Everything is infected - Worst situation in past 10+ years


  • This topic is locked
35 replies to this topic

#1 Andrei0


Posted 20 July 2017 - 10:56 AM

Hello All,

After countless attempts to clean all viruses, malware, spyware, worms etc. from my computer via multiple cleaning tools, I have come here to ask for assistance, if someone would be so kind as to please help. A few of the recognized problems I am facing are (Lenovo, Windows 10 64-bit, 3.4 GHz, 32 GB RAM):

 

1. Slow performance of the computer, particularly but not only on start-up or reboot after the desktop already appears.
2. A lot of unwanted pop-ups. Some as stand-alone applications, but the majority of them inside web browsers (both Firefox, which I use 99% of the time, and IE).
3. I am being forced to open particular links via IE while I want them to be opened via Firefox, even if Firefox is set as the default browser.
4. In MS Office 2013 Pro (particularly but not only Excel and Outlook) I cannot even open hyperlinks due to an error message saying they cannot be opened.
5. A high quantity, talking about thousands, of very weird entries (referring to their names) in Registry Editor similar to: G490890HJH23407FDGHHD0898904B
6. A high quantity of Registry Editor entries related to applications I have never installed or uninstalled a long time ago. Just like in the 5th problem, neither CCleaner nor Abexo helps.
7. Firefox is shutting down automatically, immediately destroying all the work I am doing and all currently opened tabs. Since I use IE extremely rarely, I haven't noticed this problem in IE.
8. Large ''addon corruption'' errors in Firefox causing it to freeze.
9. My internal hard drive is C and it contains three ''Program'' folders: Program Files, Program Files (x86), Program Data. I would like to separate this 9th problem into three different subproblems:

9.1 The folder ''Program Files'' was recently, and always in the past, named in the local language and not in English. My Windows is in the local language. I haven't been changing the language and it seems like some virus/malware/spyware/worm/etc. renamed it to the English term. Updating Windows didn't cause this.

9.2 The folder ''ProgramData'' was previously ''Program Data''.

9.3 All three folders are all the time getting new subfolders added that I don't install on my own, nor do I recognize them.

10. It happened that the fonts of the desktop icons got completely changed also: style, size. Even the icons' size got changed.
11. New applications, most likely malware, are being automatically installed all the time.
12. Windows Defender is all the time reporting problems, but a very small amount (e.g. 2).
13. Both Firefox and IE windows are automatically opening to unwanted websites. (I believe I partially mentioned this in problem number 2.)
14. I noticed that Firefox is giving me for 90% of websites the error message ''Your connection is not secure'' and for the majority of those websites I am REQUIRED to add a security exception in order to visit the websites. For some websites I don't even see the possibility to add an exception.
15. Firefox all the time shows me some unwanted, completely unknown home page when running it (it = Firefox). I have always had a blank page as home page. But different websites are added as home page - all of them unwanted ones.
16. Both CCleaner and Skype are getting the feature ''run when Windows starts'' turned off automatically. This causes the problem that every time I run those two programs, I need to manually look for them.
17. Unwanted contacts are all the time being added to Skype. I don't know those people. They keep appearing in my list. I never added them, nor did I give any contact permission if anyone else added me, but I'm sure they didn't.
18. Control Panel - an unwanted new icon ''Playing Games'' appeared there.

 

etc. - I have been noticing more problems also.

 

Logs are in attachment.

 

Nothing from the past 10 years comes even close to the current situation in terms of how infected my computer is. I am unable to do anything. Everything is infected. Everything.

 

 

I tried to clean up with the tools I found, but nothing helps. Your assistance would be highly appreciated.

 

#2 nasdaq


Posted 21 July 2017 - 09:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Amigo (HKU\S-1-5-21-3349261695-2154521845-2584642868-1001\...\Amigo) (Version: 56.0.2924.197 - Mail.Ru) <==== ATTENTION
Yahoo! Messenger (HKLM-x32\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction - Windows Defender <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
Toolbar: HKU\S-1-5-21-3349261695-2154521845-2584642868-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF user.js: detected! => C:\Users\Uporabnik\AppData\Roaming\Mozilla\Firefox\Profiles\t4vp2qx6.default-1446832988670\user.js [2017-05-09]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\t4vp2qx6.default-1446832988670 -> ?????@Mail.Ru
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\t4vp2qx6.default-1446832988670 -> ?????@Mail.Ru
FF Homepage: Mozilla\Firefox\Profiles\t4vp2qx6.default-1446832988670 -> hxxps://mail.ru/cnt/11956636?fr=ffhp1.0.3
FF ProfilePath: C:\Users\Uporabnik\AppData\Roaming\Firefox\Firefox\Profiles\t4vp2qx6.default-1446832988670 [2017-02-15] <==== ATTENTION
FF Homepage: Firefox\Firefox\Profiles\t4vp2qx6.default-1446832988670 -> about:home
FF NetworkProxy: Firefox\Firefox\Profiles\t4vp2qx6.default-1446832988670 -> type", 0
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
S1 arefzzhgq.sys; C:\WINDOWS\system32\drivers\arefzzhgq.sys [15424 2017-07-13] () [File not signed]
S1 exitpsqyx.sys; C:\WINDOWS\system32\drivers\exitpsqyx.sys [15424 2017-07-20] () [File not signed]
S1 qlgurlsvn.sys; C:\WINDOWS\system32\drivers\qlgurlsvn.sys [15424 2017-07-12] () [File not signed]
R1 qsmvgmwdd.sys; C:\WINDOWS\system32\drivers\qsmvgmwdd.sys [121200 2017-07-20] () [File not signed]
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} =>  -> No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} =>  -> No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} =>  -> No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} =>  -> No File
ContextMenuHandlers01: [SugarSync] -> {305BC11B-5175-492B-B569-866547FCDA40} =>  -> No File
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers05: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers06: [SugarSync] -> {305BC11B-5175-492B-B569-866547FCDA40} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
Task: {0779B6BD-E784-46E1-A7E0-B4612BB01073} - \Norton Security Scan for Levak -> No File <==== ATTENTION
Task: {0831083B-8E41-4F2F-870E-FA3E76BC4302} - \Lenovo\LSC\LSCHardwareScanPostpone -> No File <==== ATTENTION
Task: {094CD275-5C71-4753-B57E-5566CA859498} - \Microsoft\Windows\SideShow\AutoWake -> No File <==== ATTENTION
Task: {0AD02914-2CC4-4B4C-AB09-F8716EA74C43} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display -> No File <==== ATTENTION
Task: {0F533730-4C72-4034-807A-8EDA1FA09F8D} - \Lenovo\Lenovo Solution Center Launcher -> No File <==== ATTENTION
Task: {0F6DBBD1-1FA5-490B-A482-1F43FCC689E6} - \Microsoft\Windows\SideShow\SystemDataProviders -> No File <==== ATTENTION
Task: {19295C7D-C8A1-4B56-B44A-6582A1CC753A} - \ParetoLogic Registration3 -> No File <==== ATTENTION
Task: {19A3017D-AEDC-4BC3-A4BD-DA532FAF3E49} - \Microsoft\Windows\PLA\LSC Memory -> No File <==== ATTENTION
Task: {1A4230A2-E136-4936-9B22-DDF624BB8332} - \Microsoft\Windows\IME\SQM data sender -> No File <==== ATTENTION
Task: {1B9AF3D3-97BD-4E67-933F-3A1BB5D1EC79} - \Microsoft\Windows\UpdateOrchestrator\Policy Install -> No File <==== ATTENTION
Task: {1C12F6D5-B6F4-4438-B68B-F46A42570BA9} - \Microsoft\Windows\WindowsUpdate\AUFirmwareInstall -> No File <==== ATTENTION
Task: {29ED74FC-2A29-4B43-AAC3-7B3584A8C2F4} - \Microsoft\Windows\WindowsUpdate\AUSessionConnect -> No File <==== ATTENTION
Task: {2A767A1A-6DF2-4490-89AF-EE64AFADC9AF} - \Microsoft\Windows\MUI\Lpksetup -> No File <==== ATTENTION
Task: {2CA3CC00-5B78-4565-B045-E71AC1107269} - \Microsoft\Windows\WindowsUpdate\AUScheduledInstall -> No File <==== ATTENTION
Task: {2F6C8A3F-3EEB-481B-9EF3-4E6D93703C3E} - \Lenovo\LSC\Time72Task -> No File <==== ATTENTION
Task: {3E49052A-4BE6-40C6-828E-8A29B03C0528} - \ParetoLogic Update Version3 -> No File <==== ATTENTION
Task: {4520E8A9-AF06-4122-859B-E4B655B29B36} - \Microsoft\Windows\AppID\SmartScreenSpecific -> No File <==== ATTENTION
Task: {47828933-3978-4CB6-8014-9030BC0ED618} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {4F2AFA0C-1D66-450F-BA90-8E5C2E0FD59C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {505D08C3-3C9C-420B-8EF0-1DA30EDD8885} - \Microsoft\Windows\MUI\Mcbuilder -> No File <==== ATTENTION
Task: {51B7FB15-4DCB-400E-9A98-10E802F21FB3} - \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceScreenOnOff -> No File <==== ATTENTION
Task: {5A3FB241-0B11-4EA5-BC66-0D9F1B406040} - \Microsoft\Windows\Customer Experience Improvement Program\BthSQM -> No File <==== ATTENTION
Task: {62C47028-7886-43DE-BAA1-7EFC83DBF85C} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {62CF6675-6B84-4827-B131-F11BFC05E6CD} - System32\Tasks\Microsoft\Windows\Multimedia\Manager => C:\Windows\Manager.exe
Task: {63387002-B60F-4EA2-BA38-92BC3889A7AC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6C129B53-A416-4EA8-BFB6-543F1C5760B1} - \Microsoft\Windows\Shell\FamilySafetyUpload -> No File <==== ATTENTION
Task: {6DFCB649-0769-4F83-BB10-F60F235F6D3D} - \Microsoft\Windows\SkyDrive\Idle Sync Maintenance Task -> No File <==== ATTENTION
Task: {72319288-85B2-481C-833C-775FB5EE5E6B} - \Lenovo\LSC\LSCHardwareScan -> No File <==== ATTENTION
Task: {75D7510F-DDC7-48E4-9BF7-5AE620EB896B} - \Microsoft\XblGameSave\XblGameSaveTaskLogon -> No File <==== ATTENTION
Task: {7E882950-1225-4D67-A702-DE7168DAE9D9} - \Lenovo\Lenovo Customer Feedback Program 64 -> No File <==== ATTENTION
Task: {847F1BAD-23DF-4026-AFFF-C5F9E7DC6BC9} - \Intel(R) Small Business Advantage\Notifier -> No File <==== ATTENTION
Task: {865C0EE0-DF6A-4717-8266-343E6B6B9468} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {872D0E53-FD2E-41E3-B431-698AF82882CE} - \Microsoft\Windows\SkyDrive\Routine Maintenance Task -> No File <==== ATTENTION
Task: {8B6759EE-1C08-4B8F-955C-774AB5A6544E} - \Microsoft\Windows\SideShow\SessionAgent -> No File <==== ATTENTION
Task: {91DF7AF0-8EA6-4E07-84CA-465A2E3AF462} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A1F64D6A-4069-47DF-BAFC-A44DF929DBA3} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {A480128A-D30A-4758-9357-B387C6F7A448} - \Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate -> No File <==== ATTENTION
Task: {AEE87E78-DAA1-424D-9BAE-64FE74D816E7} - \System\SystemCheck -> No File <==== ATTENTION
Task: {B0A7ED8D-F4F4-4F07-B68E-E05F6579873C} - \Microsoft\Windows\ErrorDetails\ErrorDetailsUpdate -> No File <==== ATTENTION
Task: {B320E058-C6FA-413F-876B-0C9B4428AE66} - \Microsoft\Windows\DeviceDirectoryClient\RegisterDevicePeriodic6 -> No File <==== ATTENTION
Task: {BFC818AC-70B2-482F-8A42-1A14A542B20A} - \Lenovo\Dependency Package Auto Update -> No File <==== ATTENTION
Task: {C4AE3C3E-C327-4689-B6FD-C11FB31AE88B} - \Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler -> No File <==== ATTENTION
Task: {C6B2579B-4962-4D12-883D-BBD420573A6C} - \Microsoft\Windows\DeviceDirectoryClient\RegisterDevicePeriodic1 -> No File <==== ATTENTION
Task: {C8AB6BAB-3F8C-4169-B001-9A964BDADB66} - \ParetoLogic Update Version3 Startup Task -> No File <==== ATTENTION
Task: {C9ACBFD2-20AA-4A3F-BE1A-A3D5279BB1BB} - \Microsoft\Windows\Plug and Play\Plug and Play Cleanup -> No File <==== ATTENTION
Task: {C9DCF59E-6B97-4C0C-8641-B8261089C8CA} - \Microsoft\Windows\MobilePC\HotStart -> No File <==== ATTENTION
Task: {CB4B526E-29ED-4FA6-9DE0-8E7CAE577CE9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {CE2DE968-E342-40D7-9566-427D45E4A886} - \Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor -> No File <==== ATTENTION
Task: {D19A2726-897E-4F7D-9CE4-0773B449CE9E} - \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceConnectedToNetwork -> No File <==== ATTENTION
Task: {D1B81547-C7EC-4CE5-BF4A-C11684F8569D} - \Lenovo\LSC\Lenovo Solution Center Notifications -> No File <==== ATTENTION
Task: {D30A18DA-1853-4AEC-8BFC-52EA5B06A4E3} - \Microsoft\Windows\WindowsUpdate\Scheduled Start With Network -> No File <==== ATTENTION
Task: {D407E6A8-1483-4F01-94FE-0915C7ADA0FB} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {DB21EF32-6BA9-4118-BBC1-BC4FF48961E5} - \Microsoft\Windows\SideShow\GadgetManager -> No File <==== ATTENTION
Task: {DBA09BB9-6440-412A-834A-2BDBB9D685D4} - \Lenovo\Lenovo Customer Feedback Program 64 35 -> No File <==== ATTENTION
Task: {DBB6A085-16B7-49FC-85A9-584612C68F2B} - \Lenovo\LSC\RebootCountTask -> No File <==== ATTENTION
Task: {DFE80F9F-D11E-486B-BAA6-1AC9BBE4E14E} - \ASUS\ASUS Product Register Service -> No File <==== ATTENTION
Task: {E465E548-DD4E-4B53-8578-58617638BE0E} - \Microsoft\Windows\RemovalTools\MRT_HB -> No File <==== ATTENTION
Task: {E6208CC9-A451-4509-B375-483CA9781251} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {E9BB7B3D-01B2-4C6F-8B39-91FB35FF1C5B} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {F24FDA55-6D75-4ACF-AF1F-5EC68CD97277} - \Lenovo\Lenovo Customer Feedback Program -> No File <==== ATTENTION
Task: {F6309E66-8415-4641-A250-40C2F9857251} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {FD303B05-6B84-49C8-BC65-819141CF7194} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\ParetoLogic Registration3.job => rundll32.exe  C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\UUS3.dll <==== ATTENTION
Task: C:\WINDOWS\Tasks\ParetoLogic Update Version3 Startup Task.job => C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\ParetoLogic Update Version3.job => C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe <==== ATTENTION
Shortcut: C:\Users\Uporabnik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\?????????.lnk -> C:\Users\Uporabnik\AppData\Local\Amigo\Application\amigo.exe (No File) <==== Cyrillic
Shortcut: C:\Users\Uporabnik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\?????????????.lnk -> C:\Users\Uporabnik\AppData\Local\Amigo\Application\amigo.exe (No File) <==== Cyrillic
Shortcut: C:\Users\Uporabnik\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\?????????.lnk -> C:\Users\Uporabnik\AppData\Local\Amigo\Application\amigo.exe (No File) <==== Cyrillic
Shortcut: C:\Users\Uporabnik\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\?????????????.lnk -> C:\Users\Uporabnik\AppData\Local\Amigo\Application\amigo.exe (No File) <==== Cyrillic
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP => ""="service"
FirewallRules: [{5C3C30A4-7CA3-4F0F-92FF-FE4D8E1AA916}] => (Allow) C:\Users\Uporabnik\AppData\Local\Amigo\Application\amigo.exe
C:\Windows\Manager.exe
C:\Program Files (x86)\Common Files\ParetoLogic
C:\Users\Uporabnik\AppData\Local\Amigo
C:\WINDOWS\system32\drivers\arefzzhgq.sys
C:\WINDOWS\system32\drivers\exitpsqyx.sys
C:\WINDOWS\system32\drivers\qlgurlsvn.sys
C:\WINDOWS\system32\drivers\qsmvgmwdd.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/
====

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
===

Please post the logs and let me know what problem persists with this computer.

#3 Andrei0


Posted 21 July 2017 - 06:41 PM

Oh my God. All my Firefox bookmarks are now gone. ALL. Also addons are gone. Following the instructions for resetting Firefox didn't help. I got one weird and very much unwanted folder named ''Old Firefox Data'' on the desktop. This folder is very annoying and hopefully I will get rid of it soon. However, one of its subfolders, which is named ''bookmarkbackups'', is empty. I am now EXTREMELY WORRIED about my bookmarks. I had a lot of them, they were very very very important for me and I was using them all the time. Every hour. Oh my God. Those bookmarks are required for me and I don't have them anymore!! Please, pretty please, tell me how to get them back in identical order and bookmark folders. Same for addons. Even saved passwords are gone! I don't have them anymore, but by far the biggest disaster and worry are the bookmarks.

Also I noticed an issue with Firefox: it opens another (second) Firefox icon in the taskbar (Windows 10). In the past I solved this issue in the following way: Step 1: I removed the icon from the taskbar. Step 2: I went to the installation folder, e.g. Program Files\Mozilla Firefox. Step 3: I renamed the main folder ''Mozilla Firefox'' to something completely random; usually I added just one random letter and number at the end, e.g. ''Mozilla Firefoxd3''. Step 4: I opened this folder and searched for firefox.exe. Step 5: I right-clicked said file and pinned it to the taskbar. This resulted in Firefox NOT making another icon in the taskbar as soon as it is opened. Now this solution doesn't work anymore. I repeat again that there is no way I will relax without having my bookmarks there. My life depends on them.

The program adwcleaner_7.0.0.0 produced 2 logs, so in total I am attaching 3 logs.

I also installed new updated Java.

Also: We are far far far away from having the problem solved. Not just due to the giant disaster with Firefox but also from the aspect of malware - no changes yet compared to the situation before. However, I would already now like to thank you for taking the time to reply to this topic. I should have said this at the beginning of my reply, but the Firefox problem, particularly the bookmarks, destroyed me. Even if we have a very long road ahead of us, I will be waiting, patiently but EXTREMELY ANXIOUSLY (worried), for your reply.

 

EDIT (this paragraph was added several hours after I typed the previous content of THIS message): I could not sleep because of this and spent the entire night trying to get back all my bookmarks/passwords/addons/etc. I tried to add ALL available previous Firefox profiles on the entire hard drive via ''Troubleshooting information''. None of them had the previous settings available!!! FRST destroyed my entire Firefox. Even the online banking certificate is gone. Everything is gone.

 

EDIT2 (approximately one hour after the first edit): While being in huge panic, not getting a reply from you, I am trying to do everything that is humanly possible to get back my normal Firefox. I even found another very severe problem: when I press Ctrl+T to open a new tab in the same Firefox window, I get extremely annoying (although not as much as the folder ''Old Firefox Data'' on the desktop is) squares (three lines and each line has 5 squares) graphically showing which websites I have recently visited. This has never happened to me before, and since the malware/worms/spyware/viruses/etc. are not yet cleaned and the situation is the same as it had been before, I am in an even bigger problem than I was. NASDAQ, if you could please help me with this, as my computer is completely useless at this time. My life depends on Firefox. Each of the 18 problems reported in my first post is still here. I was trying to use ''about:profiles'', which is one of the possible ways to deal with the Firefox problem - I found it when doing my research - but I get the error message ''address is not valid''. I also did the following: Bookmarks menu\Show All Bookmarks\Import And Backup\Restore. However, in this submenu ''Restore'' there is nothing to be restored.

Edited by Andrei0, 22 July 2017 - 05:08 AM.


#4 nasdaq


Posted 22 July 2017 - 07:42 AM

I can understand your dilemma but you have been hit by a new type of bonett which has compromised your computer.

I was made aware of this infection and topic this morning.

Read about it.
http://www.spywareinfoforum.com/topic/118846-spam-frauds-fakes-and-other-malware-deliveries/page-40#entry800557

You may have to register to see the topic.


More reading.
https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf

===

I can only suggest that you restore your computer to the factory level if at all possible.

If not, format the computer and reinstall the operating system and all the applications.

Save all your important files and documents to an external flash drive before proceeding.


Good luck.

Edited by nasdaq, 22 July 2017 - 07:43 AM.


#5 Andrei0


Posted 22 July 2017 - 07:57 AM

New type of what? What is ''bonett''?

 

Regarding your first link: in the content of that link there are two image files from the content of emails. I haven't received any such mail with an Excel attachment. Therefore I haven't downloaded anything like that.

 

Restoring the computer won't work because I urgently need my Firefox settings, particularly but not only Bookmarks, back. Also I don't have such a source of installation (CD) because Windows 10 was installed on the computer when I bought it. Therefore I cannot format it either. Formatting wouldn't bring back all Firefox settings.



#6 nasdaq


Posted 22 July 2017 - 10:01 AM

Formatting would remove everything.


See if you can restore your Firefox backup from the backup.

https://support.mozilla.org/en-US/questions/1037683
Reading your last remarks it may not be possible.
===

Do you sync your bookmarks with a phone or tablet?
https://support.mozilla.org/en-US/kb/sync-bookmarks-tabs-history-and-passwords-android

If not possible then if you have bookmarks with Chrome and or Internet Explorer they can be exported to Firefox.
===

Please run the Farbar program and post fresh FRST and Addition.txt log for my review.

Make sure that you marked the box to create a new Addition.txt log.

#7 Andrei0


Posted 22 July 2017 - 10:22 AM

On the following location:

Bookmarks menu\Show All Bookmarks\Import And Backup\Restore

There is only some useless entry named by today's date. Nothing else.

However if I go to the following path:

C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles

while being aware that, for a reason unknown to me, the system allows me to search for JSON-type files only,

I see four folders. Unfortunately all of them are from today's date, BUT fortunately in a few (I believe three out of four) of those folders the subfolders ''bookmarkbackups'' are NOT empty and the files inside include a different date (fortunately older) than today's date or yesterday's date. However, the reasons why I haven't been using any of those folders in

C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles

are (referring to the reasons) two:

1. As far as I know, in the most ideal way, they would restore for me what is the most important: bookmarks, but other settings (squares/thumbnails to be removed as previously mentioned, addons, saved passwords, online banking certificate) wouldn't be restored. If I restore bookmarks, this doesn't mean other settings would be restored too.

2. I have no idea which file, and from which (out of 4) folder, I should choose and what to do with it. On request I may provide a DIR copy with folder names and file names of everything in ''Profiles''.

I don't have phone or tablet. Bookmarks and other settings are not saved anywhere else because in 99% of times I am using Firefox only.

Requested two files are in attachment. So far it seems like entire computer is still infected but due to Firefox problem, situation is even worse.

Edited by Andrei0, 22 July 2017 - 10:23 AM.


#8 nasdaq


Posted 22 July 2017 - 01:14 PM

Traces of this infection found on the FRST log just submitted.
Removal instructions from Malwarebytes.
https://forums.malwarebytes.com/topic/181989-removal-instructions-for-yessearches/

Step 1: Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF ProfilePath: C:\Users\Uporabnik\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1 [2017-07-22]
S1 ngasrpgom.sys; C:\WINDOWS\system32\drivers\ngasrpgom.sys [15424 2017-07-22] () [File not signed]
R1 qmdqqamwd.sys; C:\WINDOWS\system32\drivers\qmdqqamwd.sys [121200 2017-07-22] () [File not signed]
C:\WINDOWS\system32\drivers\ngasrpgom.sys
C:\WINDOWS\system32\drivers\qmdqqamwd.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

===
Let's deal with the FF ProfilePath: C:\Users\Uporabnik\Desktop\Old Firefox Data [2017-07-22]

Read these instructions
https://support.mozilla.org/en-US/questions/1097939

I think that you should use this default browser profile if available.
C:\Users\Uporabnik\AppData\Roaming\Mozilla\Firefox\Profiles\qlgg77nz.default-1500678382414

p.s.
DO NOT REMOVE THE \Old Firefox Data folder until all is well.


===

After a restart please run the Farbar tool again and this time post only the FRST log for my review.
I want to check if some bad drivers are spawning such as these that were not in your first FRST log.
C:\WINDOWS\system32\drivers\ngasrpgom.sys
C:\WINDOWS\system32\drivers\qmdqqamwd.sys

#9 Andrei0

Andrei0
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 22 July 2017 - 04:03 PM

Two infections found by Malwarebytes Anti-Malware were moved to Quarantine. Do I delete the Quarantine's content inside Malwarebytes Anti-Malware?

 

Both logs are in attachment.

 

In my first message I briefly described the situation on my computer and, out of the many problems I have, I listed 18 of them. Solved are: 10, 11 (I don't see unwanted installations anymore), 12, 14, 15, 16 (note: I didn't forget to type 17, because this problem remains - could it be malware inside Skype?), but the others are not solved yet.

 

As 4: I am still getting errors when trying to open legitimate links in emails from well known people in Outlook.

As 5, 6: Here we are talking about thousands of unwanted entries. They are everywhere in regedit.

etc

 

I am already using default profile ''qlgg77nz.default-1500678382414'' but everything in Firefox is still gone.

 

I don't know what exactly I should do with the ''Old Firefox Data'' folder which is located on the desktop. Its subfolder ''bookmarkbackups'' is empty! I tried to add ''Old Firefox Data'' to ''About Profiles'', added a new profile (the ''Old Firefox Data'' profile) and launched it in a new browser. It's not working. In the new browser, after being launched, the bookmarks are NOT back and therefore I automatically assume nothing else could be restored either.

 

New FRST log is in attachment too.

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:06 AM

Posted 23 July 2017 - 06:39 AM

Hi,
 

Two infections found by Malwarebytes Anti-Malware were moved to Quarantine. Do I delete the Quarantine's content inside Malwarebytes Anti-Malware?

Yes but no rush. The items deleted are not active.

===

You definitely have a rootkit infection. These have spawned.
S1 dloyfxvya.sys; C:\WINDOWS\system32\drivers\dloyfxvya.sys [15424 2017-07-22] () [File not signed]
R1 iztaedovv.sys; C:\WINDOWS\system32\drivers\iztaedovv.sys [121200 2017-07-22] () [File not signed]

We have to find the source.

Malwarebytes Anti-Rootkit

Please download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
  • =======
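
Added example, not part of nasdaq's instructions and not code from FRST, RogueKiller or any other tool named in this thread: a read-only PowerShell audit that reproduces the check behind the fixlist in post #8 and the "these have spawned" observation above. It walks every kernel-mode driver service registered under HKLM\SYSTEM\CurrentControlSet\Services, resolves the ImagePath the way the service control manager does, and reports drivers whose file on disk has no valid Authenticode signature (FRST's "[File not signed]"), or whose file is missing altogether. Function names and the nine-letter-name heuristic are my own; on Windows 8 and later Get-AuthenticodeSignature also honours catalog signatures, on older systems catalog-signed inbox drivers may show as NotSigned, so treat the output as a review list, not a verdict.

```powershell
# Added example (not from the thread): list kernel drivers whose binary is
# unsigned or missing. Read-only; run from an elevated PowerShell prompt.

function Resolve-DriverPath {
    param([string]$ImagePath)
    # ImagePath values come in several shapes: "\SystemRoot\system32\drivers\x.sys",
    # "system32\drivers\x.sys", "\??\C:\...\x.sys" or a plain absolute path.
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnsignedKernelDrivers {
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file system driver; user-mode services are skipped.
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        if (-not $props.ImagePath) { continue }
        $path = Resolve-DriverPath $props.ImagePath
        if (-not (Test-Path -LiteralPath $path)) {
            # The service entry survived but the file is gone.
            [pscustomobject]@{ Service = $svc.PSChildName; Start = $props.Start
                               Path = $path; Status = 'FileMissing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Service = $svc.PSChildName
                Start   = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                Path    = $path
                Status  = $sig.Status    # NotSigned, HashMismatch, UnknownError, ...
                Signer  = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Assumed heuristic based on the drivers in this thread: random nine-letter
# names with Start=1 (system start), which FRST prints as "S1"/"R1" lines.
# Flagging them first makes the review quicker; it is not a detection on its own.
Get-UnsignedKernelDrivers |
    Select-Object *, @{ n = 'RandomName'; e = { $_.Service -match '^[a-z]{9}$' } } |
    Sort-Object -Property @{ e = 'RandomName'; Descending = $true }, Start, Service |
    Format-Table -AutoSize
```

Run it before and after a fix (FRST's CreateRestorePoint/CloseProcesses sequence above leaves the registry in a state this script can read immediately) and diff the two lists: a driver that reappears under a new random name after removal, as happened between post #8 and post #10, points at a still-running dropper rather than at the driver itself.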

    #11 Andrei0

    Andrei0
    • Topic Starter

    • Members
    • 18 posts
    • OFFLINE
    •  
    • Local time:05:06 PM

    Posted 23 July 2017 - 08:03 AM

    You said no rush is needed for items in Quarantine in Malwarebytes Anti-Malware to be deleted (from Quarantine) so I will wait for you to tell me when to delete them.

     

    Regarding RogueKiller: none of the found items were in red. I assumed you meant the colour of the line's background. A few items have an orange and a few a grey background. Do I delete them anyway? Until I get your answer to this question, I will keep the software open and active on the ''Threats Detected'' part. It took a very long time for the scan to finish, so I am keeping the software open so I don't need to scan again unless you suggest that I do so. The log is in the attachment.

    Attached Files



    #12 nasdaq

    nasdaq

    • Malware Response Team
    • 40,476 posts
    • ONLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:10:06 AM

    Posted 23 July 2017 - 01:00 PM


    Yes remove everything.

    [PUP.Gen2] (X64) HKEY_CLASSES_ROOT\.qmgc -> Found
    [PUP.Ghokswa] (X86) HKEY_LOCAL_MACHINE\Software\Firefox -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3349261695-2154521845-2584642868-1001\Software\IM -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3349261695-2154521845-2584642868-1001\Software\IM -> Found
    [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3349261695-2154521845-2584642868-1001\SOFTWARE\Microsoft\Internet Explorer\Extensions\{086C8477-4F71-4550-87FB-AF0AE8DF3E98} | Exec : C:\Users\Uporabnik\AppData\Roaming\ICQM\icq.exe [x] -> Found
    [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3349261695-2154521845-2584642868-1001\SOFTWARE\Microsoft\Internet Explorer\Extensions\{086C8477-4F71-4550-87FB-AF0AE8DF3E98} | Exec : C:\Users\Uporabnik\AppData\Roaming\ICQM\icq.exe [x] -> Found
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\QMUdisk (\??\C:\Program Files (x86)\Tencent\QQPCMgr\12.2.18347.225\QMUdisk64_ev.sys) -> Found
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\softaal (\??\C:\Program Files (x86)\Tencent\QQPCMgr\12.2.18347.225\softaal64_ev.sys) -> Found
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tsnethlpx64 (\??\C:\Program Files (x86)\Tencent\QQPCMgr\12.2.18347.225\TsNetHlpX64_ev.sys) -> Found
    [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : -> Found
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found

    [PUP.DownloadAssistant][Folder] C:\Users\Uporabnik\AppData\Roaming\DVDVideoSoft -> Found
    [PUP.Ghokswa][Folder] C:\Users\Uporabnik\AppData\Local\Firefox -> Found
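
Added example, not part of nasdaq's reply and not RogueKiller's own code: a read-only PowerShell audit of the three registry findings shown in the report above, so the same conditions can be checked again after cleanup without re-running a full scan. It reads the UAC policy values (the [PUM.Policies] rows, where ConsentPromptBehaviorAdmin = 0 means administrators are elevated without any prompt), the per-user Internet Explorer extension entries (the [Suspicious.Path] rows) and the NlaSvc ManualProxies key (the [PUM.Proxy] row), in both the native 64-bit and the Wow6432Node (X86) views. The function names, and the assumption that the "[x]" marker in RogueKiller's output means the Exec target no longer exists on disk, are mine.

```powershell
# Added example (not from the thread): re-check the UAC policy, IE extension
# and manual-proxy findings from the RogueKiller report. Read-only; run elevated.

function Get-UacPolicyFindings {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        $finding = if ($p.EnableLUA -eq 0) { 'UAC disabled (EnableLUA=0)' }
                   elseif ($p.ConsentPromptBehaviorAdmin -eq 0) { 'Admins elevate silently (ConsentPromptBehaviorAdmin=0)' }
                   else { 'OK' }
        [pscustomobject]@{
            Key                        = $key
            EnableLUA                  = $p.EnableLUA
            ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin   # default is 5
            Finding                    = $finding
        }
    }
}

function Get-IeExtensionFindings {
    # Per-user IE extensions; flag an Exec target that is missing on disk or
    # that lives under the user's AppData (a user-writable location).
    $roots = @(
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Extensions',
        'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($ext in Get-ChildItem $root) {
            $exec = (Get-ItemProperty -Path $ext.PSPath).Exec
            if (-not $exec) { continue }
            $target    = $exec.Trim('"')
            $exists    = Test-Path -LiteralPath $target
            $inAppData = ($target -like "$env:APPDATA*") -or ($target -like "$env:LOCALAPPDATA*")
            if (-not $exists -or $inAppData) {
                [pscustomobject]@{ Key = $ext.PSChildName; Exec = $target
                                   FileExists = $exists; InUserProfile = $inAppData }
            }
        }
    }
}

function Get-ManualProxyFindings {
    # RogueKiller flags this key as [PUM.Proxy]; list whatever values it holds
    # so they can be compared with the proxy the user actually configured.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies'
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS*
    }
}

Get-UacPolicyFindings     | Format-Table -AutoSize
Get-IeExtensionFindings   | Format-Table -AutoSize
Get-ManualProxyFindings   | Format-List
```

The UAC values are read from both registry views because the report above lists the X64 and X86 hits separately; a fix that only corrects one view will still show up in the other. Restoring ConsentPromptBehaviorAdmin is a policy change and is deliberately left out of the script: that belongs in the helper's fix instructions, not in an audit.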



    #13 Andrei0

    Andrei0
    • Topic Starter

    • Members
    • 18 posts
    • OFFLINE
    •  
    • Local time:05:06 PM

    Posted 23 July 2017 - 03:09 PM

    New log is in attachment. I don't see any changes from aspect of malware/viruses yet.

    Attached Files

    • Attached File  a2.txt   2.4MB   1 downloads

    Edited by Andrei0, 23 July 2017 - 05:29 PM.


    #14 nasdaq

    nasdaq

    • Malware Response Team
    • 40,476 posts
    • ONLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:10:06 AM

    Posted 24 July 2017 - 06:42 AM

    My bad, I forgot to give you the link and the instructions to run this tool.

    Malwarebytes Anti-Rootkit

    Please download Malwarebytes Anti-Rootkit BETA from https://www.malwarebytes.com/antirootkit and save it to your Desktop.
    • Right-click on the icon and select Run as administrator to start the extraction of the program;
    • Click Yes to accept the security warning that may appear;
    • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
    • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
    • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
    • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
    • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
    • Please copy and paste the entire content of that log in your next reply;
    If you have any problems running either one, come back and let me know.
    ===

    We will also check your BIOS and Master boot record.

    Read carefully and follow these steps.
    TDSS
    • Download TDSSKiller and save it to your Desktop.
    • Doubleclick on TDSSKiller.exe to run the application.
    • Then click on Start Scan.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
    • ===

      Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
      • Click the "Scan" button to start scan.
      • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
      • Please paste the contents of that log in your next reply.
      There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
      ===



    #15 Andrei0

    Andrei0
    • Topic Starter

    • Members
    • 18 posts
    • OFFLINE
    •  
    • Local time:05:06 PM

    Posted 24 July 2017 - 02:31 PM

    The third file (aswMBR.exe) behaved like a virus or malware on my computer. It produced a blue screen error message twice ( ! ) on two different runs of said exe file and I was forced to shut the computer down by force (electric power OFF). Additionally, it completely changed the locations of each and every icon on the desktop and slowed down my computer even more. Seriously. I had to use the camera of my cell phone to capture that error message (full blue screen error) so I can describe it, because I wasn't able to take a screenshot. The content of the error message produced by the .exe file (I was not able to do an entire scan at all; once it produced the error immediately when starting, once around 1 minute after the scan was started) is:

     

    "Your PC ran into a problem and needs to restart. We're just collecting some error  info and then we'll restart for you. For more information about this issue and [[[i don't know what was here because my camera didn't photo it]]] https://windows.com/stopcode If you call a support person, give them this info: Stop code: DRIVER IRQL_NOT_LESS_OR_EQUAL What failed: aswMBR.sys"

     

    Due to this, basically entire computer is freezing every 30 seconds so I believe I have even more viruses/malware/spyware/worms on computer :tvhorror:

     

    Other two programs, you suggested in your latest reply, worked fine. Attached are logs.

    Attached Files


    Edited by Andrei0, 24 July 2017 - 02:31 PM.




