
InstallShield Virus


  • This topic is locked
4 replies to this topic

#1 KuyaJaaam

KuyaJaaam

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:26 AM

Posted 29 September 2017 - 11:33 AM

Hello,
My computer is restarting unexpectedly, maybe because of CPU usage, because I found InstallShield in my Task Manager. I didn't install InstallShield on my computer, but it was there. I tried to delete its directory, but after deleting it I can't browse in any browser; it said No Internet Connection. I also tried ending it through Task Manager, same problem: I can't browse in any browser, so that's why I'm convinced that the restart problem of my PC is because of this InstallShield. I found the thread before https://www.bleepingcomputer.com/forums/t/637950/installshield-malwarepossibly-rootkit/ and I think it's fixed.

 

Farbar Recovery Scan Tool Result:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-09-2017 01
Ran by James (administrator) on TRAVIS (30-09-2017 00:25:09)
Running from C:\Users\James\Downloads\Programs
Loaded Profiles: James (Available Profiles: James)
Platform: Microsoft Windows 7 Ultimate  (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(InstallShield®) C:\Program Files\Common Files\InstallShield\Update\ISUSPM.exe
(Wondershare) C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IDMan.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IEMonitor.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OFFICE12\Office Setup Controller\SETUP.EXE
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2137744 2016-10-08] (Wondershare)
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [7684824 2017-09-08] (Piriform Ltd)
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\...\Run: [IDMan] => C:\Program Files\Internet Download Manager\IDMan.exe [4015216 2016-12-15] (Tonec Inc.)
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <==== ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080;
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.8.1 192.168.8.1
Tcpip\..\Interfaces\{28388CD3-F0D6-40AB-B3F1-56A1D0FD61E3}: [DhcpNameServer] 192.168.8.1 192.168.8.1
Tcpip\..\Interfaces\{6F965574-A44C-4879-8BDE-1E253D2E20CF}: [DhcpNameServer] 8.8.8.8 8.8.4.4
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080;
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyEtCtDtG0A0EyE0FtGyB0ByDtAyCyDtAtBtDyCtC0E2QtN0A0LzuyE%26cr%3D648960488%26a%3Dwbf_ir_17_31%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyEtCtDtG0A0EyE0FtGyB0ByDtAyCyDtAtBtDyCtC0E2QtN0A0LzuyE%26cr%3D648960488%26a%3Dwbf_ir_17_31%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyEtCtDtG0A0EyE0FtGyB0ByDtAyCyDtAtBtDyCtC0E2QtN0A0LzuyE%26cr%3D648960488%26a%3Dwbf_ir_17_31%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyEtCtDtG0A0EyE0FtGyB0ByDtAyCyDtAtBtDyCtC0E2QtN0A0LzuyE%26cr%3D648960488%26a%3Dwbf_ir_17_31%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-382865111-2993243812-2193682747-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyEtCtDtG0A0EyE0FtGyB0ByDtAyCyDtAtBtDyCtC0E2QtN0A0LzuyE%26cr%3D648960488%26a%3Dwbf_ir_17_31%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-382865111-2993243812-2193682747-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyEtCtDtG0A0EyE0FtGyB0ByDtAyCyDtAtBtDyCtC0E2QtN0A0LzuyE%26cr%3D648960488%26a%3Dwbf_ir_17_31%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll [2016-12-11] (Internet Download Manager, Tonec Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2008-10-25] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_144\bin\ssv.dll [2017-08-06] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-08-06] (Oracle Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2008-10-25] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF DefaultProfile: 9m0qj0w8.default
FF ProfilePath: C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\9m0qj0w8.default [2017-09-30]
FF Extension: (Privacy Badger) - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\9m0qj0w8.default\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2017-09-11]
FF Extension: (Adblock Plus) - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\9m0qj0w8.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-09-11]
FF HKU\S-1-5-21-382865111-2993243812-2193682747-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\James\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\James\AppData\Roaming\IDM\idmmzcc5 [2017-09-30] [not signed]
FF HKU\S-1-5-21-382865111-2993243812-2193682747-1000\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files\Internet Download Manager\idmmzcc2.xpi [2016-11-16]
FF Plugin: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-08-06] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-08-06] (Oracle Corporation)
FF Plugin: @t.garena.com/garenatalk -> C:\Program Files\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-05] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-05] (Google Inc.)
 
Chrome: 
=======
CHR DefaultSearchURL: Default -> hxxp://srch.bar/{searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms}
CHR Profile: C:\Users\James\AppData\Local\Google\Chrome\User Data\Default [2017-09-30]
CHR Extension: (Google Drive) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-05]
CHR Extension: (YouTube) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-07-05]
CHR Extension: (Message Cleaner) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcanahkfmlgbgmnjlcmpmjcmbldniele [2017-09-11]
CHR Extension: (Word Online) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiombgjlkfpdpkbhfioofeeinbehmajg [2017-08-01]
CHR Extension: (BrowserStack Local) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfiddfehmfdojjfdpfngagldgaaafcfo [2017-09-28]
CHR Extension: (IDM Integration Module) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2017-09-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-11]
CHR Extension: (Gmail) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-07-05]
CHR Extension: (Chrome Media Router) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-09-16]
CHR Profile: C:\Users\James\AppData\Local\Google\Chrome\User Data\System Profile [2017-09-30]
CHR HKLM\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2016-12-15]
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 InventoriaService; C:\Program Files\NCH Software\Inventoria\inventoria.exe [1788648 2016-09-13] (NCH Software)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [35288 2013-08-22] (The OpenVPN Project)
S3 wdm_usb; C:\Windows\System32\DRIVERS\usb2ser.sys [128704 2016-08-16] (MBB)
S3 GGSAFERDriver; \??\C:\Program Files\Garena Plus\Room\safedrv.sys [X]
S4 IUFileFilter; \??\C:\Program Files\IObit\IObit Uninstaller\drivers\win7_x86\IUFileFilter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-09-30 00:25 - 2017-09-30 00:25 - 000000000 ____D C:\FRST
2017-09-30 00:18 - 2017-09-30 00:18 - 000109608 _____ C:\Users\James\AppData\Local\GDIPFONTCACHEV1.DAT
2017-09-29 23:51 - 2017-09-29 23:51 - 000000000 ____D C:\Users\James\AppData\Local\ElevatedDiagnostics
2017-09-28 20:16 - 2017-09-28 20:16 - 000000000 ____D C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
2017-09-28 19:03 - 2017-09-28 19:03 - 000013604 _____ C:\Users\James\Downloads\2.3.json
2017-09-28 18:55 - 2017-09-28 18:55 - 000008535 _____ C:\Users\James\Downloads\v2.3 (1).json
2017-09-28 16:56 - 2017-09-28 16:56 - 000000000 ____D C:\Users\James\Documents\a
2017-09-28 16:07 - 2017-09-28 16:07 - 000015168 _____ C:\Users\James\Downloads\mendoza_sarah_02848992.pdf
2017-09-27 21:48 - 2017-09-27 21:48 - 000008535 _____ C:\Users\James\Downloads\v2.3.json
2017-09-27 20:37 - 2017-09-27 20:37 - 000013604 _____ C:\Users\James\Desktop\2.3.json
2017-09-23 17:41 - 2017-09-23 17:41 - 000000000 ____D C:\Users\James\AppData\Roaming\Ethereum
2017-09-23 17:40 - 2017-09-23 17:43 - 000000000 ____D C:\Users\James\AppData\Roaming\Mist
2017-09-23 17:40 - 2017-09-23 17:40 - 000000000 ____D C:\Users\James\Downloads\Mist-win32-0-9-0
2017-09-23 17:39 - 2017-09-23 17:40 - 055716992 _____ C:\Users\James\Downloads\Mist-win32-0-9-0.zip
2017-09-21 23:58 - 2017-09-21 23:58 - 000092736 _____ C:\Users\James\Downloads\HTOWERT.TTF
2017-09-21 20:06 - 2017-09-21 20:06 - 000000000 ____D C:\Program Files\Lame For Audacity
2017-09-21 19:40 - 2017-09-21 20:07 - 000000000 ____D C:\Users\James\Documents\Audacity
2017-09-21 19:36 - 2017-09-22 04:00 - 000000000 ____D C:\Users\James\AppData\Roaming\audacity
2017-09-21 19:36 - 2017-09-21 19:36 - 000000000 ____D C:\Users\James\AppData\Local\Audacity
2017-09-21 19:30 - 2017-09-21 19:35 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acoustica MP3 Audio Mixer
2017-09-21 19:30 - 2005-04-01 21:06 - 000000000 _____ C:\Windows\wmsysprx.prx
2017-09-21 18:33 - 2017-09-21 18:33 - 000000040 ____H C:\375ED13EC869
2017-09-21 18:32 - 2017-09-21 18:32 - 000000000 ____D C:\Users\James\Desktop\phanmemtop.net PhotoshopPortable_13x86
2017-09-21 18:31 - 2017-09-21 18:24 - 133585717 ____N C:\Users\James\Desktop\phanmemtop.net PhotoshopPortable_13x86.rar
2017-09-21 18:00 - 2017-09-30 00:03 - 000000000 ____D C:\Users\James\AppData\Roaming\DMCache
2017-09-21 18:00 - 2017-09-21 18:00 - 000000979 _____ C:\Users\James\Desktop\Internet Download Manager.lnk
2017-09-21 18:00 - 2017-09-21 18:00 - 000000000 ____D C:\Users\James\Downloads\IDM 6.27 build 2 Setup + Universal _
2017-09-21 18:00 - 2017-09-21 18:00 - 000000000 ____D C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2017-09-21 18:00 - 2017-09-21 18:00 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2017-09-21 18:00 - 2017-09-21 18:00 - 000000000 ____D C:\ProgramData\IDM
2017-09-21 17:59 - 2017-09-21 17:59 - 007360379 _____ C:\Users\James\Downloads\IDM 6.27 build 2 Setup + Universal _.rar
2017-09-21 17:44 - 2017-09-28 19:13 - 000000000 ____D C:\ProgramData\ProductData
2017-09-21 17:43 - 2017-09-21 17:44 - 000000000 ____D C:\Users\James\AppData\LocalLow\IObit
2017-09-21 17:43 - 2017-09-21 17:43 - 000000000 ____D C:\Program Files\Common Files\IObit
2017-09-21 17:42 - 2017-09-30 00:06 - 000000000 ____D C:\Program Files\IObit
2017-09-21 17:42 - 2017-09-21 17:54 - 000000000 ____D C:\Program Files\CCleaner
2017-09-21 17:42 - 2017-09-21 17:42 - 000000965 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-09-21 17:42 - 2017-09-21 17:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-09-21 17:41 - 2017-09-29 23:19 - 000000000 ____D C:\Users\James\AppData\Roaming\IObit
2017-09-21 17:41 - 2017-09-21 17:44 - 000000000 ____D C:\ProgramData\IObit
2017-09-21 17:38 - 2017-09-28 18:13 - 000000000 ____D C:\Users\James\Downloads\Compressed
2017-09-21 17:38 - 2017-09-21 17:38 - 000000000 ____D C:\Users\James\Downloads\Video
2017-09-21 17:37 - 2017-09-30 00:24 - 000000000 ____D C:\Users\James\AppData\Roaming\IDM
2017-09-21 16:58 - 2017-09-21 17:00 - 000008241 _____ C:\Users\James\Downloads\v2.1.json
2017-09-21 16:58 - 2017-09-21 16:59 - 000008544 _____ C:\Users\James\Downloads\2.2.json
2017-09-21 02:31 - 2017-09-27 22:42 - 000043456 _____ C:\Users\James\Documents\starburn.txt
2017-09-21 02:31 - 2017-09-21 02:31 - 000000000 ____D C:\Users\James\AppData\Local\Wondershare
2017-09-21 02:31 - 2017-09-21 02:31 - 000000000 ____D C:\ProgramData\Wondershare
2017-09-21 02:31 - 2017-09-21 02:31 - 000000000 ____D C:\Program Files\Common Files\Wondershare
2017-09-21 02:30 - 2017-09-21 02:30 - 000001187 _____ C:\Users\Public\Desktop\Wondershare Filmora.lnk
2017-09-21 02:30 - 2017-09-21 02:30 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
2017-09-21 02:28 - 2017-09-21 02:55 - 000000000 ____D C:\Users\James\Documents\Wondershare Filmora
2017-09-21 02:25 - 2017-09-21 04:30 - 000000000 ____D C:\ProgramData\Wondershare Video Editor
2017-09-21 02:25 - 2017-09-21 02:25 - 000000000 ____D C:\Program Files\Wondershare
2017-09-21 02:24 - 2017-09-21 02:31 - 000000000 ____D C:\Users\Public\Documents\Wondershare
2017-09-21 02:05 - 2017-09-30 00:16 - 000000000 ____D C:\Program Files\Internet Download Manager
2017-09-21 01:51 - 2017-09-21 01:53 - 000000000 ____D C:\Users\James\Desktop\Sony Vegas
2017-09-19 03:08 - 2017-09-19 03:08 - 000000000 ____D C:\Users\James\AppData\Roaming\Litecoin
2017-09-18 22:46 - 2017-09-19 01:03 - 000000000 ____D C:\Users\James\Downloads\Excel Files
2017-09-18 22:06 - 2017-09-18 22:06 - 000000165 ____H C:\Users\James\Downloads\~$VPN (1).xlsx
2017-09-16 14:16 - 2017-09-16 14:17 - 000000000 ____D C:\Program Files\TAP-Windows
2017-09-14 23:57 - 2017-09-15 01:53 - 000000000 ____D C:\Users\James\Documents\sample
2017-09-13 16:15 - 2017-09-13 16:15 - 000000000 ____D C:\Users\James\Documents\Juancash
2017-09-12 22:25 - 2017-09-12 22:25 - 002565379 _____ C:\Users\James\Documents\huhu.zip
2017-09-12 17:15 - 2017-09-13 00:44 - 000001456 _____ C:\Users\James\AppData\Local\Adobe Save for Web 13.0 Prefs
2017-09-12 16:44 - 2017-09-13 19:15 - 000000132 _____ C:\Users\James\AppData\Roaming\Adobe PNG Format CS6 Prefs
2017-09-12 11:19 - 2017-09-12 11:19 - 000000000 ____D C:\Users\James\AppData\LocalLow\Adobe
2017-09-12 11:03 - 2017-09-12 11:03 - 000000000 ____D C:\Program Files\Photoshop
2017-09-11 23:21 - 2017-09-12 00:03 - 000000000 ____D C:\Users\James\Documents\New folder (2)
2017-09-11 22:21 - 2017-09-28 19:31 - 000002141 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-09-11 22:21 - 2017-09-28 19:31 - 000002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-09-02 00:17 - 2017-09-02 00:17 - 000000000 ____D C:\Users\James\Downloads\Login-Signup-PDO-OOP
2017-09-01 23:58 - 2017-09-02 00:12 - 000000000 ____D C:\Chrome dev session
2017-08-31 22:41 - 2017-09-02 00:12 - 000000000 ____D C:\Users\James\Downloads\Themes
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-09-30 00:20 - 2009-07-14 12:34 - 000009584 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-09-30 00:20 - 2009-07-14 12:34 - 000009584 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-09-30 00:18 - 2017-08-11 16:32 - 000000374 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2017-09-30 00:18 - 2017-07-05 03:38 - 000000000 ____D C:\Users\James
2017-09-30 00:18 - 2009-07-14 12:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-09-30 00:17 - 2017-08-02 08:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2017-09-30 00:16 - 2017-08-13 23:20 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN
2017-09-30 00:16 - 2017-08-06 19:06 - 000000000 ____D C:\Program Files\Common Files\InstallShield
2017-09-30 00:16 - 2017-08-05 19:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EpicBot
2017-09-30 00:16 - 2017-08-05 19:17 - 000000000 ____D C:\Program Files\Common Files\53300f040fad6e0efbd6277be782f9c5
2017-09-30 00:16 - 2017-08-02 08:12 - 000000000 ____D C:\Program Files\Microsoft Works
2017-09-30 00:16 - 2017-08-02 08:11 - 000000000 ____D C:\Program Files\Microsoft Visual Studio
2017-09-30 00:16 - 2017-08-02 08:11 - 000000000 ____D C:\Program Files\Common Files\DESIGNER
2017-09-30 00:16 - 2017-08-02 08:07 - 000000000 ____D C:\Program Files\Microsoft Visual Studio 8
2017-09-30 00:16 - 2017-08-02 08:06 - 000000000 ____D C:\Program Files\Microsoft Office
2017-09-30 00:16 - 2017-08-02 08:05 - 000000000 __RHD C:\MSOCache
2017-09-30 00:16 - 2017-07-05 19:50 - 000000000 ____D C:\Windows\pss
2017-09-30 00:16 - 2009-07-14 15:49 - 000000000 ____D C:\Windows\ShellNew
2017-09-30 00:16 - 2009-07-14 12:52 - 000000000 ____D C:\Program Files\MSBuild
2017-09-30 00:16 - 2009-07-14 10:37 - 000000000 ____D C:\Windows\system32\NDF
2017-09-30 00:16 - 2009-07-14 10:37 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2017-09-30 00:15 - 2009-07-14 10:37 - 000000000 ____D C:\Windows\registration
2017-09-29 23:19 - 2017-08-05 19:18 - 000000000 ____D C:\Program Files\EpicBot
2017-09-29 23:18 - 2009-07-14 10:37 - 000000000 ____D C:\Windows\inf
2017-09-28 17:05 - 2017-07-13 02:06 - 000000000 ____D C:\My Web Sites
2017-09-27 21:41 - 2017-07-12 23:49 - 000000600 _____ C:\Users\James\AppData\Roaming\winscp.rnd
2017-09-22 05:48 - 2017-07-05 19:20 - 000000000 ____D C:\Windows\Panther
2017-09-22 02:52 - 2009-07-14 12:53 - 000032624 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-09-22 00:35 - 2017-07-05 03:40 - 000006354 _____ C:\Windows\system32\PerfStringBackup.INI
2017-09-22 00:25 - 2009-07-14 12:33 - 000411784 _____ C:\Windows\system32\FNTCACHE.DAT
2017-09-16 18:00 - 2017-07-19 01:52 - 000000000 ____D C:\xampp
2017-09-16 17:59 - 2017-07-07 23:28 - 000000000 ____D C:\Users\James\AppData\Roaming\Spotify
2017-09-16 15:05 - 2017-07-12 18:40 - 000000600 _____ C:\Users\James\AppData\Local\PUTTY.RND
2017-09-16 15:00 - 2017-07-18 23:55 - 000000000 ____D C:\Users\James\Documents\JuanVPN
2017-09-16 02:07 - 2017-07-26 19:02 - 000000000 ____D C:\Program Files\Garena Plus
2017-09-15 20:53 - 2017-08-25 00:13 - 000000000 ____D C:\Users\James\Desktop\PROJECT
2017-09-12 12:19 - 2017-08-16 00:33 - 000000000 ____D C:\Users\James\.runiqueprefs
2017-09-12 12:19 - 2017-07-28 21:03 - 000000000 ____D C:\.jagex_cache_32
2017-09-12 12:19 - 2017-07-26 19:03 - 000000000 ____D C:\Users\James\AppData\Roaming\GarenaPlus
2017-09-12 12:19 - 2017-07-26 19:02 - 000000000 ____D C:\ProgramData\GarenaMessenger
2017-09-12 12:19 - 2017-07-12 18:23 - 000000000 ____D C:\JuanVPN
2017-09-12 12:19 - 2009-07-14 10:37 - 000000000 ____D C:\Windows\servicing
2017-09-12 12:18 - 2017-08-30 01:17 - 000000000 ____D C:\Program Files\JuanVPN
2017-09-12 12:18 - 2017-08-26 02:27 - 000000000 ____D C:\Program Files\ComposerSetup
2017-09-12 12:18 - 2017-08-22 13:20 - 000000000 ____D C:\Users\James\AppData\Local\SSTap-beta
2017-09-12 08:40 - 2017-07-28 20:46 - 000000000 ____D C:\Users\James\AppData\Local\Jagex
2017-09-12 08:40 - 2017-07-28 20:42 - 000000000 ____D C:\ProgramData\Jagex
2017-09-11 22:22 - 2017-07-24 02:23 - 000000000 ____D C:\Users\James\AppData\LocalLow\Mozilla
2017-09-11 22:21 - 2017-07-05 03:59 - 000000000 ____D C:\Program Files\Google
2017-09-11 21:17 - 2017-08-01 23:09 - 000000000 _RSHD C:\Google
2017-09-11 20:56 - 2017-08-13 23:20 - 000000000 ____D C:\Program Files\OpenVPN
2017-09-11 20:52 - 2017-08-06 19:06 - 000000000 ____D C:\Program Files\KMSpico
2017-09-11 20:52 - 2017-07-05 04:21 - 000000000 ____D C:\ProgramData\Package Cache
2017-09-11 20:31 - 2017-08-06 08:56 - 000000221 _____ C:\Users\James\AppData\Roaming\WB.CFG
 
==================== Files in the root of some directories =======
 
2017-09-12 16:44 - 2017-09-13 19:15 - 000000132 _____ () C:\Users\James\AppData\Roaming\Adobe PNG Format CS6 Prefs
2017-08-06 08:56 - 2017-09-11 20:31 - 000000221 _____ () C:\Users\James\AppData\Roaming\WB.CFG
2017-07-12 23:49 - 2017-09-27 21:41 - 000000600 _____ () C:\Users\James\AppData\Roaming\winscp.rnd
2017-09-12 17:15 - 2017-09-13 00:44 - 000001456 _____ () C:\Users\James\AppData\Local\Adobe Save for Web 13.0 Prefs
2017-07-12 18:40 - 2017-09-16 15:05 - 000000600 _____ () C:\Users\James\AppData\Local\PUTTY.RND
2017-08-01 23:09 - 2017-08-06 16:47 - 000000898 _____ () C:\ProgramData\ProgramData.lnk
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-07-24 14:49
 
==================== End of FRST.txt ============================




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:26 PM

Posted 29 September 2017 - 12:40 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <==== ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080;
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080;
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyEtCtDtG0A0E... (long line)
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qz... (long line)
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0... (long line)
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyE... (long line)
SearchScopes: HKU\S-1-5-21-382865111-2993243812-2193682747-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE... (long line)
SearchScopes: HKU\S-1-5-21-382865111-2993243812-2193682747-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1... (long line)
FF Plugin: @t.garena.com/garenatalk -> C:\Program Files\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
CHR DefaultSearchURL: Default -> hxxp://srch.bar/{searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms}
CHR HKLM\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
S3 GGSAFERDriver; \??\C:\Program Files\Garena Plus\Room\safedrv.sys [X]
S4 IUFileFilter; \??\C:\Program Files\IObit\IObit Uninstaller\drivers\win7_x86\IUFileFilter.sys [X]


RemoveProxy:
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please post the Fixlog.txt and include the Addition.txt file created by the Farbar program.

Please let me know what problem persists with this computer.

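The fixlist above removes a machine-wide WinINET proxy on loopback, the ProxySettingsPerUser policy that pins it for every account, Chrome and Internet Explorer policy keys, registry-installed Chrome extensions, and redirected IE search scopes. The script below is an added example written for this editing pass; it is not part of the thread, not nasdaq's fixlist and not FRST. It reads the same registry locations so the hijack can be confirmed before running the fix and verified gone after the reboot. Assumptions: it is run from an elevated PowerShell prompt (PowerShell 2.0 as shipped with Windows 7 is enough), it checks HKCU, so it must be run as the affected user (the fixlog shows the hive HKU\S-1-5-21-...-1000), and the URL patterns `hspart=` and `srch.bar` are taken from this thread's FRST log rather than from any general signature.

```powershell
# Added example (not from the thread, nasdaq or FRST): audit the registry
# locations the fixlist targets. Run elevated, as the affected user.
# The patterns are from this thread's log and are an assumption; extend them.
$hijackPattern = 'hspart=|srch\.bar'
$findings = @()

# 1. Machine-wide WinINET proxy, and the policy value that forces it on every user.
$inet = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet.ProxyEnable -eq 1) {
    $findings += "HKLM proxy enabled: $($inet.ProxyServer)"
    # A loopback proxy with no proxy software installed means something local is
    # relaying all browser traffic; ending that process breaks browsing entirely.
    if ($inet.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += 'Proxy is on loopback; identify the listening process with: netstat -ano'
    }
}
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($pol.ProxySettingsPerUser -eq 0) {
    $findings += 'ProxySettingsPerUser=0: proxy settings are enforced machine-wide by policy'
}

# 2. Browser policy keys, which normally exist only on domain-managed machines.
foreach ($k in 'HKLM:\SOFTWARE\Policies\Google', 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer') {
    if (Test-Path $k) { $findings += "Policy key present on a standalone PC: $k" }
}

# 3. Chrome extensions installed through the registry, in either hive.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $ext = "$hive\SOFTWARE\Google\Chrome\Extensions"
    if (Test-Path $ext) {
        foreach ($id in Get-ChildItem $ext) { $findings += "Registry-installed Chrome extension ($hive): $($id.PSChildName)" }
    }
}

# 4. IE start page and search scopes pointed at a third-party search feed.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $main = Get-ItemProperty "$hive\SOFTWARE\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
    if ($main.'Start Page' -match $hijackPattern) { $findings += "$hive start page: $($main.'Start Page')" }
    $scopes = "$hive\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
    if (Test-Path $scopes) {
        foreach ($s in Get-ChildItem $scopes) {
            $url = (Get-ItemProperty $s.PSPath).URL
            if ($url -match $hijackPattern) { $findings += "$hive search scope $($s.PSChildName): $url" }
        }
    }
}

if ($findings.Count -eq 0) { 'No hijack indicators found.' } else { $findings }
```

Run it once before the fix and once after the reboot that the Winsock and TCP/IP resets require; the second run should print no findings. It deliberately uses the `foreach` statement rather than `ForEach-Object` so that `$findings +=` updates the outer variable instead of a scope-local copy.
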
#3 KuyaJaaam

Posted 29 September 2017 - 01:47 PM

Fix result of Farbar Recovery Scan Tool (x86) Version: 26-09-2017 01
Ran by James (30-09-2017 02:41:11) Run:1
Running from C:\Users\James\Downloads\Programs
Loaded Profiles: James (Available Profiles: James)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <==== ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080;
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080;
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyEtCtDtG0A0E... (long line)
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qz... (long line)
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0... (long line)
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CyEyBzz0DyB0D0DtG0E0F0C0DtGyEyE... (long line)
SearchScopes: HKU\S-1-5-21-382865111-2993243812-2193682747-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE... (long line)
SearchScopes: HKU\S-1-5-21-382865111-2993243812-2193682747-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_31&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0FyByB0E0DyC0DtCyEtCyDtD0DtN0D0Tzu0StBtDyEtAtN1L2XzutAtFtBzytFtCtDyEtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StA0EtByDyC0D0EtDtGyCtAyEzytG0FzyyD0AtGtDtBzz0EtGtB0CzztDyEyB0CtCyCtBzzyE2QtN1M1F1B2Z1... (long line)
FF Plugin: @t.garena.com/garenatalk -> C:\Program Files\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
CHR DefaultSearchURL: Default -> hxxp://srch.bar/{searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms}
CHR HKLM\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
S3 GGSAFERDriver; \??\C:\Program Files\Garena Plus\Room\safedrv.sys [X]
S4 IUFileFilter; \??\C:\Program Files\IObit\IObit Uninstaller\drivers\win7_x86\IUFileFilter.sys [X]
 
 
RemoveProxy:
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully.
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully.
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKLM\Software\MozillaPlugins\@t.garena.com/garenatalk => key removed successfully.
Chrome DefaultSearchURL => removed successfully.
Chrome DefaultSuggestURL => removed successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\nahhmpbckpgdidfnmfkfgiflpjijilce => key removed successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\pilplloabdedfmialnfchjomjmpjcoej => key removed successfully.
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Google\Chrome\Extensions\nahhmpbckpgdidfnmfkfgiflpjijilce => key removed successfully.
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Google\Chrome\Extensions\pilplloabdedfmialnfchjomjmpjcoej => key removed successfully.
HKLM\System\CurrentControlSet\Services\GGSAFERDriver => key removed successfully.
GGSAFERDriver => service removed successfully.
HKLM\System\CurrentControlSet\Services\IUFileFilter => key removed successfully.
IUFileFilter => service removed successfully.
 
========= RemoveProxy: =========
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-382865111-2993243812-2193682747-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.
 
 
========= End of RemoveProxy: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= IPCONFIG /release =========
 
 
Windows IP Configuration
 
No operation can be performed on Local Area Connection 2 while it has its media disconnected.
 
Ethernet adapter Local Area Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::f0cc:7f78:3e1c:8df9%11
   Default Gateway . . . . . . . . . : 
 
Tunnel adapter isatap.{6F965574-A44C-4879-8BDE-1E253D2E20CF}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter isatap.{28388CD3-F0D6-40AB-B3F1-56A1D0FD61E3}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
========= End of CMD: =========
 
 
========= IPCONFIG /renew =========
 
 
Windows IP Configuration
 
No operation can be performed on Local Area Connection 2 while it has its media disconnected.
 
Ethernet adapter Local Area Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::f0cc:7f78:3e1c:8df9%11
   IPv4 Address. . . . . . . . . . . : 192.168.8.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.8.1
 
Tunnel adapter isatap.{6F965574-A44C-4879-8BDE-1E253D2E20CF}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
========= End of CMD: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset c:\resetlog.txt =========
 
Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= netsh int ipv4 reset =========
 
There's no user specified settings to be reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ipv6 reset =========
 
There's no user specified settings to be reset.
 
 
========= End of CMD: =========
 
 
========= bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to cancel {430DD520-0D34-4759-A4B1-9398522E569D}.
Unable to cancel {68410C42-9E2D-4E4B-AFC0-7FB137CEAD00}.
Unable to cancel {8543385A-7E14-4745-A198-5FB32C52A0C8}.
Unable to cancel {073B62DF-FFF3-4CBD-8E1A-1B8DB465489F}.
Unable to cancel {48627540-3B3D-428C-A0E1-3EAEFA9EE74D}.
Unable to cancel {2C651B9B-75C5-4C80-B86B-B4ADA72372B3}.
Unable to cancel {AF9A8ECA-4AEC-4551-B573-88FBD442AF78}.
Unable to cancel {51FCB663-CB8B-4F77-BEC0-8F11466C7C06}.
{5AB728AB-5571-4BE0-84BF-51DFB32B69DE} canceled.
{C30FC790-C140-4E0C-91C5-EBB9DDA71781} canceled.
{24A4949A-10AD-4EDF-AB48-211F50651E2D} canceled.
{1D838543-CD89-4CF5-BD49-79BD0594C3DE} canceled.
{592D6CD4-5B5A-4E0C-A024-1094471C1E6D} canceled.
{4BFD7B47-153C-410B-B82D-099895158237} canceled.
6 out of 14 jobs canceled.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 3267457 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 0 B
Edge => 0 B
Chrome => 17315266 B
Firefox => 10017790 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 233640 B
LocalService => 66708 B
NetworkService => 692 B
James => 159486256 B
 
RecycleBin => 0 B
EmptyTemp: => 189.6 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 02:42:14 ====

Here's the addition.txt

#4 nasdaq

Posted 30 September 2017 - 07:39 AM
Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


Task: {5E3006BF-0C8A-4FE6-AFB2-E483CDFE6877} - System32\Tasks\InstallShield® Update Service Scheduler => C:\Program Files\Common Files\InstallShield\Update\ISUSPM.exe [2017-02-16] (InstallShield®)
FirewallRules: [{1279A573-7359-49D8-894D-8ABF0B3269A5}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{1DC55791-09F1-4AB6-B6ED-56900903B785}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
C:\Program Files\KMSpico
C:\Windows\System32\Tasks\InstallShield® Update Service Schedule
C:\Program Files\Common Files\InstallShield\Update\ISUSPM.exe

RemoveProxy:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended. (You need to check with Internet Explorer) <- Important.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java™ 6 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216031FF}) (Version: 6.0.310 - Oracle)

Please let me know what problem persists with this computer.

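The second fixlist removes two persistence points that FRST reported: a scheduled task whose action runs an executable, and firewall Allow rules keyed to a program path. The script below is an added example for this editing pass, not part of the thread and not nasdaq's or FRST's code. It walks every scheduled task (hidden ones included) and every Allow rule in the firewall policy, then reports entries whose executable is missing or not Authenticode-signed, which is how a task or rule pointing at an unexpected program stands out for review. Assumptions: it runs elevated; it uses the Schedule.Service COM object and the FirewallRules registry key because Get-ScheduledTask and Get-NetFirewallRule need Windows 8 or later, while the thread's machine is Windows 7; and the rule-string layout `v2.x|Action=Allow|...|App=<path>|...` is the documented format of that key.

```powershell
# Added example (not from the thread, nasdaq or FRST): list scheduled-task
# actions and firewall Allow rules, flag missing or unsigned executables.
# Run elevated. Works on Windows 7 (PowerShell 2.0) and later.

function Get-TaskActions {
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $stack = New-Object System.Collections.Stack
    $stack.Push($svc.GetFolder('\'))
    while ($stack.Count -gt 0) {
        $folder = $stack.Pop()
        foreach ($sub in $folder.GetFolders(0)) { $stack.Push($sub) }
        foreach ($task in $folder.GetTasks(1)) {        # 1 = TASK_ENUM_HIDDEN
            foreach ($a in $task.Definition.Actions) {
                if ($a.Type -eq 0) {                   # 0 = TASK_ACTION_EXEC
                    New-Object PSObject -Property @{ Kind = 'Task'; Name = $task.Path; Exe = $a.Path; Args = $a.Arguments }
                }
            }
        }
    }
}

function Get-FirewallAllowRules {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    $props = Get-ItemProperty $key
    foreach ($p in $props.PSObject.Properties) {
        # Each value is one pipe-separated rule, e.g.
        # v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files\x\y.exe|Name=...|
        $rule = [string]$p.Value
        if ($rule -notmatch '\|Action=Allow\|') { continue }
        if ($rule -match '\|App=([^|]+)') {
            New-Object PSObject -Property @{ Kind = 'Firewall'; Name = $p.Name; Exe = $matches[1]; Args = '' }
        }
    }
}

function Test-Entry($e) {
    if (-not $e.Exe) { return $null }
    # Rules and tasks often use %ProgramFiles% or %SystemRoot%; expand before testing.
    $exe = [Environment]::ExpandEnvironmentVariables($e.Exe).Trim('"')
    if (-not (Test-Path $exe)) {
        # Bare names such as rundll32.exe resolve through PATH.
        $cmd = @(Get-Command $exe -ErrorAction SilentlyContinue)[0]
        if ($cmd) { $exe = $cmd.Path } else { return "MISSING  $($e.Kind) $($e.Name) -> $exe" }
    }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') { return "UNSIGNED $($e.Kind) $($e.Name) -> $exe ($($sig.Status))" }
    return $null
}

@(Get-TaskActions) + @(Get-FirewallAllowRules) | ForEach-Object { Test-Entry $_ } | Where-Object { $_ }
```

Treat the output as a review list rather than a verdict: on Windows 7, Get-AuthenticodeSignature does not consult the catalog, so some catalog-signed Microsoft binaries show as NotSigned, and a MISSING task action whose file is already gone (as in the fixlist above, which deletes the task and the executable together) is the expected state after the fix.
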
#5 nasdaq

Posted 05 October 2017 - 07:47 AM
Are you still with me?
