

FVP Hijacking

This is a discussion on FVP Hijacking within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.


03-13-2016, 12:44 PM   #1
Registered Member
 
Join Date: Jul 2005
Posts: 56
OS: Win XP SP2



Hi,

My daughter's computer is incredibly slow and the browsers were hijacked by something which calls itself ~FVP~.

I attached DDS logs.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18205
Run by LG at 16:28:18 on 2016-03-13
Microsoft Windows 7 Home Basic 6.1.7601.1.1252.55.1046.18.1990.114 [GMT -3:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {DA9F8ED0-D0DE-39CC-F55A-51AB4CC1B556}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {61FE6F34-F6E4-3642-CFEA-6AD93746FFEB}
FW: McAfee Firewall *Enabled* {E2A40FF5-9AB1-3894-DE05-F89EB212F22D}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\PROGRA~2\GbPlugin\GbpSv.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
C:\Program Files\Motorola\Bluetooth\audiosrv.exe
C:\Program Files\Motorola\Bluetooth\obexsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Users\LG\AppData\Roaming\TSv\TSvr.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\SFK\SSFK.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\McAfee\MSC\McAPExe.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~2\GbPlugin\GbpSv.exe
C:\Windows\system32\GWX\GWX.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\LG Software\LG Power Manager Suite\PowerManager.exe
C:\Program Files\LG Software\LG OSD\HotkeyManager.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\lg_swupdate\GiljabiStart.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\ProgramData\Google\update\GoogleUpdate.exe
C:\ProgramData\Google\update\GoogleUpdate.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreamsDownloader.exe
C:\Windows\system32\CompatTelRunner.exe
C:\Windows\system32\CompatTelRunner.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Windows\TEMP\4448918C-4469-481E-81B1-3B38CDFC5000\dismhost.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\54.0\mcdatrep.exe
C:\Program Files\Common Files\McAfee\CSP\1.8.267.0\McCSPServiceHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe
C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\LG\Desktop\Segurança\dds.com
c:\PROGRA~1\COMMON~1\mcafee\mhn\ALERTH~1.EXE
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://search.delta-homes.com/web/?type=ds&ts=1435120220&z=8770c4a9f7b6fbf2b02ef6dgczac2w5gdofe2o0gbc&from=ient06241&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
uDefault_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1452679535&z=fa819f3249e7c2e053af1eagcz4wao8q8m9t5wac1w&from=ient07021&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT
uDefault_Search_URL = hxxp://search.delta-homes.com/web/?type=ds&ts=1435120220&z=8770c4a9f7b6fbf2b02ef6dgczac2w5gdofe2o0gbc&from=ient06241&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
mStart Page = about:blank
mSearch Page = hxxp://www.qone8.com/web/?type=ds&ts=1401377870&from=smt&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
mDefault_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1452679535&z=fa819f3249e7c2e053af1eagcz4wao8q8m9t5wac1w&from=ient07021&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT
mDefault_Search_URL = hxxp://www.qone8.com/web/?type=ds&ts=1401377870&from=smt&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: LuckyTab Class: {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: McAfee SafeKey Vault: {9DB059B3-DD36-4a55-846C-59BE42A1202A} - C:\Program Files (x86)\SafeKey\LPToolbar.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: GbIehObj Class: {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Program Files (x86)\GbPlugin\gbiehuni.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: McAfee SafeKey: {61D700C1-7D8D-43c5-9C13-4FF85157CFE6} - C:\Program Files (x86)\SafeKey\LPToolbar.dll
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [TornTv Downloader] C:\Users\LG\AppData\Roaming\TornTV.com\Torntv Downloader.exe /c=startup
uRun: [DelayShred] "c:\PROGRA~1\mcafee\mqs\ShrCL.EXE" /P1 /q "C:\Users\LG\AppData\Everything" "C:\Users\LG\NTUSER.DAT" "C:\Users\LG\ntuser.dat.LOG1" "C:\Users\LG\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" "C:\Users\LG\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" "C:\Users\LG\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" "C:\Users\LG\ntuser.dat.LOG2"
mRun: [LG Intelligent Update] "C:\Program Files (x86)\lg_swupdate\giljabistart.exe" Gilautouc
mRun: [LG Media FUNtasia] "C:\Program Files (x86)\LG Software\LG Media FUNtasia\MediaFuntasiaStart.exe" tray
mRun: [LG Smart Page] "C:\Program Files (x86)\LG Software\LG Smart Page\TOStart.exe" tray
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRunOnce: [{90140000-003D-0000-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
dRunOnce: [{90140000-0018-0416-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
dRunOnce: [{90140000-006E-0416-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
dRunOnce: [{90140000-001A-0416-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
dRunOnce: [{90140000-00A1-0416-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
StartupFolder: C:\Users\LG\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TORNTV~1.LNK - C:\Users\LG\AppData\Roaming\TornTV.com\TornTV Downloader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~1.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &Send to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: SafeKey - C:\Users\LG\AppData\LocalLow\SafeKey\context.html?cmd=lastpass
IE: SafeKey Fill Forms - C:\Users\LG\AppData\LocalLow\SafeKey\context.html?cmd=fillforms
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {9DB059B3-DD36-4a55-846C-59BE42A1202A} - C:\Program Files (x86)\SafeKey\LPToolbar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {bd707fe6-39f6-4bda-9265-86a76719bdc5} - C:\Program Files\Motorola\Bluetooth\btmiesend.htm
Trusted Zone: itau.com.br
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{305460FA-0359-48B1-AD6D-3BA43A3E9623} : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{3BE3484F-5F3A-473A-A004-77D5F38DD402} : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{555205B8-DCC6-42C5-8D10-B4B1A76424BC} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{555205B8-DCC6-42C5-8D10-B4B1A76424BC}\9437162656C616024416E6471637 : DHCPNameServer = 200.222.0.34 200.202.193.75
TCP: Interfaces\{F1F1E1DB-E21F-4D3B-9602-84094A923778} : DHCPNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: GbPluginUni - C:\Program Files (x86)\GbPlugin\gbiehUni.dll
AppInit_DLLs= C:\PROGRA~2\SupTab\SEARCH~1.DLL
SSODL: WebCheck - <orphaned>
SEH: GbPluginObj Class - {E37CB5F0-51F5-4395-A808-5FA49E399008} - C:\Program Files (x86)\GbPlugin\gbiehuni.dll
x64-mStart Page = about:blank
x64-mSearch Page = hxxp://www.qone8.com/web/?type=ds&ts=1401377870&from=smt&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
x64-mDefault_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1452679535&z=fa819f3249e7c2e053af1eagcz4wao8q8m9t5wac1w&from=ient07021&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT
x64-mDefault_Search_URL = hxxp://www.qone8.com/web/?type=ds&ts=1401377870&from=smt&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: McAfee SafeKey Vault: {9DB059B3-DD36-4a55-846C-59BE42A1202A} - C:\Program Files (x86)\SafeKey\LPToolbar_x64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: McAfee SafeKey: {61D700C1-7D8D-43c5-9C13-4FF85157CFE6} - C:\Program Files (x86)\SafeKey\LPToolbar_x64.dll
x64-Run: [PowerManager] C:\Program Files\LG Software\LG Power Manager Suite\PowerManager.exe
x64-Run: [HotkeyManager] C:\Program Files\LG Software\LG OSD\HotkeyManager.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {9DB059B3-DD36-4a55-846C-59BE42A1202A} - C:\Program Files (x86)\SafeKey\LPToolbar_x64.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {bd707fe6-39f6-4bda-9265-86a76719bdc5} - C:\Program Files\Motorola\Bluetooth\btmiesend.htm
x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2014-10-1 846080]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2014-10-1 245096]
R3 BTMUSB;Motorola Bluetooth Radio Service;C:\Windows\System32\drivers\btmusb.sys [2010-1-2 663936]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2014-10-1 79248]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2011-1-28 31088]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-8-23 317440]
R3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-9-19 108656]
R3 mfeaack;McAfee Inc. mfeaack;C:\Windows\System32\drivers\mfeaack.sys [2015-2-17 419624]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2014-10-1 351144]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2014-10-1 496368]
R3 mfencbdc;McAfee Inc. mfencbdc;C:\Windows\System32\drivers\mfencbdc.sys [2015-11-20 539496]
R3 mfesapsn;McAfee Process Start Notification Service;C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [2016-2-18 36968]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2010-1-2 1360960]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-11-22 339560]
S3 BTMCOM;Bluetooth Serial Port;C:\Windows\System32\drivers\btmcom.sys [2010-1-2 52736]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-11-22 48488]
S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2015-7-2 207208]
S3 mfencrk;McAfee Inc. mfencrk;C:\Windows\System32\drivers\mfencrk.sys [2015-11-20 109480]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2013-8-6 23040]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192ce.sys [2012-10-9 1165928]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2015-6-17 54784]
S3 wsvd;wsvd;C:\Windows\System32\drivers\wsvd.sys [2010-8-9 125936]
.
=============== Created Last 30 ================
.
2016-02-16 07:24:56 -------- d-----w- C:\Windows\rescache
2016-02-16 06:16:59 1018368 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2016-02-16 06:16:58 10949120 ----a-w- C:\Program Files\Internet Explorer\F12Resources.dll
2016-02-16 06:16:30 141312 ----a-w- C:\Windows\System32\drivers\mrxdav.sys
2016-02-16 06:16:26 3211776 ----a-w- C:\Windows\System32\win32k.sys
2016-02-16 06:16:14 2085888 ----a-w- C:\Windows\System32\ole32.dll
2016-02-16 06:16:13 1413632 ----a-w- C:\Windows\SysWow64\ole32.dll
2016-02-16 06:14:32 3231232 ----a-w- C:\Windows\explorer.exe
2016-02-16 06:14:30 2973184 ----a-w- C:\Windows\SysWow64\explorer.exe
2016-02-16 06:14:30 1940992 ----a-w- C:\Windows\System32\authui.dll
2016-02-16 06:14:30 1866752 ----a-w- C:\Windows\System32\ExplorerFrame.dll
2016-02-16 06:14:30 1805824 ----a-w- C:\Windows\SysWow64\authui.dll
2016-02-16 06:14:30 1498624 ----a-w- C:\Windows\SysWow64\ExplorerFrame.dll
2016-02-16 03:09:10 -------- d-----w- C:\Program Files (x86)\iTunes
2016-02-16 03:09:09 -------- d-----w- C:\Program Files\iPod
2016-02-16 03:08:32 -------- d-----w- C:\Program Files\iTunes
2016-02-16 03:03:33 -------- d-----w- C:\Program Files\Bonjour
2016-02-16 03:03:33 -------- d-----w- C:\Program Files (x86)\Bonjour
2016-02-16 02:57:23 -------- d-----w- C:\Users\LG\AppData\Local\Apple Inc
2016-02-16 02:10:59 -------- d-----w- C:\ProgramData\Intel Security
2016-02-16 01:56:27 -------- d-----w- C:\Program Files\Common Files\Intel Security
.
==================== Find3M ====================
.
2016-02-06 10:32:57 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2016-02-06 10:10:21 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2016-02-06 09:54:50 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2016-02-06 09:37:23 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2016-01-22 06:56:05 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2016-01-22 06:41:35 66560 ----a-w- C:\Windows\System32\iesetup.dll
2016-01-22 06:40:50 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2016-01-22 06:40:43 417792 ----a-w- C:\Windows\System32\html.iec
2016-01-22 06:40:13 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2016-01-22 06:40:12 571904 ----a-w- C:\Windows\System32\vbscript.dll
2016-01-22 06:29:43 6052352 ----a-w- C:\Windows\System32\jscript9.dll
2016-01-22 06:27:40 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2016-01-22 06:27:24 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2016-01-22 06:27:10 5573056 ----a-w- C:\Windows\System32\ntoskrnl.exe
2016-01-22 06:27:08 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2016-01-22 06:27:08 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2016-01-22 06:24:12 1733592 ----a-w- C:\Windows\System32\ntdll.dll
2016-01-22 06:20:53 362496 ----a-w- C:\Windows\System32\wow64win.dll
2016-01-22 06:20:53 243712 ----a-w- C:\Windows\System32\wow64.dll
2016-01-22 06:20:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2016-01-22 06:20:36 215040 ----a-w- C:\Windows\System32\winsrv.dll
2016-01-22 06:20:33 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2016-01-22 06:20:31 210432 ----a-w- C:\Windows\System32\wdigest.dll
2016-01-22 06:20:20 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2016-01-22 06:20:10 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2016-01-22 06:20:10 135680 ----a-w- C:\Windows\System32\sspicli.dll
2016-01-22 06:20:08 503808 ----a-w- C:\Windows\System32\srcore.dll
2016-01-22 06:20:08 50176 ----a-w- C:\Windows\System32\srclient.dll
2016-01-22 06:19:06 28160 ----a-w- C:\Windows\System32\secur32.dll
2016-01-22 06:19:04 344064 ----a-w- C:\Windows\System32\schannel.dll
2016-01-22 06:19:02 1214464 ----a-w- C:\Windows\System32\rpcrt4.dll
2016-01-22 06:18:49 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2016-01-22 06:18:49 723968 ----a-w- C:\Windows\System32\EncDec.dll
2016-01-22 06:18:32 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2016-01-22 06:17:03 312320 ----a-w- C:\Windows\System32\ncrypt.dll
2016-01-22 06:17:01 159744 ----a-w- C:\Windows\System32\mtxoci.dll
2016-01-22 06:17:00 315392 ----a-w- C:\Windows\System32\msv1_0.dll
2016-01-22 06:16:55 60416 ----a-w- C:\Windows\System32\msobjs.dll
2016-01-22 06:16:39 146432 ----a-w- C:\Windows\System32\msaudite.dll
2016-01-22 06:16:00 1461248 ----a-w- C:\Windows\System32\lsasrv.dll
2016-01-22 06:15:31 730112 ----a-w- C:\Windows\System32\kerberos.dll
2016-01-22 06:15:31 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2016-01-22 06:13:15 3993536 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2016-01-22 06:13:15 3938752 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2016-01-22 06:13:06 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2016-01-22 06:13:04 43520 ----a-w- C:\Windows\System32\cryptbase.dll
2016-01-22 06:13:03 22016 ----a-w- C:\Windows\System32\credssp.dll
2016-01-22 06:09:40 1314328 ----a-w- C:\Windows\SysWow64\ntdll.dll
2016-01-22 06:09:06 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2016-01-22 0650 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2016-01-22 0650 665088 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2016-01-22 0650 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2016-01-22 0650 275456 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2016-01-22 0630 171520 ----a-w- C:\Windows\SysWow64\wdigest.dll
2016-01-22 0619 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2016-01-22 0611 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2016-01-22 06:05:27 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2016-01-22 06:05:20 251392 ----a-w- C:\Windows\SysWow64\schannel.dll
2016-01-22 06:04:36 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2016-01-22 06:04:36 535040 ----a-w- C:\Windows\SysWow64\EncDec.dll
2016-01-22 06:02:58 223232 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2016-01-22 06:02:56 114176 ----a-w- C:\Windows\SysWow64\mtxoci.dll
2016-01-22 06:02:55 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2016-01-22 06:02:52 176128 ----a-w- C:\Windows\SysWow64\msorcl32.dll
2016-01-22 06:02:49 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2016-01-22 06:02:26 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2016-01-22 06:02:01 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2016-01-22 06:02:01 496640 ----a-w- C:\Windows\SysWow64\vbscript.dll
2016-01-22 06:02:00 553472 ----a-w- C:\Windows\SysWow64\kerberos.dll
2016-01-22 06:01:26 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2016-01-22 06:01:17 341504 ----a-w- C:\Windows\SysWow64\html.iec
2016-01-22 06:00:26 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2016-01-22 05:51:37 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2016-01-22 05:46:10 2123264 ----a-w- C:\Windows\System32\inetcpl.cpl
2016-01-22 05:46:00 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2016-01-22 05:39:38 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2016-01-22 05:35:15 4611072 ----a-w- C:\Windows\SysWow64\jscript9.dll
2016-01-22 05:31:43 2597376 ----a-w- C:\Windows\System32\wininet.dll
2016-01-22 05:24:59 2050560 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2016-01-22 05:24:40 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2016-01-22 05:13:56 64000 ----a-w- C:\Windows\System32\auditpol.exe
2016-01-22 05:07:28 2120704 ----a-w- C:\Windows\SysWow64\wininet.dll
2016-01-22 05:07:16 338432 ----a-w- C:\Windows\System32\conhost.exe
2016-01-22 05:07:09 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2016-01-22 05:05:44 296960 ----a-w- C:\Windows\System32\rstrui.exe
2016-01-22 04:59:53 159232 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2016-01-22 04:58:52 290816 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2016-01-22 04:58:46 129024 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2016-01-22 04:57:17 30720 ----a-w- C:\Windows\System32\lsass.exe
2016-01-22 04:57:09 112640 ----a-w- C:\Windows\System32\smss.exe
2016-01-22 04:53:59 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2016-01-22 04:53:56 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2016-01-22 04:53:56 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2016-01-22 04:53:55 2048 ----a-w- C:\Windows\SysWow64\user.exe
2016-01-22 04:51:55 36352 ----a-w- C:\Windows\SysWow64\cryptbase.dll
2016-01-22 04:51:40 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2016-01-22 04:51:40 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2016-01-22 04:51:40 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2016-01-22 04:51:40 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2016-01-16 1953 25024 ----a-w- C:\Windows\System32\CompatTelRunner.exe
.
============= FINISH: 16:32:41,24 ===============
Attached Files
File Type: txt attach.txt (8.9 KB, 20 views)
File Type: txt dds.txt (25.7 KB, 14 views)
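The "Pseudo HJT Report" in the DDS log above is where this hijack shows itself: every start and search page points at search.delta-homes.com, www.yoursites123.com or www.qone8.com, the LuckyTab BHO is registered with no DLL behind it, the TornTV autorun lives under the user's AppData, and AppInit_DLLs loads a SupTab DLL into every process that links user32. The script below is an added example for this thread, not code from DDS, FRST or either poster; it applies those four checks to DDS-style report lines. The allowlist of benign page hosts and the heuristics are this example's assumptions, and the sample input is a constructed set of trimmed lines from the report above.

```python
"""Triage DDS 'Pseudo HJT Report' lines for browser-hijack indicators.

Added example for this thread; not code from DDS, FRST or the posters.
The trusted-host allowlist and the heuristics are this example's assumptions.
"""
import re
from urllib.parse import urlparse

# Start/search page hosts that need no attention (assumption: small allowlist).
TRUSTED_PAGE_HOSTS = {"about:blank", "www.google.com", "www.bing.com", "www.msn.com"}

# DDS prefixes: u = HKCU, m = HKLM, d = Default user, x64- = 64-bit hive view.
PAGE_RE = re.compile(
    r"^(?:x64-)?[um](?:Start Page|Search Page|Default_Page_URL|Default_Search_URL)"
    r"\s*=\s*(?P<value>.+)$"
)
BHO_RE = re.compile(
    r"^(?:x64-)?BHO: (?P<name>.+?): (?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<path>.*)$"
)
RUN_RE = re.compile(r"^(?:x64-)?[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs\s*=\s*(?P<dlls>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\(?:Roaming|Local|LocalLow)\\", re.IGNORECASE)


def page_host(value):
    """Host of a DDS page value. DDS defangs http as hxxp; undo that for parsing."""
    value = value.strip()
    if value.lower().startswith("about:"):
        return value.lower()
    url = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return (urlparse(url).hostname or url).lower()


def exe_of(command):
    """Executable path of a Run value, ignoring its arguments."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else command.strip()


def triage_hjt(lines):
    """Return (kind, detail, line) for each suspicious entry."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = PAGE_RE.match(line)
        if m:
            host = page_host(m.group("value"))
            if host not in TRUSTED_PAGE_HOSTS:
                findings.append(("hijacked_page", host, line))
            continue
        m = BHO_RE.match(line)
        if m:
            # A CLSID with no DLL path behind it: leftover or hidden component.
            if not m.group("path").strip():
                findings.append(("orphaned_bho", m.group("name"), line))
            continue
        m = RUN_RE.match(line)
        if m:
            # Autoruns whose binary lives in the user profile are a classic adware spot.
            if APPDATA_RE.search(exe_of(m.group("cmd"))):
                findings.append(("appdata_autorun", m.group("name"), line))
            continue
        m = APPINIT_RE.match(line)
        if m and m.group("dlls").strip():
            # Any DLL listed here is injected into every user32-linked process.
            findings.append(("appinit_dll", m.group("dlls").strip(), line))
    return findings


# Constructed sample: trimmed lines from the DDS report posted above.
SAMPLE_HJT = r"""
uStart Page = about:blank
uSearch Page = hxxp://search.delta-homes.com/web/?type=ds&q={searchTerms}
mDefault_Page_URL = hxxp://www.yoursites123.com/?type=hp
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: LuckyTab Class: {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [TornTv Downloader] C:\Users\LG\AppData\Roaming\TornTV.com\Torntv Downloader.exe /c=startup
uRun: [DelayShred] "c:\PROGRA~1\mcafee\mqs\ShrCL.EXE" /P1 /q "C:\Users\LG\AppData\Everything"
AppInit_DLLs= C:\PROGRA~2\SupTab\SEARCH~1.DLL
x64-mSearch Page = hxxp://www.qone8.com/web/?type=ds&q={searchTerms}
"""

if __name__ == "__main__":
    for kind, detail, _ in triage_hjt(SAMPLE_HJT.splitlines()):
        print(f"{kind:16} {detail}")
```

Run against the sample it reports three hijacked pages, the orphaned LuckyTab BHO, the TornTV autorun and the SupTab AppInit DLL, and leaves the McAfee DelayShred entry alone because only the executable path, not its arguments, is tested against AppData. The same script can be pointed at a full dds.txt; everything outside the report section simply fails to match.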
03-14-2016, 01:00 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

**Note - Please do NOT upgrade your OS to Windows 10 until your machine is clean, and we have uninstalled all our removal tools. Thanks.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
03-14-2016, 07:18 PM   #3
Registered Member
 
Join Date: Jul 2005
Posts: 56
OS: Win XP SP2



Follows.
Attached Files
File Type: txt AdwCleaner[C1].txt (16.3 KB, 14 views)
File Type: txt AdwCleaner[S1].txt (21.4 KB, 13 views)
File Type: txt FRST.txt (58.2 KB, 20 views)
File Type: txt Addition.txt (32.0 KB, 15 views)
03-15-2016, 02:59 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello ehgpdantas.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Back up your files - Windows Help

Also, if you haven't done so already, create a system repair disc. It's really easy and quick.

How To Create a Windows 7 System Repair Disc [Easy]

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {B3DB1D43-0368-48DF-A7F7-C2EA5E2E2FD2} - System32\Tasks\globalUpdateUpdateTaskMachineUA1d014e8ac204e43 => C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe <==== ATTENTION
    Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA1d014e8ac204e43.job => C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe <==== ATTENTION
    AlternateDataStreams: C:\Windows\System32:323A41CD_Uni.gbp [2]
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
    AlternateDataStreams: C:\Users\Todos os Usuários\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
    HKU\S-1-5-21-4281146232-1754030423-2531835936-1002\...\MountPoints2: {a895cf3f-e053-11e3-9918-00e0914c7256} - E:\Autorun.exe
    HKU\S-1-5-18\...\RunOnce: [{90140000-003D-0000-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    HKU\S-1-5-18\...\RunOnce: [{90140000-0018-0416-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    HKU\S-1-5-18\...\RunOnce: [{90140000-006E-0416-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    HKU\S-1-5-18\...\RunOnce: [{90140000-001A-0416-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    HKU\S-1-5-18\...\RunOnce: [{90140000-00A1-0416-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    C:\ProgramData\Microsoft Help\Rgstrtn.lck
    ShellIconOverlayIdentifiers: [BaiduAntivirusIconLock] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} =>  No File
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-21-4281146232-1754030423-2531835936-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    Folder: "%allusersprofile%\Application Data\Microsoft Help"
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
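The fixlist above works by feeding FRST's own log lines back to the tool, so the analyst's real job is deciding which lines to feed it. As an added example (not from this thread and not part of FRST), the Python below applies the heuristics implied by that fixlist to constructed FRST-style log lines: a scheduled task whose target is named GoogleUpdate.exe but runs from a folder with no Google segment (the globalUpdate adware pattern), any alternate data stream other than the ordinary Zone.Identifier mark-of-the-web, an Autorun.exe registered through MountPoints2, and a search scope whose URL is empty. The sample lines mirror the entries in the fixlist with the annotation translated; the third Task line and the Zone.Identifier line are made up as known-good comparison cases, and the rules are this example's own, not FRST's.

```python
import re

# Constructed sample of FRST log lines, shaped like the entries in the fixlist
# above. The third Task line (made-up GUID) and the Zone.Identifier line are
# known-good cases added for comparison.
SAMPLE_LOG = r"""
Task: {B3DB1D43-0368-48DF-A7F7-C2EA5E2E2FD2} - System32\Tasks\globalUpdateUpdateTaskMachineUA1d014e8ac204e43 => C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe <==== ATTENTION
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA1d014e8ac204e43.job => C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
AlternateDataStreams: C:\Windows\System32:323A41CD_Uni.gbp [2]
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
AlternateDataStreams: C:\Users\LG\Downloads\setup.exe:Zone.Identifier [26]
HKU\S-1-5-21-4281146232-1754030423-2531835936-1002\...\MountPoints2: {a895cf3f-e053-11e3-9918-00e0914c7256} - E:\Autorun.exe
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}
"""

# Updater file names that adware likes to borrow (assumption: this example's list).
IMPERSONATED_BINARIES = {"googleupdate.exe"}

TASK_RE = re.compile(r"^Task: .*? => (?P<target>[A-Za-z]:\\[^<]*?)\s*(?:<====.*)?$")
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+?):(?P<stream>[^:\[]+) \[(?P<size>\d+)\]$")
MOUNT_RE = re.compile(r"MountPoints2: \{[0-9A-Fa-f-]+\} - (?P<target>.+)$")
SCOPE_RE = re.compile(r"^SearchScopes: .*\bURL =\s*(?P<url>.*)$")


def looks_like_updater_impersonation(target):
    """True when a well-known updater file name runs from a folder with no Google segment."""
    directory, _, filename = target.strip().strip('"').lower().rpartition("\\")
    return filename in IMPERSONATED_BINARIES and "\\google\\" not in directory + "\\"


def triage_line(line):
    """Return a short reason if the log line belongs in the fixlist, else None."""
    line = line.strip()
    m = TASK_RE.match(line)
    if m:
        if looks_like_updater_impersonation(m.group("target")):
            return "scheduled task impersonating an updater"
        return None
    m = ADS_RE.match(line)
    if m:
        # Zone.Identifier is the ordinary mark-of-the-web; every other stream
        # FRST lists is flagged for removal and inspection.
        if m.group("stream").lower() == "zone.identifier":
            return None
        return "alternate data stream"
    m = MOUNT_RE.search(line)
    if m and m.group("target").strip().lower().endswith("autorun.exe"):
        return "removable-media autorun via MountPoints2"
    m = SCOPE_RE.match(line)
    if m and not m.group("url").strip():
        return "search scope with empty URL"
    return None


def build_fixlist(log_text):
    """Wrap the flagged log lines in the start/end frame an FRST fixlist uses."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and triage_line(line):
            # drop FRST's own "<==== ..." annotation so the entry is clean
            flagged.append(re.sub(r"\s*<====.*$", "", line))
    return ["start", "createrestorepoint:", *flagged, "EmptyTemp:", "end"]


if __name__ == "__main__":
    for entry in build_fixlist(SAMPLE_LOG):
        print(entry)
```

The generated list can be saved as fixlist.txt next to FRST64.exe exactly as the post describes; what it will not do is judge the legitimate Google task, which stays out because its target sits in a Google folder.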
Old 03-15-2016, 04:49 PM   #5
Registered Member
 
Join Date: Jul 2005
Posts: 56
OS: Win XP SP2



Follows.
Attached Files: Fixlog.txt (5.9 KB)
ehgpdantas is offline  
Old 03-15-2016, 07:46 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Eduardo. How is the machine behaving?

No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

------------------------------------------------------

I see you have P2P software ( uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here and here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

------------------------------------------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click mbam-setup-2.2.0.1024.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish
  • At the end of the installation, a database update will be performed.
  • Click on Scan Now
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double-click on the Scan Log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log in your next reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
chemist is offline  
Old 03-17-2016, 02:36 AM   #7
Follows MBAM logs. ESET found many threats but did not complete the test and I will have to try once more.
Attached Files: mbam 13.txt (619 Bytes), mbam 23.txt (20.1 KB), mbam 33.txt (4.3 KB)
ehgpdantas is offline  
Old 03-17-2016, 12:52 PM   #8
Hello again, ehgpdantas. ESET often lists threats that have already been quarantined, so don't get overly worried. Let me know when ESET finishes.
chemist is offline  
Old 03-19-2016, 05:08 AM   #9
Hi,

ESET finally completed. Follows the log. Seems most of what it found was already handled by AdwCleaner. However, there was a strange Google Update.exe...

System does not have the FVP hijack any more and seems to be clean, although slow...

Eduardo
Attached Files: ESET Log.txt (6.7 KB)
ehgpdantas is offline  
Old 03-19-2016, 01:32 PM   #10
Hello again, Eduardo. Some users complain of slowness after a cleaning. Use the machine a day or so and see if it improves.

------------------------------------------------------

Most of the ESET finds have already been quarantined by AdwCleaner. Those will get deleted when we uninstall AdwCleaner.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\$RECYCLE.BIN\S-1-5-21-4281146232-1754030423-2531835936-1002\$RFWC7M6\everything.dll"
"C:\$RECYCLE.BIN\S-1-5-21-4281146232-1754030423-2531835936-1002\$RFWC7M6\Patch.dll"
"C:\$RECYCLE.BIN\S-1-5-21-4281146232-1754030423-2531835936-1002\$RFWC7M6\ServiceEverything.exe"
"C:\$RECYCLE.BIN\S-1-5-21-4281146232-1754030423-2531835936-1002\$RFWC7M6\SFKEX.exe"
"C:\ProgramData\Google\update\GoogleUpdate.exe"
"C:\Users\All Users\Google\update\GoogleUpdate.exe"
"C:\Users\Todos os Usuários\Google\update\GoogleUpdate.exe"


) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Right-click on fix.bat and choose 'Run as administrator' to allow it to run.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
chemist is offline  
Old 03-20-2016, 02:57 AM   #11
Hi,

The script ran and created a log.txt file with the following records:

C:\ProgramData\Google\update\GoogleUpdate.exe
C:\Users\All Users\Google\update\GoogleUpdate.exe

Eduardo
ehgpdantas is offline  
Old 03-20-2016, 01:38 PM   #12
Hello again, Eduardo. Any improvement in speed?

Go Start > Computer > Organize > Folder and Search Options > View, then
  • Check the Show hidden files and folders option.
  • Uncheck the Hide file extensions for known file types option.
  • Click 'Yes', then 'Apply', then 'OK'.
------------------------------------------------------

Navigate to, right-click and delete these files:

Quote:
C:\ProgramData\Google\update\GoogleUpdate.exe
C:\Users\All Users\Google\update\GoogleUpdate.exe
Let me know if you were successful.

------------------------------------------------------
chemist is offline  
Old 03-20-2016, 04:24 PM   #13
I could not delete both files. It says the files are in use by Google Protect Service (gprotect). I scanned the file with McAfee and it found nothing. However, VirusTotal found some issues. Follows the URL:
https://www.virustotal.com/pt/file/8...is/1458516009/

Maybe I could try to delete them in safe mode. Should I?
ehgpdantas is offline  
Old 03-20-2016, 04:25 PM   #14
I forgot to mention, I think speed is still an issue. Some activities take too long to complete.
ehgpdantas is offline  
Old 03-20-2016, 08:13 PM   #15
Hello again, Eduardo. Not all slowness issues are due to malware. You may have to seek help in one of our other forums for help when we are done.

I'd like to collect those files for analysis, before deleting them.

Please download the Suspicious File Packer and Save it to your Desktop.
  • Unzip it to the desktop and run it.
  • Copy/paste the following list of files into the Suspicious File Packer window:

    C:\ProgramData\Google\update\GoogleUpdate.exe
    C:\Users\All Users\Google\update\GoogleUpdate.exe

  • Allow SFP to pack the files by clicking Continue
  • This will generate a CAB archive on your desktop named requested-files[Date/Time].cab
  • Please submit it to this site ==> Submit a Malware Sample and include this link in the message->>https://www.techsupportforum.com/foru...ml#post6963402
  • You can then delete the requested-files.cab file from your desktop, once you have uploaded it to the above recipient.
  • Please let me know you submitted the file.
------------------------------------------------------
chemist is offline  
Old 03-24-2016, 05:45 PM   #16
I just uploaded the cab file. I noticed that the slowness issue is not really on the laptop but in Internet Explorer. The laptop is responding quite well, but IE is taking several seconds, sometimes a minute or so, to respond to a click.

Eduardo
ehgpdantas is offline  
Old 03-25-2016, 12:57 PM   #17
Hello again, Eduardo. Have you tried resetting IE to default?

https://www.google.com/search?q=rest...utf-8&oe=utf-8

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    C:\ProgramData\Google\update\GoogleUpdate.exe
    C:\Users\All Users\Google\update\GoogleUpdate.exe
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

-------------------------------------------------------
chemist is offline  
Old 03-27-2016, 08:22 AM   #18
Follows the log. It deleted one of the files but curiously did not find the one in the AllUsers folder... As I tried to delete both, I am very sure the two files were there... but now they do not show up anymore... Actually, one of them, probably the one in the ProgramData folder, was moved and renamed as an xBAD file.

I ran a search in Explorer and it found the folder below, last modified on 17/OCT/2014:
AppCrash_GoogleUpdate.exe_6466616b48e3848f8c3e56bed956fc81cee30b1_0f17e724

It also found two files (GoogleUpdateSetup.exe), last modified on 29/JUN/2013, in two different folders:
C:\Users\LG\AppData\Local\Apps\2.0\TQT80TGK.2DB\N2BJBTQ8.9MR\clic...exe_4fe91ede9f9bdca3_0001.0003_none_81523cbd64d988f5

Now the odd part of my post... I did the reset on IE and got a slight improvement. Not sure if IE is too heavy or if it is because I am "measuring" its performance very close to boot... so the computer is doing several things at the same time... but in any case, pages take a long time to load. So I decided to install Chrome again.

I googled for it, clicked on the Chrome page and went to a Google page thanking me for having installed it. At that time, I hadn't done any installation... I thought it was strange but continued to the browser tab and then it asked me to download Chrome, having to check the box whether Chrome would be the default browser. After Chrome was installed, McAfee warned me that a program was changing the way Chrome would behave and asked me to prevent it (which I did, with no effect)... and here I am, my malware is back... Any time Chrome opens it goes to a strange start page and uses a strange search engine... I went to Chrome settings and there was also a warning that its defaults were modified...

So, it looks like it is really chrome but with a malware complement... I am almost sure next time I reboot the computer it will be infected again.

So, I think the infection is on the chrome install program... probably google noticed I had the install program and rather than sending a new one, it used the infected one.

I searched again for the GoogleUpdate.exe file and now I got the following result (attached jpg).

I will reboot system and run another dds scan as well as mbam.
Attached image: GU.jpg (237.4 KB), search results for GoogleUpdate.exe
Attached Files: Fixlog.txt (840 Bytes)
ehgpdantas is offline  
Old 03-27-2016, 01:41 PM   #19
Hello again, Eduardo. That doesn't mean all those GoogleUpdate.exe files are bad.

I don't need another dds log. I need to see fresh FRST64 logs, both FRST.txt and Addition.txt log.

Make sure Addition.txt is ticked before clicking 'Scan'.

-----------------------------------------------------
chemist is offline  
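One detail of the Fixlog reported in post #18 (one GoogleUpdate.exe deleted, the other "not found") is a Windows fact rather than anything the malware did: on Vista and 7, C:\Users\All Users is a junction to C:\ProgramData, so C:\Users\All Users\Google\update\GoogleUpdate.exe and C:\ProgramData\Google\update\GoogleUpdate.exe are one file reached by two names, and the earlier FRST log shows the same alternate data stream under both C:\ProgramData\Reprise and C:\Users\Todos os Usuários\Reprise, so on this machine the localised name resolves to the same place as well. Deleting the first entry removes the file the second entry points at. The Python below, an added example that is not from the thread or from any of the tools used in it, canonicalises such paths before deduplicating a deletion list and then classifies a GoogleUpdate.exe by where it actually lives, which is the distinction behind "not all those GoogleUpdate.exe files are bad". The junction table (the localised alias is taken from the log) and the known-good updater roots are this example's assumptions.

```python
import ntpath

# Junction aliases on this machine. The first two are standard on Vista/7;
# the localised one is an assumption drawn from the FRST log in this thread.
JUNCTIONS = {
    r"c:\users\all users": r"c:\programdata",
    r"c:\users\todos os usuários": r"c:\programdata",
    r"c:\documents and settings": r"c:\users",
}

# Folders the real machine-wide Google updater is installed to (assumption:
# documented default layout; per-user installs live under AppData\Local).
KNOWN_GOOD_UPDATER_ROOTS = (
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
)


def canonical(path):
    """Normalise case and separators, then rewrite a junction prefix to its target."""
    p = ntpath.normpath(path.strip().strip('"')).lower()
    for alias, real in JUNCTIONS.items():
        if p == alias or p.startswith(alias + "\\"):
            return real + p[len(alias):]
    return p


def dedupe(paths):
    """Collapse a deletion list so each on-disk file appears once, in canonical form."""
    seen = set()
    unique = []
    for path in paths:
        c = canonical(path)
        if c not in seen:
            seen.add(c)
            unique.append(c)
    return unique


def classify_updater(path):
    """Say whether a GoogleUpdate.exe sits where the real updater is expected."""
    directory, filename = ntpath.split(canonical(path))
    if filename != "googleupdate.exe":
        return "not an updater"
    if any(directory == root or directory.startswith(root + "\\")
           for root in KNOWN_GOOD_UPDATER_ROOTS):
        return "expected location"
    if "\\appdata\\local\\google\\update" in directory:
        return "per-user install"
    return "suspicious location"


if __name__ == "__main__":
    # The three names from the thread's batch file refer to a single file.
    targets = [
        r"C:\ProgramData\Google\update\GoogleUpdate.exe",
        r"C:\Users\All Users\Google\update\GoogleUpdate.exe",
        r"C:\Users\Todos os Usuários\Google\update\GoogleUpdate.exe",
    ]
    for unique_path in dedupe(targets):
        print(unique_path, "->", classify_updater(unique_path))
```

The same canonicalisation explains why the batch file's log listed two survivors: it tried the one locked file twice under two names. Run the deduplicated list through the locking-service check first and there is only one file to deal with.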
Old 03-27-2016, 04:35 PM   #20
Hi,

After the boot, the Chrome browser was effectively hijacked, but McAfee seemed to manage it once I could remove both the start page and the search engine from Chrome settings.

I ran MBAM, which found nothing, and AdwCleaner, which found two threats. I am attaching its log.

Follows FRST and Addition logs as well.
Attached Files: Addition.txt (33.2 KB), FRST.txt (69.0 KB), AdwCleaner[S1].txt (979 Bytes)
ehgpdantas is offline  