Can't get rid of bogus "your infected" popup in Firefox


This topic is locked
6 replies to this topic

#1 JPNYC

  • Members
  • 3 posts

Posted 13 January 2018 - 01:30 PM

I have a user running Win7 Pro 64.

They are continually being directed in Firefox to a fake "your computer is infected" site.

I have run a full Avast scan - no items found

A Malwarebytes scan - nothing found

Windows Defender - nothing found

FF has no add-ins or extensions

Completely deleted their FF profile

Done a system restore back as far as possible

I can't get a clear answer from the user if it will happen when FF is not running (I think it has to be open, but could be in the background). I myself have clicked on a totally clean link and been redirected to the "your infected" page, but as I said I think FF just needs to be open, no link click necessary.

All startup programs and services are legit

The URL to the site is a very long string
h t t p : //code-ss57.stream/guest/01234567891011121314151617181920212223....

Any thoughts, or help would be appreciated


Edited by JPNYC, 14 January 2018 - 10:10 AM.



#2 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Location:Montreal, QC. Canada

Posted 13 January 2018 - 03:12 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Hosts:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/

====

If the browsers are being synced with other devices, syncing should be stopped and reset.

Let me know if the problem persists.
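
The fixlist above resets the resolver cache, the IP stack, Winsock, the firewall and the hosts file in one pass, which repairs but does not record what was there. The `Hosts:` directive in particular replaces `C:\Windows\System32\drivers\etc\hosts` (FRST moves the old file aside first, as the Fixlog later in this thread reports). As an added example that is not part of nasdaq's instructions or of FRST, here is a small Python audit a technician can run on that file before the reset: it reports, with line numbers, every name mapped to a non-local address (a redirect) and every entry that points a security vendor's or update domain at loopback or 0.0.0.0 (a sinkhole, which is also why scanners on a hijacked box can report nothing while silently failing to update). The sample hosts content, its three hijack lines and the WATCHLIST of domains are constructed for this example.

```python
import ipaddress
import sys
from typing import List, Tuple

# Domains whose presence in hosts is suspicious even when they map to loopback:
# adware and scareware commonly sinkhole AV and update vendors so scans and
# updates quietly fail. Constructed watchlist for this example; extend it with
# whatever security software the machine actually runs.
WATCHLIST = (
    "avast.com",
    "malwarebytes.com",
    "microsoft.com",
    "windowsupdate.com",
    "mozilla.org",
)

# Constructed sample: the two stock Windows entries plus three hijack lines made
# up for this example (RFC 2606 ".test" names and a TEST-NET-2 address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

198.51.100.23   www.example-bank.test      # constructed: redirect to attacker IP
0.0.0.0         update.avast.com           # constructed: sinkholed updater
127.0.0.1       www.malwarebytes.com       # constructed: sinkholed vendor site
"""

Entry = Tuple[int, str, List[str]]   # (line number, address, hostnames)
Finding = Tuple[int, str, str]       # (line number, kind, detail)


def parse_hosts(text: str) -> List[Entry]:
    """Return active (non-comment) entries with their 1-based line numbers.

    Line numbers matter: a common trick is to pad the file with hundreds of
    blank lines so the hijack entries sit far below what Notepad first shows.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue                          # malformed line, maps nothing
        entries.append((lineno, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def is_local_target(address: str) -> bool:
    """True for loopback (127/8, ::1) and the unspecified address (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False                          # unparsable: treat as a redirect
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str) -> List[Finding]:
    """Flag redirects (name -> non-local address) and sinkholed watchlist domains."""
    findings: List[Finding] = []
    for lineno, address, names in parse_hosts(text):
        local = is_local_target(address)
        for name in names:
            watched = any(name == d or name.endswith("." + d) for d in WATCHLIST)
            if not local:
                findings.append((lineno, "redirect", f"{name} -> {address}"))
            elif watched:
                findings.append((lineno, "sinkhole", f"{name} -> {address}"))
    return findings


if __name__ == "__main__":
    # Usage: python hosts_audit.py C:\Windows\System32\drivers\etc\hosts
    # With no argument the constructed sample above is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_HOSTS
    for lineno, kind, detail in audit_hosts(source):
        print(f"line {lineno}: {kind}: {detail}")
```

Run it against the live file before the fixlist so the old content is on record; an empty result plus a clean reset then tells you the hosts file was not the redirect vector, which narrows the search to DNS, proxy/PAC settings and the browser itself.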

#3 JPNYC

  • Topic Starter
  • Members
  • 3 posts

Posted 13 January 2018 - 05:27 PM

Log file below:

Fix result of Farbar Recovery Scan Tool (x64) Version: 13.01.2018 01
Ran by Laura (13-01-2018 16:16:59) Run:1
Running from C:\Users\Laura\Downloads\New folder
Loaded Profiles: Laura (Available Profiles: Laura)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Hosts:

End
*****************

Restore point was successfully created.
Processes closed successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= IPCONFIG /release =========


Windows IP Configuration

No operation can be performed on Bluetooth Network Connection while it has its media disconnected.

Ethernet adapter Local Area Connection:


========= End of CMD: =========


========= IPCONFIG /renew =========


Windows IP Configuration

No operation can be performed on Bluetooth Network Connection while it has its media disconnected.

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.24
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{4F1F2045-8AF2-45D7-A1AC-09001A98AA20}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{296BE725-EA23-46B5-A2E0-1D9FEC1EDBB5}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset c:\resetlog.txt =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= netsh int ipv4 reset =========

There's no user specified settings to be reset.


========= End of CMD: =========


========= netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {A34A08FD-CAB1-49E4-88DB-992EE699000E}.
0 out of 1 jobs canceled.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 51594393 B
Java, Flash, Steam htmlcache => 1422 B
Windows/system/drivers => 61726038 B
Edge => 0 B
Chrome => 0 B
Firefox => 45053136 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66356 B
systemprofile32 => 66228 B
LocalService => 0 B
NetworkService => 14954 B
Laura => 65188536 B

RecycleBin => 14158483 B
EmptyTemp: => 234.9 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 16:17:20 ====


Edited by JPNYC, 14 January 2018 - 10:12 AM.


#4 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Location:Montreal, QC. Canada

Posted 14 January 2018 - 08:52 AM



Hi,

If the problem persists please give me some details.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click "Attach this file".
Click the "Add reply" button.
===

Post the logs and wait for further instructions.

#5 JPNYC

  • Topic Starter
  • Members
  • 3 posts

Posted 14 January 2018 - 09:42 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13.01.2018 01
Ran by Laura (administrator) on DESKTOP (14-01-2018 09:10:28)
Running from C:\Users\Laura\Downloads\New folder
Loaded Profiles: Laura (Available Profiles: Laura)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AVAST Software) C:\Program Files\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(AVAST Software) C:\Program Files\Avast\x64\aswidsagenta.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe
(AVAST Software) C:\Program Files\Avast\AvastUI.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
(Macrovision Europe Ltd.) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8843784 2016-08-16] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_MAXX6] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1462792 2016-08-16] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe [724400 2016-07-24] (Waves Audio Ltd.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\Avast\AvLaunch.exe [246120 2018-01-13] (AVAST Software)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [299504 2016-06-20] (Intel Corporation)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [623992 2008-10-14] (Adobe Systems Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-795802538-2840373822-4203302388-1001\...\RunOnce: [Uninstall C:\Users\Laura\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Laura\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\amd64"
HKU\S-1-5-21-795802538-2840373822-4203302388-1001\...\MountPoints2: {57a14675-4b0b-11e7-8ab1-90cdb603a6d4} - "G:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-795802538-2840373822-4203302388-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Mystify.scr [242688 2010-11-20] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{296BE72-EA23-46B5-C2E0-1D9FEC1EDBB5}: [NameServer] 208.67.222.222
Tcpip\..\Interfaces\{296BE72-EA23-46B5-C2E0-1D9FEC1EDBB5}: [DhcpNameServer] 209.18.47.61 209.18.47.62

Internet Explorer:
==================
HKU\S-1-5-21-795802538-2840373822-4203302388-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msnbc.com/
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2017-07-11] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2017-06-09] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2017-07-11] (Microsoft Corporation)
BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2017-06-09] (Microsoft Corporation)
Handler-x32: intu-help-qb10 - {E795042F-8A29-42E4-B265-2C7AB38E8AEE} - C:\Program Files (x86)\Intuit\QuickBooks 2017\HelpAsyncPluggableProtocol.dll [2017-03-07] (Intuit, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2017-06-09] (Microsoft Corporation)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: xg210n3g5.default
FF ProfilePath: C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\xg210n3g5.default [2018-01-14]
FF Homepage: Mozilla\Firefox\Profiles\g210n3g5.default -> hxxp://www.msnbc.com
FF NetworkProxy: Mozilla\Firefox\Profiles\g210n3g5.default -> type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-13] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_137.dll [2018-01-13] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2017-06-09] (Microsoft Corporation)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 aswbIDSAgent; C:\Program Files\Avast\x64\aswidsagenta.exe [7538536 2018-01-13] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\Avast\AvastSvc.exe [301168 2018-01-13] (AVAST Software)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3042544 2017-03-14] (Microsoft Corporation)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [144560 2012-05-16] (Seiko Epson Corporation)
R3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2017-06-06] (Macrovision Europe Ltd.) [File not signed]
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [324592 2016-11-03] (Intel Corporation)
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2016-08-22] (Intuit Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [314624 2016-08-16] (Realtek Semiconductor)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [185096 2018-01-13] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [321512 2018-01-13] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199448 2018-01-13] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343768 2018-01-13] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57696 2018-01-13] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46976 2018-01-13] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [146648 2018-01-13] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [110336 2018-01-13] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84384 2018-01-13] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1025176 2018-01-13] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [457896 2018-01-13] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [204456 2018-01-13] (AVAST Software)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [358672 2018-01-13] (AVAST Software)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [179456 2015-08-31] (Intel Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-14 04:02 - 2018-01-14 04:02 - 129365736 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2018-01-13 16:10 - 2018-01-14 09:10 - 000000000 ____D C:\FRST
2018-01-13 16:02 - 2018-01-14 09:10 - 000000000 ____D C:\Users\Laura\Downloads\New folder
2018-01-13 15:54 - 2018-01-13 15:54 - 000000000 ____D C:\Users\Laura\AppData\Roaming\TeamViewer
2018-01-13 15:51 - 2018-01-13 15:53 - 000000000 ____D C:\AdwCleaner
2018-01-13 15:37 - 2018-01-14 08:19 - 000000000 ____D C:\Program Files\Avast
2018-01-13 15:37 - 2018-01-13 15:37 - 001025176 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000457896 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000365680 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2018-01-13 15:37 - 2018-01-13 15:37 - 000358672 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000343768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000321512 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000204456 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000199448 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000185096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000146648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000110336 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000084384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000057696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000046976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-01-13 15:37 - 2018-01-13 15:37 - 000003884 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-01-13 15:37 - 2018-01-13 15:37 - 000001719 _____ C:\Users\Public\Desktop\Avast  Antivirus.lnk
2018-01-13 15:10 - 2018-01-13 15:12 - 000000000 ____D C:\Users\Laura\AppData\Local\Mozilla
2018-01-13 15:10 - 2018-01-13 15:10 - 000000000 ____D C:\Users\Laura\AppData\Roaming\Mozilla
2018-01-13 15:07 - 2018-01-13 15:07 - 000000936 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2018-01-13 15:07 - 2018-01-13 15:07 - 000000924 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2018-01-13 15:07 - 2018-01-13 15:07 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-01-08 16:20 - 2018-01-08 16:20 - 000009402 _____ C:\Users\Laura\Documents\Book1.xlsx
2017-12-22 08:23 - 2018-01-13 15:05 - 000000000 ____D C:\Windows\System32\Tasks\Avast Software
2017-12-22 08:23 - 2017-12-22 08:23 - 000000000 ____D C:\Program Files\Common Files\Avast Software
2017-12-21 14:33 - 2018-01-13 15:38 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-12-21 14:32 - 2017-12-21 14:38 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-12-21 13:50 - 2017-12-21 13:50 - 000000000 ____D C:\Users\Laura\AppData\Local\ESET

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-14 09:09 - 2017-06-06 15:39 - 000000000 ____D C:\Users\Laura\AppData\LocalLow\Mozilla
2018-01-14 04:26 - 2009-07-13 23:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-14 04:26 - 2009-07-13 23:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-14 04:22 - 2009-07-14 00:13 - 000781298 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-14 04:22 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\inf
2018-01-14 04:18 - 2017-06-05 14:19 - 000000000 __SHD C:\Users\Laura\IntelGraphicsProfiles
2018-01-14 04:18 - 2009-07-14 00:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-14 04:02 - 2017-06-06 16:17 - 129365736 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-01-14 04:02 - 2017-06-06 16:17 - 000000000 ____D C:\Windows\system32\MRT
2018-01-14 04:00 - 2017-06-06 16:01 - 000773536 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-01-13 16:17 - 2017-06-07 13:42 - 000000000 ____D C:\Users\Laura\AppData\LocalLow\Temp
2018-01-13 15:57 - 2017-08-09 10:42 - 000000000 ____D C:\Users\Laura\AppData\Local\Microsoft Help
2018-01-13 15:57 - 2017-06-06 16:57 - 000000000 ____D C:\ProgramData\FLEXnet
2018-01-13 15:57 - 2017-06-06 16:08 - 000000000 ____D C:\Users\Laura\AppData\Local\Intuit
2018-01-13 15:57 - 2017-06-06 16:03 - 000000000 ____D C:\Program Files (x86)\Intuit
2018-01-13 15:57 - 2010-11-21 02:16 - 000000000 ___RD C:\Users\Public\Recorded TV
2018-01-13 15:57 - 2009-07-13 22:20 - 000000000 __RHD C:\Users\Public\Libraries
2018-01-13 15:57 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\SysWOW64\Setup
2018-01-13 15:57 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\system32\Setup
2018-01-13 15:57 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\rescache
2018-01-13 15:57 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\PolicyDefinitions
2018-01-13 15:57 - 2009-07-13 22:20 - 000000000 ____D C:\Program Files\Common Files\Microsoft Shared
2018-01-13 15:56 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\registration
2018-01-13 15:53 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\servicing
2018-01-13 15:49 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\AppCompat
2018-01-13 15:45 - 2017-06-05 15:45 - 000000000 ____D C:\Program Files\Microsoft Office 15
2018-01-13 15:36 - 2012-06-05 15:10 - 000000000 ____D C:\ProgramData\AVAST Software
2018-01-13 15:20 - 2017-05-18 14:11 - 000003148 _____ C:\Windows\System32\Tasks\RtHDVBg_PushButton
2018-01-13 15:17 - 2017-06-05 15:25 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-01-13 15:17 - 2017-06-05 15:25 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-01-13 15:17 - 2017-06-05 15:25 - 000004324 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-01-13 15:17 - 2017-06-05 15:25 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-01-13 15:17 - 2017-06-05 15:25 - 000000000 ____D C:\Windows\system32\Macromed
2018-01-13 15:17 - 2017-06-05 15:25 - 000000000 ____D C:\Users\Laura\AppData\Local\Adobe
2018-01-13 14:58 - 2017-06-05 15:11 - 000000000 _____ C:\Windows\SysWOW64\config.nt
2018-01-13 14:58 - 2017-06-05 14:19 - 000000000 ____D C:\Users\Laura
2018-01-13 14:57 - 2009-07-13 22:20 - 000000000 __RSD C:\Windows\Media
2018-01-10 14:02 - 2017-06-06 15:30 - 000056320 _____ C:\Users\Laura\Documents\uno Summary.xls
2018-01-10 11:44 - 2017-06-06 15:30 - 000000000 ____D C:\Users\Laura\Documents\Scans
2017-12-27 11:48 - 2017-06-06 15:29 - 000000000 ____D C:\Users\Laura\Documents\ola

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-01-08 10:35

==================== End of FRST.txt ============================
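
An FRST.txt like the one above is several hundred lines, and the handful that can explain a browser redirect are scattered through it. As an added example, not part of this thread or of FRST itself, the Python script below pulls those lines out and turns them into a review list: FRST's own `<==== ATTENTION` markers, services flagged `[File not signed]`, the Firefox proxy type, an enabled NPAPI Flash plugin, and any interface whose static `NameServer` differs from what DHCP offered. This log has one such interface: 208.67.222.222 (a public OpenDNS resolver) is set statically while DHCP offered the 209.18.47.61/62 pair. That is a legitimate configuration if somebody chose it, but a changed resolver is the classic way to make "clean" links land on an attacker's page, so it is the first thing to confirm with whoever manages the machine and the router. SAMPLE_LOG is a constructed excerpt of lines copied from the posted log; the severities, the proxy-type table and the finding wording are the example's own.

```python
import re
import sys
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (severity, message)

# Constructed excerpt: these lines are copied from the FRST.txt posted in the
# thread. The full log has many more sections, which this triage ignores.
SAMPLE_LOG = r"""
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{296BE72-EA23-46B5-C2E0-1D9FEC1EDBB5}: [NameServer] 208.67.222.222
Tcpip\..\Interfaces\{296BE72-EA23-46B5-C2E0-1D9FEC1EDBB5}: [DhcpNameServer] 209.18.47.61 209.18.47.62
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
FF NetworkProxy: Mozilla\Firefox\Profiles\g210n3g5.default -> type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-13] ()
R3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2017-06-06] (Macrovision Europe Ltd.) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2016-08-22] (Intuit Inc.) [File not signed]
"""

# Meaning of Firefox's network.proxy.type values; FRST prints only the number.
FF_PROXY_TYPES: Dict[int, str] = {
    0: "direct", 1: "manual", 2: "PAC URL", 4: "auto-detect (WPAD)", 5: "system",
}

GLOBAL_DNS_RE = re.compile(r"^Tcpip\\Parameters: \[DhcpNameServer\] (.+)$")
IFACE_DNS_RE = re.compile(r"^Tcpip\\\.\.\\Interfaces\\(\{[^}]+\}): \[(\w+)\] (.+)$")
FF_PROXY_RE = re.compile(r'^FF NetworkProxy: .*type"?,\s*(\d+)')


def triage(log_text: str) -> List[Finding]:
    """Reduce an FRST.txt to the entries that can explain a browser redirect."""
    findings: List[Finding] = []
    dhcp_global: List[str] = []
    per_iface: Dict[str, Dict[str, List[str]]] = {}

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GLOBAL_DNS_RE.match(line)
        if m:
            dhcp_global = m.group(1).split()
            continue
        m = IFACE_DNS_RE.match(line)
        if m:
            guid, key, value = m.groups()
            per_iface.setdefault(guid, {})[key] = value.split()
            continue
        if "<==== ATTENTION" in line:                 # FRST's own marker
            findings.append(("review", "FRST flagged: " + line.split(" <====")[0]))
            continue
        if "[File not signed]" in line:               # service/driver without a signature
            findings.append(("review", "unsigned binary: " + line.split(";")[0].strip()))
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            ptype = int(m.group(1))
            if ptype in (1, 2, 4):                    # a proxy or PAC can rewrite every request
                label = FF_PROXY_TYPES.get(ptype, "unknown")
                findings.append(("high", f"Firefox proxy type {ptype} ({label})"))
            continue
        if line.startswith("FF Plugin") and "FlashPlayer" in line:
            findings.append(("info", "NPAPI Flash plugin enabled in Firefox (malvertising / drive-by surface)"))

    # A static NameServer that differs from what DHCP offered is the classic
    # way to make "clean" links resolve to an attacker-chosen page.
    for guid, keys in per_iface.items():
        static = keys.get("NameServer")
        dhcp = keys.get("DhcpNameServer") or dhcp_global
        if static and dhcp and set(static) != set(dhcp):
            findings.append(("review",
                             f"static DNS override on {guid}: {' '.join(static)} "
                             f"(DHCP offered {' '.join(dhcp)})"))
    return findings


if __name__ == "__main__":
    # Usage: python frst_triage.py FRST.txt   (no argument: the constructed excerpt).
    # A copy pasted from the forum is UTF-8; adjust the encoding for other sources.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for severity, message in triage(text):
        print(f"[{severity}] {message}")
```

On this excerpt the script reports the Defender policy restriction, the Flash plugin, the two unsigned Intuit and FLEXnet binaries and the DNS override, and nothing for the proxy, because type 0 means Firefox connects directly. The `Windows Defender: Restriction` policy key is what keeps `WinDefend` stopped (`S3` in the services list) and is routinely written when a third-party antivirus such as Avast registers itself; confirm that is the reason here before treating it as tampering.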


#6 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Location:Montreal, QC. Canada

Posted 14 January 2018 - 01:22 PM

Hi,

Nothing suspicious was found in your logs.


Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

If the problem persists run this cleaner tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

How is it now?

#7 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Location:Montreal, QC. Canada

Posted 20 January 2018 - 08:16 AM

Hi,

Are you still with me?

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices and keeping safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
