
Issue with my WebBrowser and unwanted folders are being created


  • This topic is locked
6 replies to this topic

#1 raviremje

raviremje

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:57 AM

Posted 30 August 2017 - 02:34 PM

Virus Removal Logs Forum ~~ boopme

Dear Team,
Whenever I try to access my Chrome, IE or Firefox, some random websites such as http://www.yeadesktopbr.com/ become my homepage. Some pervert dating website ads are always present on my search engine and YouTube page. When I try to open a new tab, it randomly opens a dating ad page.
 
Furthermore, there are many random folders present in my My Computer folder hierarchy. I have pasted the log file, hijackthis.log.
 
Please help me!!
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:06:54, on 30-08-2017
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v10.0 (10.00.9200.17568)
Boot mode: Normal

Running processes:
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Users\Ravindra\AppData\Roaming\BitTorrent\BitTorrent.exe
C:\Users\Ravindra\AppData\Roaming\BitTorrent\updates\7.10.0_43917\bittorrentie.exe
C:\Users\Ravindra\AppData\Roaming\BitTorrent\updates\7.10.0_43917\bittorrentie.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\PROGRA~2\MOZILL~1\firefox.exe
C:\Program Files (x86)\qBittorrent\qbittorrent.exe
C:\Users\Ravindra\Downloads\Computer Clean-Up Kit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.helperbar.com/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxk4KosIJpuVKXvO75LOT4gTZKoXxFxN06ZsbXnhMTk_ASf_p2Ijg99tbjRGo0XCGdxGd4gv02XNS8NKXHaVNUkKgrUkj0CKIB0SseXfZErbqubIXwEdF2PSNajlDSU-2ufAKYuf7fK7UTmQ0YHGGIHJArufoxrM_XcyVu6x6DFI5&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\Windows\System32\Drivers\iexplore.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080;https=127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: Skype for Business Click to Call BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office16\OCHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Microsoft OneDrive for Business Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\PROGRA~2\MICROS~1\Office16\GROOVEEX.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [Redirector] "C:\Program Files (x86)\Citrix\ICA Client\redirector.exe" /startup
O4 - HKCU\..\Run: [pEZUE7jvne.exe] C:\Program Files\Windows Photo Viewer\ML2688LPYZV3C3FTB35Z0P9N7N3N\pEZUE7jvne.exe -r1_5 -r2_1
O4 - HKCU\..\Run: [qg4b1t4bk0g] "C:\Users\Ravindra\AppData\Roaming\dnoeyrhafbz\tudrgggshbe.exe"
O4 - HKCU\..\Run: [4QYQ4UMR16381I5] "C:\Program Files\O0IA4GYVMA\O0IA4GYVM.exe"
O4 - HKCU\..\Run: [3rijpqirged] "C:\Users\Ravindra\AppData\Roaming\cphpxzf2yud\qn50vrkiiet.exe"
O4 - HKCU\..\Run: [DI4NJVF61BMVOV6] "C:\Program Files\XRN6JGRANF\XRN6JGRAN.exe"
O4 - HKCU\..\Run: [ptznybtwirc] "C:\Users\Ravindra\AppData\Roaming\zedv3bc0ytt\ipt3dmgdmcu.exe"
O4 - HKCU\..\Run: [VZSHXWM4N5UAOZC] "C:\Program Files\2S8J5VVF47\FHEYDV1G4.exe"
O4 - HKCU\..\Run: [bn5gmzq33z4] "C:\Users\Ravindra\AppData\Roaming\dpkxk4appb2\oouzl5xviio.exe"
O4 - HKCU\..\Run: [D5PUXWNJG335XEX] "C:\Program Files\XE9EXHZO16\A3FT5G5P1.exe"
O4 - HKCU\..\Run: [p2sasw24cj0] "C:\Users\Ravindra\AppData\Roaming\3ghjegdnvst\2ubambgzhsi.exe"
O4 - HKCU\..\Run: [RUXHEY585A71KBB] "C:\Program Files\PTVWCXMC23\PTVWCXMC2.exe"
O4 - HKCU\..\Run: [2conggmc0bx] "C:\Users\Ravindra\AppData\Roaming\jv2wr0j0lvb\y2pfrnwjpsb.exe"
O4 - HKCU\..\Run: [ZPE8ZKO3WSHE77U] "C:\Program Files\E9RQV5RV28\E9RQV5RV2.exe"
O4 - HKCU\..\Run: [khjn0ytqrvi] "C:\Users\Ravindra\AppData\Roaming\t42qzfzxmp1\xa1pjbyjwvu.exe"
O4 - HKCU\..\Run: [79O3MKUCBNKZQ30] "C:\Program Files\1ECGK8R9MS\YWDW0AZVF.exe"
O4 - HKCU\..\Run: [q3apmm2sspj] "C:\Users\Ravindra\AppData\Roaming\balyng3hwhg\5dq5vvj2wnk.exe"
O4 - HKCU\..\Run: [GxX1iH2ct.exe] C:\Users\Ravindra\AppData\Local\231f3f275b354c8e81d25058597bf686\GxX1iH2ct.exe -r1_1 -r2_2
O4 - HKCU\..\Run: [5K3P2CKN472AY0P] "C:\Program Files\9VJUXGVC1M\9VJUXGVC1.exe"
O4 - HKCU\..\Run: [4Cx3dv2a.exe] C:\Users\Ravindra\AppData\Local\2c729530ad5c42c399703afeeb37a24a\4Cx3dv2a.exe -r1_1 -r2_2
O4 - HKCU\..\Run: [LBcEtnXTMVPHJ.exe] C:\Users\Ravindra\AppData\Local\f3f96c53c4454856ba0c675fbb99edd5\LBcEtnXTMVPHJ.exe -r1_1 -r2_2
O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Lync] "C:\Program Files\Microsoft Office\Office16\lync.exe" /fromrunkey
O4 - HKCU\..\Run: [AH8195J6WMJP269] "C:\Program Files\0MWKBVYHBH\0MWKBVYHB.exe"
O4 - HKCU\..\Run: [BN2K7DQCV1T22LO] "C:\Program Files (x86)\t1idaiohpnr\96R6A.exe"
O4 - HKCU\..\Run: [lb25hak1nr1] "C:\Users\Ravindra\AppData\Roaming\kmeglmhytcx\mhfgrxgmkl2.exe"
O4 - HKCU\..\Run: [FQ23U0LYQXZWBBE] "C:\Program Files\BAQ3TJIVJY\BAQ3TJIVJ.exe"
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: FAH.lnk = C:\Program Files\WinZip\FAHConsole.exe
O4 - Global Startup: Update Notifier.lnk = C:\Program Files\WinZip\WZUpdateNotifier.exe
O4 - Global Startup: WinZip Preloader.lnk = C:\Program Files\WinZip\WzPreloader.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: @%CommonProgramFiles%\Microsoft Shared\Office16\oregres.dll,-430 - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office16\OCHelper.dll
O9 - Extra 'Tools' menuitem: @%CommonProgramFiles%\Microsoft Shared\Office16\oregres.dll,-430 - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office16\OCHelper.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O13 - Gopher Prefix:
O16 - DPF: {414FB93D-DEDD-4FEF-AD7F-167992EBDB52} (SlimClient Class) - https://remoteoffice.lntinfotech.com/sslvpn/SNX/CSHELL/extender.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/WBXclient-T30L10NSP20EP1-10003/webex/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B4220C5-B8C9-436F-A69A-40A07572E70B}: NameServer = 82.163.143.176 82.163.142.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{4084F6F4-DDEE-4BAF-8F5E-27AB0FF76FC3}: NameServer = 82.163.143.176 82.163.142.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE371BBD-C2E6-44C5-9D43-F46CF604D1F4}: NameServer = 82.163.143.176 82.163.142.178
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = browserinfo.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 82.163.143.176 82.163.142.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B4220C5-B8C9-436F-A69A-40A07572E70B}: NameServer = 82.163.143.176 82.163.142.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = browserinfo.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 82.163.143.176 82.163.142.178
O18 - Protocol: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL
O18 - Protocol: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSOXMLMF.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HWDeviceService64.exe - Unknown owner - C:\ProgramData\DatacardService\HWDeviceService64.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PG Manager (pgt_svc) - Gold Click Ltd - C:\Program Files (x86)\ProxyGate\MainService.exe
O23 - Service: Photon. OUC (Photon. RunOuc) - Unknown owner - C:\Program Files (x86)\Photon\Huawei\EC306-1\UpdateDog\ouc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 14495 bytes



Edited by boopme, 30 August 2017 - 07:15 PM.
Moved from Win 8/8.1 to 'Am I infected?'
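As an added example (not code from the thread, from nasdaq or from BleepingComputer), a Python triage script that reads HijackThis-style R1, O4 and O17 lines and flags the patterns visible in the log above: the loopback proxy and local PAC file, Run entries with generated names or generated directory names, the DNS suffix search list, and static resolvers outside private address space. The sample lines are constructed from entries in this log; the name heuristic and its thresholds are assumptions, not HijackThis behaviour.

```python
# Added example for this thread: flag hijack indicators in HijackThis-style
# R1 / O4 / O17 lines.  Name heuristics and thresholds are assumptions.
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed sample, modelled on entries from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\Windows\System32\Drivers\iexplore.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080;https=127.0.0.1:8080
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [qg4b1t4bk0g] "C:\Users\Ravindra\AppData\Roaming\dnoeyrhafbz\tudrgggshbe.exe"
O4 - HKCU\..\Run: [GxX1iH2ct.exe] C:\Users\Ravindra\AppData\Local\231f3f275b354c8e81d25058597bf686\GxX1iH2ct.exe -r1_1 -r2_2
O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = browserinfo.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 82.163.143.176 82.163.142.178
"""

VOWELS = set("aeiouAEIOU")
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\]\s*(?P<value>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|bat|dll))', re.IGNORECASE)

def looks_random(token: str) -> bool:
    """Assumed heuristic: 10+ alphanumeric chars that mix in digits or have
    under 30% vowels (dnoeyrhafbz, O0IA4GYVMA yes; SunJavaUpdateSched no)."""
    token = re.sub(r"\.(exe|dll|bat)$", "", token, flags=re.IGNORECASE)
    if len(token) < 10 or not token.isalnum():
        return False
    if any(c.isdigit() for c in token):
        return True
    return sum(c in VOWELS for c in token) / len(token) < 0.3

def check_r1(body: str) -> str:
    """IE/WinINet settings: a loopback proxy or a local PAC file means every
    browser request is routed through something the malware controls."""
    key, _, value = body.partition(" = ")
    if key.endswith("ProxyServer") and re.search(r"127\.0\.0\.1|localhost", value):
        return "proxy routed through loopback"
    if key.endswith("AutoConfigURL") and value.lower().startswith("file://"):
        return "proxy auto-config loaded from a local file"
    return ""

def check_o4(body: str) -> str:
    """Run-key entries whose value name or target directory looks generated,
    like the many HKCU Run entries in the log above."""
    m = O4_RE.match(body)
    if not m:
        return ""  # Startup-folder O4 entries have another layout; skipped
    reasons = []
    if looks_random(m.group("name")):
        reasons.append("random-looking value name")
    pm = PATH_RE.search(m.group("value"))
    if pm:
        directories = pm.group(1).split("\\")[1:-1]  # drop drive and file name
        if any(looks_random(d) for d in directories):
            reasons.append("random-looking directory in target path")
    return "; ".join(reasons)

def check_o17(body: str) -> str:
    """TCP/IP parameters: a DNS suffix search list, or static resolvers outside
    private address space replacing the DHCP ones (confirm against the ISP)."""
    key, _, value = body.partition(" = ")
    if key.endswith("SearchList"):
        return "DNS suffix search list set to " + value
    if key.endswith("NameServer"):
        try:
            public = [a for a in value.split() if ipaddress.ip_address(a).is_global]
        except ValueError:
            return "NameServer is not a plain address list: " + value
        if public:
            return "static resolvers outside private address space: " + " ".join(public)
    return ""

CHECKS: Dict[str, Callable[[str], str]] = {"R1": check_r1, "O4": check_o4, "O17": check_o17}

def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per suspicious line: section, reason and the original line."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = CHECKS.get(section, lambda _: "")(body)
        if reason:
            findings.append({"section": section, "reason": reason, "line": raw.strip()})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run against a full saved log, the legitimate Java, Citrix and IDM entries pass while the generated Run entries, the proxy settings and the DNS changes are listed for review.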



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:57 AM

Posted 31 August 2017 - 07:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

HijackThis is no longer supported and is not ready for your operating system.
I suggest you remove it via the Control Panel > Programs > Programs and Features.
Use the Farbar Recovery Scan Tool from now on to report problems.
<<<>>>


Step 1: Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Step 2: Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Step 3: Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
(screenshot: attachlogs.png)

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.
==============================

#3 raviremje

raviremje
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:57 AM

Posted 31 August 2017 - 04:22 PM

Thanks Team,

 

As suggested I have followed all the steps. Attaching the respective log files of the same.




#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:57 AM

Posted 01 September 2017 - 08:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Windows Firewall is disabled.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Hosts:


HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [pEZUE7jvne.exe] => C:\Program Files\Windows Photo Viewer\ML2688LPYZV3C3FTB35Z0P9N7N3N\pEZUE7jvne.exe -r1_5 -r2_1
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [qg4b1t4bk0g] => "C:\Users\Ravindra\AppData\Roaming\dnoeyrhafbz\tudrgggshbe.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [ptznybtwirc] => "C:\Users\Ravindra\AppData\Roaming\zedv3bc0ytt\ipt3dmgdmcu.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [bn5gmzq33z4] => "C:\Users\Ravindra\AppData\Roaming\dpkxk4appb2\oouzl5xviio.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [p2sasw24cj0] => "C:\Users\Ravindra\AppData\Roaming\3ghjegdnvst\2ubambgzhsi.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [2conggmc0bx] => "C:\Users\Ravindra\AppData\Roaming\jv2wr0j0lvb\y2pfrnwjpsb.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [khjn0ytqrvi] => "C:\Users\Ravindra\AppData\Roaming\t42qzfzxmp1\xa1pjbyjwvu.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [q3apmm2sspj] => "C:\Users\Ravindra\AppData\Roaming\balyng3hwhg\5dq5vvj2wnk.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [GxX1iH2ct.exe] => C:\Users\Ravindra\AppData\Local\231f3f275b354c8e81d25058597bf686\GxX1iH2ct.exe -r1_1 -r2_2
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [4Cx3dv2a.exe] => C:\Users\Ravindra\AppData\Local\2c729530ad5c42c399703afeeb37a24a\4Cx3dv2a.exe -r1_1 -r2_2
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [LBcEtnXTMVPHJ.exe] => C:\Users\Ravindra\AppData\Local\f3f96c53c4454856ba0c675fbb99edd5\LBcEtnXTMVPHJ.exe -r1_1 -r2_2
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [BN2K7DQCV1T22LO] => "C:\Program Files (x86)\t1idaiohpnr\96R6A.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\Run: [lb25hak1nr1] => "C:\Users\Ravindra\AppData\Roaming\kmeglmhytcx\mhfgrxgmkl2.exe"
FF user.js: detected! => C:\Users\Ravindra\AppData\Roaming\Mozilla\Firefox\Profiles\bw4xxbvk.default-1483896164242\user.js [2017-07-12]
CHR HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [gccplojjfpdbeidicabkegekmcplafee] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hkdmihdclhhoghpojiifklmegjnjkdlh] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ikdlehiegikpggplngbmpdgnidekfmjn] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gccplojjfpdbeidicabkegekmcplafee] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hkdmihdclhhoghpojiifklmegjnjkdlh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ikdlehiegikpggplngbmpdgnidekfmjn] - hxxps://clients2.google.com/service/update2/crx
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Dopig\Application\chrome.exe <==== ATTENTION
R2 WinUpdateSrv; C:\ProgramData\Package Cache\{137DE25F-7C3C-DEFE-C45B-990088714B67}v12.2.2793.254\Update\install.dll [104448 2017-05-05] () [File not signed]


CustomCLSID: HKU\S-1-5-21-3747097417-3459733374-1063093042-1001_Classes\CLSID\{CE38C5EA-EA8D-11DE-82CF-001731059680}\InprocServer32 -> C:\Users\Ravindra\AppData\Local\PKI Client\4\64\nptblive-4-x86_64.dll => No File
Task: {90A31690-2572-49F9-BA79-B259DC7B945F} - System32\Tasks\{422E503B-ABCC-4E84-AEBD-AC8933A86E8B} => C:\Windows\system32\pcalua.exe -a C:\Windows\11e9a025314a4f947521d89db522a0c6.exe
Task: {A48CD1A1-A8FC-4B10-81F9-DC63479ED1DD} - System32\Tasks\lByhLhSeY9 => C:\Program Files (x86)\aTfVLUvemt\updengine.exe <==== ATTENTION
WMI_ActiveScriptEventConsumer_ASEC: <==== ATTENTION
Shortcut: C:\Users\Ravindra\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\50691f4194389907\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Dopig\Application\chrome.bat (No File)
Shortcut: C:\Users\Ravindra\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\3ea9b03f7eb2643e\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Dopig\Application\chrome.bat (No File)
Shortcut: C:\Users\Ravindra\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\360c22b137d62ce9\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Dopig\Application\chrome.bat (No File)
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\Ravindra\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktopbr.com/
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\Ravindra\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktopbr.com/

C:\Windows\System32\Tasks\{422E503B-ABCC-4E84-AEBD-AC8933A86E8B}
C:\Windows\11e9a025314a4f947521d89db522a0c6.exe
C:\Windows\System32\Tasks\lByhLhSeY9
C:\Program Files (x86)\aTfVLUvemt
C:\Program Files\Windows Photo Viewer\ML2688LPYZV3C3FTB35Z0P9N7N3N
C:\Users\Ravindra\AppData\Local\231f3f275b354c8e81d25058597bf686
C:\Users\Ravindra\AppData\Local\2c729530ad5c42c399703afeeb37a24a
C:\Users\Ravindra\AppData\Local\f3f96c53c4454856ba0c675fbb99edd5
C:\ProgramData\Package Cache\{137DE25F-7C3C-DEFE-C45B-990088714B67}v12.2.2793.254

HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "OA9T62ZE3R"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "RLQK2C80A4"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "VU5MP8K2RR"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "E7JM614ALN"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "U18CECFJIE"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "V4VUJ7HVVY"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "3JF8RJJ3UR"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "17KDHYCF7F"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "ENQ7DUMDVQ"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "G6JEPXH56X"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "3R0XPEPOV0"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "WT90BTRYNK"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "BZBI220FPF"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "66CA82DY8O"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "R7ARETMPQ3"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "RP71AWLJVW"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "TV97MU6TYY"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "ZFLOEB4YGQ"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "LP6MVQ8ZFL"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "7YKKORTK0N"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "4M9PE65DFR"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "OVIXICFNKS"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "WNPAMRWSYX"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "EAXI28W1PX"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "RHVRBVXSQQ"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "25S1VH2MXN"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "O9O3NVNL6Z"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "AKFELJI55E"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "P56GYVXBYL"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "V5AOHPF0GN"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "8QW2K8ZUAJ"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "HW8CHN3D8F"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "BTH13IWLP4"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "8SA5A4SBOC"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "0LQF0KLDOJ"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "FN7Y0AVUNK"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "7Y71JBLFPN"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "5FY3FTWA7Z"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "6E7EKDNWOE"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "GH4A1HJ5RR"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "P2VZH6P8CN"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "KD5FT67D7Q"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "N0UK0VR2N6"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "L67E41WZM3"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "GF020VKXZ1"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "WV32YZJGO9"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "TDLEXRX6Y6"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "MFSPMBZF82"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "Y85DQ2AVF7"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "EQNFRCREXO"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "2T9LE3LB2I"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "6HDVHQSI58"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "N5377HH7IA"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "482FQCNG48"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "1F2EPPMDLU"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "KJE6GTTR2G"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "WM3VNG3XK9"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "FNU0P9GMY7"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "V0U2QP6DVS"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "R2Q8OKAKNV"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "4EXANXO4U3"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "J5B501K844"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "BY0Z8F6R4M"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "TMZU0PBCZN"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "6KLKEKT0E9"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "9OXXQOE6QS"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "Z7H81N2GIK"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "MNSJBWSGC2"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "R7HQTOXSLM"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "NW3ZTNH6DL"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "O6FCFPBEAK"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "GIXX646NO9"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "359RDKSJZO"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "8H69FSK9WE"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "QNKOL83KUD"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "RQ8HETJLSV"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "HCW4LBDP0D"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "AKKM4TQ7X4"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "YV4G8MI9B5"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "AXUYGN1SD5"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "KGY94POWVR"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "2LQ9MA6TEO"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "VI5SYHECDX"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "3N7HF8U13I"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "IQSI0W3BAZ"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "OP2E4Q7XPV"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "FLW4C0TNMD"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "EWU5EADHGH"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "71LHR5NCOV"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "LYHGPX17LN"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "K3PFXP1CGR"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "49N0HHGTG2"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "XZ0DNQ29QI"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "KT0BH83H62"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "JORCMI5FK0"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "G1IX0G0722"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "VKQ10O1NWM"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "059IYQH0HN"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "ZQUWQYDMF4"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "6279FHJLZ4"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "HNC0RB5H30"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "43XQOY80PQ"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "SSFZXYFRVJ"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "P2L6Q5J3L0"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "X95M0JOAEG"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "79O3MKUCBNKZQ30"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "ZPE8ZKO3WSHE77U"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "RUXHEY585A71KBB"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "bn5gmzq33z4"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "ptznybtwirc"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "3rijpqirged"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "qg4b1t4bk0g"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "GxX1iH2ct.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "5K3P2CKN472AY0P"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "q3apmm2sspj"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "khjn0ytqrvi"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "2conggmc0bx"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "p2sasw24cj0"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "D5PUXWNJG335XEX"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "VZSHXWM4N5UAOZC"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "4QYQ4UMR16381I5"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "pEZUE7jvne.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "LBcEtnXTMVPHJ.exe"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "AH8195J6WMJP269"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "BN2K7DQCV1T22LO"
HKU\S-1-5-21-3747097417-3459733374-1063093042-1001\...\StartupApproved\Run: => "FQ23U0LYQXZWBBE"


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download Zemana AntiMalware and save it to your Desktop.
- You need to unzip it and start it.
- Without changing any options, press Scan to begin.
After the short scan is finished, if threats are detected press Next to remove them.

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

- Open Zemana AntiMalware again.
- Click on the icon and double-click the latest report.
- Now click File > Save As and choose your Desktop before pressing Save.
The only thing left is to attach the saved report in your next message.
---

Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/
====

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 101 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)

Please post the logs and let me know what problem persists.
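As an added, read-only audit example (not part of this thread, and not FRST or Zemana code), the following PowerShell lists the current user's Run and StartupApproved\Run values and flags names that look machine-generated, like the dozens of random ten- to fifteen-character entries in the fixlist above. The registry paths are the standard Windows ones; the naming heuristic and its thresholds are my own assumptions, so treat a "REVIEW" flag as a prompt to inspect, not as a verdict.

```powershell
# Added example: audit per-user startup entries for random-looking names.
# Read-only: it only reads the registry and prints a report.

$Keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
)

# Heuristic (assumption, tuned to the names seen in the fixlist above):
#  - a value name that is just a bare executable filename is unusual; vendors
#    normally register a product name, not "something.exe";
#  - a 9- to 15-character alphanumeric name containing at least one digit
#    (e.g. 10 upper-case chars + digits, 11 lower-case chars + digits) is
#    typical of generated persistence names and rare for real products.
function Test-RandomName {
    param([string]$Name)
    if ($Name -match '\.exe$') { return $true }
    if ($Name -notmatch '^[A-Za-z0-9]{9,15}$') { return $false }
    return ($Name -match '\d')
}

# StartupApproved values are binary blobs; the first byte records whether the
# entry is enabled (0x02) or disabled by the user (0x03). Anything else is
# reported as unknown rather than guessed.
function Get-ApprovedState {
    param($Value)
    if ($Value -is [byte[]] -and $Value.Length -gt 0) {
        switch ($Value[0]) { 2 { 'enabled' } 3 { 'disabled' } default { 'unknown' } }
    } else { '' }
}

foreach ($key in $Keys) {
    if (-not (Test-Path $key)) { continue }
    "`n== $key"
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        $flag  = if (Test-RandomName $p.Name) { 'REVIEW' } else { 'ok' }
        $state = Get-ApprovedState $p.Value
        '{0,-7} {1,-9} {2}' -f $flag, $state, $p.Name
    }
}
```

Run it as the affected user, not elevated, since the entries of interest live under HKCU; compare any flagged name against the matching Run value's command line before deciding what to remove.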

#5 nasdaq

  • Malware Response Team
  • 40,736 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 07 September 2017 - 09:21 AM

Are you still with me?

#6 raviremje

  • Topic Starter
  • Members
  • 3 posts

Posted 11 September 2017 - 07:31 AM

Hi,

I am really sorry for replying so late. Have been busy. So I have attached the fixlog.txt as suggested.

Attached File: Fixlog.txt (62.14KB)



#7 nasdaq

  • Malware Response Team
  • 40,736 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 11 September 2017 - 07:57 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
