Klyash

  • Topic Starter


Posted 11 April 2017 - 01:43 PM

# AdwCleaner v6.045 - Logfile created 12/04/2017 at 00:11:22
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-11.1 [Server]
# Operating System : Windows 10 Home Single Language  (X64)
# Username : dell - SKYNET
# Running from : C:\Users\dell\Downloads\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

Service Found:  iSafeKrnlMon
Service Found:  FirefoxU
Service Found:  WinSAPSvc
Service Found:  ed2kidle
Service Found:  WinSnare
Service Found:  FirefoxDL
Service Found:  Kyubey
Service Found:  isafekrnlmon
Service Found:  clean
Service Found:  SNARER
Service Found:  AMD


***** [ Folders ] *****

Folder Found:  C:\ProgramData\bd8328f3-36cf-4296-9d22-91fc139e476e
Folder Found:  C:\Users\dell\AppData\Local\Legass
Folder Found:  C:\Users\dell\AppData\Local\Coldmay
Folder Found:  C:\Users\dell\AppData\Local\Hipmy
Folder Found:  C:\Users\dell\AppData\Local\Toolhair
Folder Found:  C:\Users\dell\AppData\Local\Hotcine
Folder Found:  C:\Users\dell\AppData\Local\SNARER
Folder Found:  C:\Users\dell\AppData\Local\Antanna
Folder Found:  C:\Users\dell\AppData\Roaming\WinSAPSvc
Folder Found:  C:\Users\dell\AppData\Roaming\WinSnare
Folder Found:  C:\Users\dell\AppData\Roaming\Kyubey
Folder Found:  C:\Users\dell\AppData\Roaming\SNARER
Folder Found:  C:\Program Files (x86)\deskapp
Folder Found:  C:\Program Files (x86)\Antanna
Folder Found:  C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Roaming\Tencent
Folder Found:  C:\Program Files (x86)\Firefox
Folder Found:  C:\Users\dell\AppData\Roaming\WinSnare
Folder Found:  C:\Users\dell\AppData\Roaming\Firefox
Folder Found:  C:\Users\dell\AppData\Local\Firefox
Folder Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\extensions\arthurj8283@gmail.com
Folder Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\extensions\arthurj8283@gmail.com
Folder Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\extensions\arthurj8283@gmail.com
Folder Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\extensions\arthurj8283@gmail.com


***** [ Files ] *****

File Found:  C:\WINDOWS\SysNative\log\iSafeKrnlCall.log
File Found:  C:\WINDOWS\SysNative\drivers\iSafeKrnlBoot.sys
File Found:  C:\WINDOWS\SysNative\drivers\iSafeNetFilter.sys
File Found:  C:\Users\Public\Documents\temp.dat
File Found:  C:\Users\Public\Documents\report.dat
File Found:  C:\Users\dell\AppData\Local\AMD\amd.exe
File Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\invalidprefs.js
File Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\searchplugins\yahoo! powered.xml
File Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\SEARCHPLUGINS\YAHOO! POWERED.XML
File Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\searchplugins\startpageing123.xml


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

Shortcut infected:  C:\Users\dell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk ( hxxp://www.startpageing123.com/?type=sc&ts=1488547528&z=bc874081086da71d084cc4egcz7bfbcw5z8m2wec


***** [ Scheduled Tasks ] *****

Task Found:  Bjuchsupoent Community
Task Found:  Drihspsheretain
Task Found:  Milimili
Task Found:  Windows-PG


***** [ Registry ] *****

Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WinSnare
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WinSnare
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARER
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARER
Key Found:  HKU\S-1-5-21-3684574227-2233368907-3675068148-1001\Software\PRODUCTSETUP
Key Found:  HKU\S-1-5-21-3684574227-2233368907-3675068148-1001\Software\csastats
Key Found:  HKU\S-1-5-21-3684574227-2233368907-3675068148-1001\Software\deskapp
Key Found:  HKCU\Software\PRODUCTSETUP
Key Found:  HKCU\Software\csastats
Key Found:  HKCU\Software\deskapp
Key Found:  HKLM\SOFTWARE\ScreenShot
Key Found:  HKLM\SOFTWARE\startpageing123Software
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{59B5A9CD-253D-4C41-A073-B387D4C9672D}
Key Found:  [x64] HKCU\Software\PRODUCTSETUP
Key Found:  [x64] HKCU\Software\csastats
Key Found:  [x64] HKCU\Software\deskapp
Key Found:  [x64] HKLM\SOFTWARE\InterSect Alliance
Key Found:  HKU\S-1-5-21-3684574227-2233368907-3675068148-1001\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}
Key Found:  HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6D5F9DDE-01F7-4B43-9A8B-2E4DA2B9DD96}
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6D5F9DDE-01F7-4B43-9A8B-2E4DA2B9DD96}
Value Found:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [WinSAPSvc]
Key Found:  HKCU\SOFTWARE\Classes\ChromeHTML
Key Found:  HKCU\SOFTWARE\Clients\StartMenuInternet\ChromeHTML
Value Found:  HKLM\SOFTWARE\Mozilla\Firefox\Extensions [arthurj8283@gmail.com]
Value Found:  HKLM\SOFTWARE\Mozilla\Firefox\Extensions [arthurj8283@gmail.com]
Value Found:  HKLM\SOFTWARE\Mozilla\Firefox\Extensions [arthurj8283@gmail.com]
Value Found:  HKLM\SOFTWARE\Mozilla\Firefox\Extensions [arthurj8283@gmail.com]


***** [ Web browsers ] *****

Firefox pref Found:  [C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\prefs.js] - "browser.newtab.url" -  "hxxp://www.luckysearch123.com?type=hp&ts=1491499186&from=93770405&uid=wdcxwd10jpvx-75jc3t0_
Firefox pref Found:  [C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\prefs.js] - "browser.search.searchengine.iconURL" -  "hxxp://www.luckysearch123.com/favicon.ico?t=1"
Firefox pref Found:  [C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\prefs.js] - "browser.search.searchengine.url" -  "hxxp://www.luckysearch123.com/search.php?type=ds&ts=1491499186&from=93770405&u
Firefox pref Found:  [C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\prefs.js] - "browser.startup.homepage" -  "hxxp://www.luckysearch123.com?type=hp&ts=1491499186&from=93770405&uid=wdcxwd10jpvx-75
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [6718 Bytes] - [12/04/2017 00:11:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6791 Bytes] ##########
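The AdwCleaner log above has a regular shape: a `***** [ Section ] *****` header followed by `<Kind> Found:  <item>` lines. As an added example that is not part of the thread or of AdwCleaner, the following Python script parses that format into sections and then cross-references each detected service against the Folders and Registry findings, which is the persistence footprint a helper's fixlist has to cover. The sample input is an excerpt of the log quoted above with blank lines dropped.

```python
"""Summarise an AdwCleaner v6 scan log by section and cross-reference services.

Added example, not part of the thread and not AdwCleaner's own code. It parses
the "***** [ Section ] *****" headers and "<Kind> Found:  <item>" lines shown
above and reports which detected services also left folders or registry keys.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+) \] \*{5}$")
# "Service Found:  x", "Key Found:  x", "Firefox pref Found:  x", "Shortcut infected:  x"
FINDING_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?) (?:Found|infected):\s+(?P<item>.*)$")


def parse_adwcleaner(text):
    """Return {section: [(kind, item), ...]} in first-seen order.

    Exact duplicates are collapsed case-insensitively, because Windows paths and
    registry keys are case-insensitive and AdwCleaner repeats hits per location.
    Sections with no findings (e.g. "No malicious DLLs found.") are omitted.
    """
    findings = defaultdict(list)
    seen = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name").strip()
            continue
        if section is None:
            continue                      # banner lines before the first section
        hit = FINDING_RE.match(line)
        if not hit:
            continue
        kind, item = hit.group("kind"), hit.group("item").strip()
        key = (section, kind, item.lower())
        if key not in seen:
            seen.add(key)
            findings[section].append((kind, item))
    return dict(findings)


def correlate_services(findings):
    """For each detected service name, list the other sections whose items mention
    it (case-insensitive substring), e.g. WinSnare -> ['Folders', 'Registry']."""
    services = [item for kind, item in findings.get("Services", []) if kind == "Service"]
    return {
        svc: sorted(sec for sec, items in findings.items()
                    if sec != "Services"
                    and any(svc.lower() in item.lower() for _, item in items))
        for svc in services
    }


# Excerpt of the AdwCleaner[S0].txt quoted in the thread (blank lines dropped).
SAMPLE_LOG = r"""
# AdwCleaner v6.045 - Logfile created 12/04/2017 at 00:11:22
***** [ Services ] *****
Service Found:  WinSAPSvc
Service Found:  WinSnare
Service Found:  Kyubey
Service Found:  isafekrnlmon
Service Found:  iSafeKrnlMon
***** [ Folders ] *****
Folder Found:  C:\Users\dell\AppData\Roaming\WinSAPSvc
Folder Found:  C:\Users\dell\AppData\Roaming\WinSnare
Folder Found:  C:\Users\dell\AppData\Roaming\Kyubey
Folder Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\extensions\arthurj8283@gmail.com
Folder Found:  C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\extensions\arthurj8283@gmail.com
***** [ DLL ] *****
No malicious DLLs found.
***** [ Shortcuts ] *****
Shortcut infected:  C:\Users\dell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk ( hxxp://www.startpageing123.com/?type=sc&ts=1488547528&z=bc874081086da71d084cc4egcz7bfbcw5z8m2wec
***** [ Registry ] *****
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WinSnare
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WinSnare
Value Found:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [WinSAPSvc]
***** [ Web browsers ] *****
Firefox pref Found:  [C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\prefs.js] - "browser.search.searchengine.iconURL" -  "hxxp://www.luckysearch123.com/favicon.ico?t=1"
No malicious Chromium based browser items found.
"""

if __name__ == "__main__":
    found = parse_adwcleaner(SAMPLE_LOG)
    for section, items in found.items():
        print("%-14s %d finding(s)" % (section, len(items)))
    for svc, sections in correlate_services(found).items():
        print("service %-14s also in: %s" % (svc, ", ".join(sections) or "-"))
```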



#8 Klyash

  • Topic Starter


Posted 11 April 2017 - 02:05 PM

FRST Log Files:

Attached Files



#9 Jo*

  • Malware Response Team

Posted 11 April 2017 - 03:14 PM

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt


 
Start
CreateRestorePoint:
CloseProcesses:
() C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
IFEO\taskmgr.exe: [Debugger] 
GroupPolicy: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491384855&z=7451f11d3234ea90919bbe8gcz2t1gccbb7z9b1w3m&from=che0812&uid=WDCXWD10JPVX-75JC3T0_WXQ1E25FYY3FE25FYY3F&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491384855&z=7451f11d3234ea90919bbe8gcz2t1gccbb7z9b1w3m&from=che0812&uid=WDCXWD10JPVX-75JC3T0_WXQ1E25FYY3FE25FYY3F&q={searchTerms}
SearchScopes: HKLM -> {6D5F9DDE-01F7-4B43-9A8B-2E4DA2B9DD96} URL = hxxps://in.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_dmontlsfs_16_28_rps115078_rps&param1=1&param2=f%3D4%26b%3DIE%26cc%3Din%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0ByCyC0DzztA0EtC0EtAzy0E0Azz0DtAtN0D0Tzu0StCyCyDzztN1L2XzutAtFtBtBtFtAtFtCtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCtB0ByBtB0D0E0BtGyCtB0F0AtG0DyEtBzztGtD0F0EzytGtBzzyCtDyDtAyCyB0C0D0EyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBtD0Dzz0D0DyE0FtGzyzzzztDtGyEtC0AtBtGzyyC0EtAtGtByDtAtD0EtBtB0BtA0BtBtC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutBtBtCtD%26cr%3D2037614681%26a%3Dwncy_dmontlsfs_16_28%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome%2BSingle%2BLanguage&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491384855&z=7451f11d3234ea90919bbe8gcz2t1gccbb7z9b1w3m&from=che0812&uid=WDCXWD10JPVX-75JC3T0_WXQ1E25FYY3FE25FYY3F&q={searchTerms}
SearchScopes: HKLM-x32 -> {6D5F9DDE-01F7-4B43-9A8B-2E4DA2B9DD96} URL = hxxps://in.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_dmontlsfs_16_28_rps115078_rps&param1=1&param2=f%3D4%26b%3DIE%26cc%3Din%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0ByCyC0DzztA0EtC0EtAzy0E0Azz0DtAtN0D0Tzu0StCyCyDzztN1L2XzutAtFtBtBtFtAtFtCtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCtB0ByBtB0D0E0BtGyCtB0F0AtG0DyEtBzztGtD0F0EzytGtBzzyCtDyDtAyCyB0C0D0EyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBtD0Dzz0D0DyE0FtGzyzzzztDtGyEtC0AtBtGzyyC0EtAtGtByDtAtD0EtBtB0BtA0BtBtC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutBtBtCtD%26cr%3D2037614681%26a%3Dwncy_dmontlsfs_16_28%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome%2BSingle%2BLanguage&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3684574227-2233368907-3675068148-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491384855&z=7451f11d3234ea90919bbe8gcz2t1gccbb7z9b1w3m&from=che0812&uid=WDCXWD10JPVX-75JC3T0_WXQ1E25FYY3FE25FYY3F&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3684574227-2233368907-3675068148-1001 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxps://in.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_dmontlsfs_16_28_rps115078_rps&param1=1&param2=f%3D4%26b%3DIE%26cc%3Din%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0ByCyC0DzztA0EtC0EtAzy0E0Azz0DtAtN0D0Tzu0StCyCyDzztN1L2XzutAtFtBtBtFtAtFtCtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCtB0ByBtB0D0E0BtGyCtB0F0AtG0DyEtBzztGtD0F0EzytGtBzzyCtDyDtAyCyB0C0D0EyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBtD0Dzz0D0DyE0FtGzyzzzztDtGyEtC0AtBtGzyyC0EtAtGtByDtAtD0EtBtB0BtA0BtBtC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutBtBtCtD%26cr%3D2037614681%26a%3Dwncy_dmontlsfs_16_28%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome%2BSingle%2BLanguage&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3684574227-2233368907-3675068148-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491384855&z=7451f11d3234ea90919bbe8gcz2t1gccbb7z9b1w3m&from=che0812&uid=WDCXWD10JPVX-75JC3T0_WXQ1E25FYY3FE25FYY3F&q={searchTerms}
Edge HomeButtonPage: HKU\S-1-5-21-3684574227-2233368907-3675068148-1001 -> hxxp://www.startpageing123.com/?type=hp&ts=1488547528&z=bc874081086da71d084cc4egcz7bfbcw5z8m2wec8g&from=che0812&uid=WDCXWD10JPVX-75JC3T0_WXQ1E25FYY3FE25FYY3F
FF SearchPlugin: C:\Users\dell\AppData\Roaming\Mozilla\Firefox\Profiles\cvlq9nwv.default\searchplugins\startpageing123.xml [2017-03-29]
HKU\S-1-5-21-3684574227-2233368907-3675068148-1001\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Hipmy\Application\chrome.exe <==== ATTENTION
R2 FirefoxU; C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe [106160 2017-03-02] ()
R2 WinSAPSvc; C:\Users\dell\AppData\Roaming\WinSAPSvc\WinSAP.dll [553984 2017-04-11] (Windows) [File not signed]
R2 WinSnare; C:\Users\dell\AppData\Roaming\WINSNARE\WinSnare.dll [1291776 2017-04-05] (InterSect Alliance Pty Ltd) [File not signed] <==== ATTENTION
S4 clean; C:\Users\dell\AppData\Roaming\clean\kyubey.exe -s [X]
S2 ed2kidle; "C:\Program Files (x86)\amuleCexx\ed2k.exe" -downloadwhenidle [X]
S2 FirefoxDL; "C:\Users\dell\AppData\Local\Temp\1\QQBrowser.exe" -isvc [X] <==== ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
S2 Kyubey; C:\Users\dell\AppData\Roaming\Kyubey\Kyubey.exe -s [X]
S4 LegassSU; "C:\Users\dell\AppData\Local\Temp\1\ttff.exe" /i [X] <==== ATTENTION
S2 Timcultgrrocult; C:\Program Files (x86)\Sewasemhient\phhuwardactioncll.dll [X]
S1 iSafeKrnlMon; \??\C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlMon.sys [X]
2017-04-11 22:52 - 2017-03-07 16:55 - 00003660 _____ C:\WINDOWS\System32\Tasks\Milimili
2017-04-11 22:52 - 2017-02-27 22:58 - 00000000 ____D C:\Users\dell\AppData\Roaming\WinSAPSvc
CustomCLSID: HKU\S-1-5-21-3684574227-2233368907-3675068148-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\dell\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
Task: {5C4F1D25-31DB-4634-A596-0021634FCC47} - System32\Tasks\Drihspsheretain => msiexec /i hxxp://d2buh1bf1g584w.cloudfront.net/msi/rel.php?u=WDCXWD10JPVX-75JC3T0_WXQ1E25FYY3FE25FYY3F&amp;v=2017129 /q <==== ATTENTION
Task: {8176B455-889E-42C9-A95A-415B9E9A3102} - \MySQL\Installer\ManifestUpdate -> No File <==== ATTENTION
Task: {91755A70-509A-4881-A51E-408A9DF89E33} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\Windows\TEMP\DeleteFolderTask.exe  <==== ATTENTION
Task: {ADAF74F8-1881-4B4C-AB9C-FDB9196976B1} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-04-11] ()
ShortcutWithArgument: C:\Users\dell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.startpageing123.com/?type=sc&ts=1488547528&z=bc874081086da71d084cc4egcz7bfbcw5z8m2wec8g&from=che0812&uid=WDCXWD10JPVX-75JC3T0_WXQ1E25FYY3FE25FYY3F
2017-03-03 21:05 - 2017-03-02 13:47 - 00106160 _____ () C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{A3C0D5C7-8955-4382-9F8D-E03536C4E558}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{EDED0BED-012D-40DA-A6DF-38D71B8122BE}] => (Allow) C:\Program Files (x86)\MIO\loader\wdcxwd10jpvx-75jc3t0_wxq1e25fyy3fe25fyy3f.dat
FirewallRules: [{FFB43E28-7958-4CB5-AEA1-840C467E1531}] => (Allow) C:\Program Files (x86)\MIO\loader\wdcxwd10jpvx-75jc3t0_wxq1e25fyy3fe25fyy3f.dat
EmptyTemp:
End
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.


How is the computer running now?
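The fixlist above is assembled from lines of FRST's own report. As an added example that is not part of the thread or of FRST, the Python script below applies a few defender-side triage rules to a handful of those lines, making the selection criteria visible: a service whose image lives under a user profile or Temp, an image that is unsigned or carries no publisher, an orphaned service entry, a scheduled task that fetches an MSI from a remote URL, and the Image File Execution Options debugger set on taskmgr.exe. The sample input is taken from the fixlist quoted above (FRST writes URLs defanged as `hxxp`).

```python
"""Triage FRST report lines for persistence indicators.

Added example, not part of the thread and not FRST's own code: a few defender-side
rules applied to the service, scheduled-task and IFEO lines quoted in the fixlist
above, showing why those entries were selected for removal.
"""
import re

# Service line: "<state> <name>; <image path and args> [<size> <date>] (<publisher>) [flags]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<rest>.*)$")
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<task>\S+) => (?P<cmd>.*?)(?: <==== ATTENTION)?$")
IFEO_RE = re.compile(r"^IFEO\\(?P<exe>[^:]+): \[Debugger\]\s*(?P<debugger>.*)$")
# Locations a standard user can write to; a service image should not live there.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.IGNORECASE)
SEV = {"info": 0, "medium": 1, "high": 2}


def _image_path(rest):
    """Extract the image path (quoted or bare) from the text after 'name; '."""
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|dll|sys))(?:\s|$)", rest, re.IGNORECASE)
    return m.group(1) if m else rest.split(" [", 1)[0].strip()


def _verdict(name, kind, reasons):
    """reasons is a list of (severity, text); the overall severity is the maximum."""
    severity = max((s for s, _ in reasons), key=SEV.__getitem__, default="info")
    return {"name": name, "kind": kind, "severity": severity,
            "reasons": [t for _, t in reasons]}


def triage_line(line):
    """Classify one FRST line; returns a verdict dict, or None for unhandled lines."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        rest = m.group("rest")
        path = _image_path(rest)
        flags = re.findall(r"\[([^\]]+)\]", rest)       # e.g. ["File not signed"] or ["X"]
        pub = re.search(r"\] \(([^)]*)\)", rest)         # "(publisher)" after [size date]
        reasons = []
        if USER_WRITABLE_RE.search(path):
            reasons.append(("high", "image runs from a user-writable profile/Temp location"))
        if "File not signed" in flags:
            reasons.append(("high", "image is not Authenticode signed"))
        if pub is not None and pub.group(1) == "":
            reasons.append(("medium", "image carries no publisher/version information"))
        if "X" in flags:
            reasons.append(("medium", "service is registered but its image file is missing"))
        return _verdict(m.group("name"), "service", reasons)
    m = TASK_RE.match(line)
    if m:
        cmd = m.group("cmd")
        reasons = []
        if "msiexec" in cmd.lower() and re.search(r"hxxps?://", cmd):  # FRST defangs http as hxxp
            reasons.append(("high", "task installs an MSI fetched from a remote URL"))
        if USER_WRITABLE_RE.search(cmd):
            reasons.append(("high", "task runs an image from a user-writable location"))
        if re.search(r"\] \(\)\s*$", cmd):
            reasons.append(("medium", "task image carries no publisher/version information"))
        return _verdict(m.group("task").rsplit("\\", 1)[-1], "task", reasons)
    m = IFEO_RE.match(line)
    if m:
        # A Debugger value under Image File Execution Options makes Windows launch that
        # debugger in place of the program; set on taskmgr.exe it disables Task Manager.
        return _verdict(m.group("exe"), "ifeo", [("high", "IFEO debugger set on this program")])
    return None


def triage(text):
    """Triage every line of a report excerpt; return flagged entries, highest severity first."""
    hits = [v for v in map(triage_line, text.splitlines()) if v and v["reasons"]]
    return sorted(hits, key=lambda v: -SEV[v["severity"]])


# Lines taken from the thread's fixlist above (thread data, not constructed).
SAMPLE_FIXLIST = r"""
IFEO\taskmgr.exe: [Debugger]
GroupPolicy: Restriction <======= ATTENTION
R2 FirefoxU; C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe [106160 2017-03-02] ()
R2 WinSAPSvc; C:\Users\dell\AppData\Roaming\WinSAPSvc\WinSAP.dll [553984 2017-04-11] (Windows) [File not signed]
R2 WinSnare; C:\Users\dell\AppData\Roaming\WINSNARE\WinSnare.dll [1291776 2017-04-05] (InterSect Alliance Pty Ltd) [File not signed] <==== ATTENTION
S4 clean; C:\Users\dell\AppData\Roaming\clean\kyubey.exe -s [X]
S2 FirefoxDL; "C:\Users\dell\AppData\Local\Temp\1\QQBrowser.exe" -isvc [X] <==== ATTENTION
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
Task: {5C4F1D25-31DB-4634-A596-0021634FCC47} - System32\Tasks\Drihspsheretain => msiexec /i hxxp://d2buh1bf1g584w.cloudfront.net/msi/rel.php?u=WDCXWD10JPVX-75JC3T0_WXQ1E25FYY3FE25FYY3F&v=2017129 /q <==== ATTENTION
Task: {ADAF74F8-1881-4B4C-AB9C-FDB9196976B1} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-04-11] ()
"""

if __name__ == "__main__":
    for v in triage(SAMPLE_FIXLIST):
        print("%-6s %-7s %-16s %s" % (v["severity"], v["kind"], v["name"], "; ".join(v["reasons"])))
```

Entries FRST marks `[X]` have no image on disk any more, so they rank below live services in a user profile; the unsigned WinSnare and WinSAPSvc DLLs running as services from `AppData\Roaming` are exactly what the first post describes reinstalling itself.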



#10 Klyash

  • Topic Starter


Posted 11 April 2017 - 04:35 PM

Though the PC is working fine, Firefox keeps closing itself and visibility of hidden files is turned on from time to time.

Fixlog.txt

Attached Files



#11 Jo*

  • Malware Response Team

Posted 11 April 2017 - 05:06 PM

Step 1: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Step 2: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Step 3: How is the computer running now?


***


Step 4: FRST / FRST64: run it again.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the box next to Addition.txt and press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.


#12 Klyash

  • Topic Starter


Posted 12 April 2017 - 06:53 AM

Can I reinstall Firefox?
I am using IE right now, and it still has startpageing123 as its homepage.

Attached Files



#13 Jo*

  • Malware Response Team

Posted 12 April 2017 - 08:13 AM

Can I reinstall Firefox?
I am using IE right now, and it still has startpageing123 as its homepage.

The IE Start Page should be a blank page:
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank

Or do you mean the Search Page = hxxp://www.ourluckysites.com/search/?

---

Uninstall Firefox completely using this manual: http://kb.mozillazine.org/Uninstalling_Firefox
NOTE: Use MozBackup: http://mozbackup.jasnapaka.com/ to back up your bookmarks and passwords.
Do NOT back up anything else.
Install a fresh copy.

Install only the plugins that you really need!

---

Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

***


How is the computer running now?


***




#14 Klyash

  • Topic Starter


Posted 12 April 2017 - 10:56 AM

I installed Firefox. I also updated Adobe Flash Player.
I am attaching a screenshot of the default homepage of IE. I removed it from the settings, but it was set again when I restarted my browser.

Attached Files

  • Attached File: aas.PNG (21.93KB)


#15 Klyash

  • Topic Starter


Posted 12 April 2017 - 11:42 AM

MBAM Log Files--

Attached Files





